
5 Steps to a Rock-Solid Incident Response Plan

CEOs don’t need to know the technical details about how to respond to cybersecurity incidents. But they do need to spearhead a plan that makes them ready for anything.


On March 9, 2022, the Securities and Exchange Commission put CEOs and the boards of publicly traded companies on notice. The investing public, it said, has the right to know if companies are prepared for cybersecurity attacks.

As such, the agency proposed regulatory changes to cyber risk management, cyber governance, and cyber incident reporting. The proposed rules will increase corporate accountability on cyber risk from the boardroom to the C-suite on down. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend,” said SEC Chair Gary Gensler. “Investors want to know more about how issuers are managing those growing risks.”

With nation-state cyberattacks an ever-present threat and ransomware now part of everyday conversation, organizations around the world have been understandably bracing for the worst. But are they prepared?


For many, the resounding answer is no. Just 46% of organizations say they have a cybersecurity incident response plan (IRP) in place to identify, respond to, and recover from specific types of cyberattacks, and only 26% of organizations have an IRP that’s applied consistently across the enterprise, according to a 2021 report from IBM Security.

“Ransomware and other cyberattacks are impacting industries both small and large, and we’re seeing a rise in both the number and the impact that these cyberattacks can have,” says Erin Bajema, managing associate and cyber sector lead at Hagerty Consulting. “Companies need to assume that they will be impacted by a cyberattack and make sure they have a plan in place should something happen.”

While IT and security teams are responsible for the technical details of incident response, the CEO and other senior leadership must play an active role. The problem: Many leaders don’t understand the role they should play, according to Quentin Hodgson, senior international and defense researcher focusing on cybersecurity and risk management at the Rand Corporation.

“Senior leadership know what they’re responsible for on a day-to-day basis, but they might not understand who’s responsible for making decisions and taking actions during a cyber incident,” Hodgson says. That’s why establishing an incident response plan—and keeping the C-suite informed about it—is essential. “When there isn’t a tried and tested plan in place, you’re going to encounter a lot of chaos in an already stressful situation.”

A good plan addresses five elements. These elements align with the major phases of incident response, according to the IEEE Computer Society: preparation, identification, containment and eradication, recovery, and lessons learned.

1. Prepare your people and processes for incident response

Preparation is the most crucial phase of incident response because it sets the tone for how well an organization responds to a crisis, according to IEEE. To prepare for a cyberattack, the computer security incident response team (CSIRT)—which is typically composed of security and IT staff as well as members from human resources, public relations, legal, and the executive board—should review existing security policies and tools and perform a risk assessment to determine which vulnerabilities remain, the likelihood that those vulnerabilities could be exploited, and how easily the vulnerabilities can be detected.


CEOs and executive leaders should outline their potential concerns and challenge some of the underlying assumptions in their response plan, Hodgson says. This might include questioning which resources may actually be available in case of a cyberattack and the ability of the organization and specific individuals to quickly perform necessary damage control and repair.

People might not be on the same page, so it’s critical for team members to have an initial conversation about what they expect to do during a potential incident, the kinds of actions they want to take, and the consequences they are most concerned about.

“What happens if Sally is on vacation when an incident occurs?” Hodgson asks. “Who is empowered to make decisions? Are we making assumptions about our ability to do things that might not hold? These are good questions to ask and conversations to have to frame what the planning looks like.”

CEOs should ensure that IRPs consider worst-case scenarios, the Cybersecurity and Infrastructure Security Agency (CISA) advises. Extreme measures may need to be taken to protect an organization’s most critical assets in case of an intrusion, such as disconnecting some high-impact parts of the network.


CISA recommends that enterprises review the U.S. government’s latest Incident and Vulnerability Response Playbooks, published by CISA late last year. CEOs and senior leadership should also participate in tabletop exercises to ensure they are familiar with how the organization will manage a major cyber incident. These exercises should be performed annually, at a minimum, Hodgson adds.

“Incident response and management go well when coordination pieces have been practiced ahead of time,” Bajema says. “This gives you a chance in a no-fault environment to see what’s going well with relationships across the organization, what’s difficult, and what you need to work on. Keeping stakeholders engaged in preparedness sets you up for success.”

