Kicking off October Cyber Awareness Month! Tips & tricks: Best practices for preparing & responding to a cyber incident
How do you stay one step ahead when you didn’t know you were even in the race? The unsavory truth is that no business is safe from cyber threats: criminals target everyone, whether you are a Fortune 500 company or the mom-and-pop shop on the corner. The extent of damage caused by a security incident can be mitigated by implementing a few key steps both before and during an incident.
1. If you have the opportunity to prepare, do it!
Responding to a security incident, whether ransomware or theft of a device, can throw your business into chaos if your team is not well-equipped. Seconds are precious—potentially accounting for the difference between your business recovering from or succumbing to the threat.
- Businesses should consider implementing an Incident Response Plan (IRP) as a proactive measure. An IRP provides a roadmap to help traverse a cyber threat by outlining a number of items including: management and coordination, roles and responsibilities, pertinent legal definitions and obligations, model communications for stakeholders, insurance information, and a clear path and prioritization for each stage of response (preparation, detection and reporting, containment and eradication, recovery, investigation, and legal notification requirements).
- Know whether you have cyber insurance coverage and if not, consider obtaining policy coverage for your business. Costs attributable to a cyber incident pile on quickly from forensic vendor support, remediation and hardening measures, business interruption costs, and more.
- Know what you have and where you have it by conducting an audit and itemizing the various servers, systems, workstations, etc. utilized by your business. If impacted by a cyber incident, knowing the lay of the land will significantly reduce the downtime between first observance and initiation of remediation measures. This audit will serve you even better if it identifies what type of information is stored where—such as employee personal information, client contracts, and administrative materials—and who needs to be notified if a security event occurs—such as customers or clients who have contractual provisions obligating notice. In addition to the physical audit, conducting a security audit at regular intervals will help your business identify vulnerabilities that may be exploited by threat actors. A current data audit can also go a long way in prioritizing which systems need to come back online first during an attack (see IRP above).
- Implement and enforce MFA! Multi-factor authentication, although not impenetrable, will greatly reduce the likelihood of a threat actor gaining entry to your systems with compromised credentials. Essentially, make yourself a less attractive target. Consider implementing—and enforcing—MFA throughout your environment including your email tenant, VPN, or other access points with sensitive or confidential information.
- Back up important data and test the viability of those backups regularly. If you have a third party handling this for your organization, periodically audit them to ensure the process is being done properly. Ensure the backups are in a safe place, inaccessible to threat actors if at all possible.
- Keep your software up to date with the most current version. Patch vulnerabilities regularly. Again, if the organization has a third party performing these duties, audit them to ensure that the updates are being performed in a timely manner. Software that has reached end of life should be fast-tracked for replacement, given that security patches will no longer be available.
- Employ basic cyber hygiene principles. Use antivirus software and a secure VPN. Avoid using public networks and create strong and unique passwords. Be sure to routinely provide your employees with phishing scheme awareness and other training so these measures become second nature.
2. Get insurance involved ASAP.
Generally speaking, cyber insurance covers your business’ liability and losses resulting from a cyber incident. Policies can cover a variety of incidents including data breaches (confirmed incidents resulting in the access or acquisition of personal information), cyber incidents on your network (such as ransomware or a business email compromise), and third-party vendors experiencing a cyber incident in which your data is impacted. These policies may also cover defense of potential litigation or regulatory investigations.
If you do have coverage, getting the carrier involved at the ground floor may allow you to take advantage of their panel vendor relationships and receive services at a preferred-partner rate. Moreover, businesses will save themselves a headache during the claims process by ensuring the carrier is reviewing and approving the statements of work of the various vendors involved. This preparation can also avoid being at the back of the line when service providers are at capacity responding to wide-scale cyber events.
3. Communication is key.
In the midst of the madness, one of the most challenging feats is properly coordinating communication between the relevant parties at the appropriate time. (Again, see IRP above.) A security incident is not restricted to the insured and the carrier; it involves a seemingly limitless stream of parties at varying stages from initial response to restoration, which can include in-house counsel, forensic vendors, threat actor communication vendors, notification and mailing vendors, brokers, carriers, law enforcement, employees, investors, business partners, customers, regulators, and so on.
At a minimum, there are a few cornerstones to effective communication during a security incident.
- Designate leadership. As the old adage states: too many cooks in the kitchen spoil the broth. In addition to your breach coach (attorney) coordinating communication between vendors, carriers, and the business, your company should articulate the appropriate points of contact to run the show internally. Depending on the structure of your business, this may take shape by designating a point of contact for IT remediation, customer-facing remediation, business operations, etc. Assess the basics of your operation and designate only the amount necessary without over-dissecting your operation.
- Stay in touch. Setting up an appropriate call cadence ensures that one hand knows what the other is doing. Moreover, by keeping everyone in the loop, you are able to help piece the puzzle together without important items falling off the radar entirely. This may demand a daily or every-other day touch-point to keep apprised of all relevant developments. The IRP may also delineate with more granularity what decision-makers and staff need to be on what update calls and email communications, freeing those without an immediate stake in the conversation to focus on their tasks.
- Keep the circle small. Communication is important not only to restore operations as quickly as possible, but also to avoid falling into your own trap by communicating too much too quickly. Incident response is fast-paced and fluid—factual circumstances evolve day-by-day, minute-by-minute. How and to whom information is communicated is not the only consideration; what is said about the incident, and when, can have detrimental effects. Some individuals need to be in the loop from the incident’s origination, while others need only be provided high-level information until the necessary deliverables are available. Expanding communications beyond obligatory parties threatens attorney-client privilege, potentially exposes the business to a class action lawsuit, and impedes relationships with law enforcement and regulators.
4. Know and assess your legal obligations: statutory, regulatory, and contractual.
Entities should be prepared by not only reviewing their contractual obligations pursuant to agreements with private parties, but also making themselves familiar with their industry’s regulatory and statutory obligations. The concept of “data privacy” is vast; however, certain industries have particularized regulations that impose responsibilities not only in what an entity’s legal compliance needs are when responding to an incident, but also how data is collected, stored, used, and secured. This is where guidance from a breach coach / data privacy counsel can be invaluable to ensure an organization is in compliance with its obligations.
Contractual: Parties may enter into agreements that include data privacy provisions dictating not only how to secure data, but also when one party must inform the other about a potential “security incident” or “data breach.” Businesses should be wary of such provisions, as the time to inform the other party can be influenced by a number of factors, most notably:
1. When is the notice triggered? Some provisions may require that Entity A inform Entity B only in the event that forensics has determined a data breach occurred impacting Entity B’s data. Other provisions may require Entity A to inform Entity B in the event a potential security incident is observed, a much earlier notice trigger in the incident response timeline.
2. How long does the business have to tell the other party? Once the provision is triggered, Entity A may have only a few hours to inform Entity B that the event occurred. Some provisions may require expeditious written notice within only 12 hours; other provisions may allow Entity A to inform Entity B within a reasonable period of time but without undue delay.
3. How is the reporting performed? Oftentimes there is a specific point of contact to whom a letter report should be sent, but there can also be portals or other mechanisms for reporting in compliance with the contract terms.
Regulatory: The financial, insurance, educational, aerospace and defense, and health care industries are strictly regulated and, not surprisingly, promulgate extensive requirements for data handling. However, as the landscape evolves, less flashy industries have also secured space in the data privacy fold, including the utility and data broker sectors. Even more complex privacy regulations arise when businesses cross into blended industries (or geographic areas) and operate both as brick-and-mortar and web-based. It is imperative that businesses are aware of and understand the potential regulatory corners that their business touches, or they may otherwise face debilitating fines.
Statutory: To further complicate the already confusing menagerie, businesses must comply with federal, state, and international data privacy laws. All states have some form of a data breach notification law, but an increasing number of states are passing more robust data privacy laws similar to the California Consumer Privacy Act. Businesses seeking a reprieve may breathe easier knowing that there is not currently a federal omnibus data privacy law, but let us not forget the sector-specific acronym flurry such as COPPA, HIPAA, FCRA, GLBA, FERPA, ECPA, and more.
If your business markets, solicits, or otherwise operates beyond the United States’ borders, do not forget international regulations, which vary by country, province, and sector. Governments across the globe are attempting to keep pace with the morphing landscape, and should your business be caught unprepared, you may ultimately lose the foot race and fall well behind the mark.
5. Redouble efforts: reassess your cyber security posture, as well as your policies and procedures, so you are better positioned for a cyber event in the future.
What are your weaknesses? Where are you vulnerable? Threat actors are continuously adapting to new technology and so should you. Following a cyber event, if you have engaged a forensic vendor or if your IT team is well equipped to determine entry vectors or intrusion methods, it is imperative that those weaknesses are shored up.
Moreover, the completion of a cyber event is a prime opportunity to conduct a post-mortem on how your business responded, on your current cybersecurity policies and procedures in practice, and on potential areas of further data fortification and training. Reviewing and implementing updated policies (if need be) not only bolsters your preparedness posture for a future attack, but may also mitigate your liability exposure in the event of governmental investigations or private litigation.
These steps might seem daunting or overwhelming, but fear not because your breach coach is there to help you navigate before, during, and after an incident. Whether you are starting from scratch or refining your policies and procedures, McDonald Hopkins is here to help. Our national data privacy and cybersecurity attorneys have a wealth of experience advising clients in a myriad of industries on the rapidly changing state, federal, international, and industry privacy and breach notification laws. If you suspect that your organization has suffered a privacy incident or would like more information about pre- and post-incident services, call our 24/7 hotline at 855-MH-DATA1 (855-643-2821) or email IncidentResponse@mcdonaldhopkins.com.