2. Identify cyber incidents and report them

During the identification phase, organizations determine when a security deviation should be considered an incident. Incident identification involves collecting evidence, determining the priority of the incident, and documenting any actions taken. The CSIRT should identify the appropriate time to contact stakeholders and relevant outside parties.

The most important aspect of planning for this phase is knowing how to classify the severity of an incident, Bajema says. “Just like hurricanes, cyber incidents come in all severities, based on how big an impact they may have,” she says. “Cyberattacks that impact one piece of one system are considered less severe than something that’s taking down the entire cyber infrastructure. CEOs should understand what’s being impacted now and what has the potential to be impacted next.”

Given today’s elevated threat levels, CISA recommends that CEOs lower their incident reporting thresholds. Any indication of malicious cyberactivity—even if security controls block an attack—should be reported to CISA. (The 24/7 Operations Center at CISA can be reached by emailing [email protected] or calling 888-282-0870; or you can call an FBI field office.) “Lowering thresholds will ensure that we are able to immediately identify an issue and help protect against further attacks or victims,” the agency says.

Once leaders have determined the severity of an incident, executives need to be ready to walk through the CSIRT’s roles and responsibilities, identify the monitoring that needs to be performed, determine the steps needed to actively contain an incident, identify information management elements to discuss, and clearly assign responsibility for each of those, Bajema says.

The core group of individuals involved in planning conversations for this phase may look different depending on the organization and the type of attack, Bajema says. With a smaller incident, CEOs should likely include the senior IT leader, someone overseeing critical business operations, human resources, public relations, legal, and marketing.


CEOs should be ready to facilitate the conversation across groups in the organization: “As an executive, you won’t be the one fixing the software, but you’ll be helping to coordinate the different pieces of the response and maintain communications across the board,” says Bajema.

3. Contain and eradicate network infections

After identifying the incident, it needs to be contained to prevent further damage. Then it must be eradicated to remove existing infections and any attackers who remain in the system. This phase involves isolating affected parts of a network or disabling infected devices, replacing infected systems or devices with clean versions, and patching exploited and new vulnerabilities. Cybersecurity and IT teams largely have this responsibility.


During this period, CEOs will need to focus on the continuity of operations, Bajema says. “If you’re a bank that’s experiencing a cyber incident, for example, how do you continue to keep your bank branches open?” she asks. CEOs should also ensure that investments in security and resilience focus on systems that support their organization’s critical business functions.

Hodgson recommends that CEOs be involved in conversations about the cost of full eradication and the replacement of IT infrastructure to get the organization back up and running. “Cost is a significant issue that the CEO and others will have to understand and think through in order to make decisions,” he says.

4. Recover and test network systems and devices

During the recovery phase, systems and devices should be brought back up and tested to ensure they’re no longer vulnerable. IT and security staff monitor these systems for an established period of time to ensure that attackers have been eliminated and to prevent reinfection.

At the executive level, CEOs should be involved in conversations about how to restore services in a way that allows them to manage the changes they’ve experienced. “You’re looking at a return to a new normal. You’re adjusting how you’re working—you may be working with new hardware—and, most important, you’re looking at essential functions and services and how you’ll continue to offer them in this new environment,” says Bajema.

5. Create an after-action report to identify what worked and what didn’t

Following recovery from an incident, organizations should plan to create an after-action report. As part of that report, executives develop an improvement plan that identifies both the strengths and weaknesses in their response and the issues that arose when they lacked protocols, Bajema says. After compiling the report, it’s important to walk through the lessons learned and follow through with concrete fixes.

“You can’t assume that because you’ve been through [an attack] once, it won’t happen again,” Hodgson says. CEOs should lead conversations about how to be better prepared for the future, he says. “Should people get additional training? What did we not know that would have been useful to know at the time? How do we communicate better? The CEO isn’t going to answer those questions, but should push his or her team to address them,” Hodgson says.


The more thought, testing, and practice that go into an IRP, the smoother the recovery, Hodgson says. “Often, plans are just put together by isolated individuals or small teams and placed on a shelf where they become stale and lose relevance,” he says. “Of course, it’s impossible to predict how an incident will play out, but the more thorough you are with the planning, the better equipped you’ll be to handle it.”

In other words, CEOs who play an active role in preparing an incident response plan can rest easier knowing that their organization has further hardened its security defenses against an attack.

Kristin Burnham

Kristin Burnham is a freelance journalist covering IT, business technology, and leadership.
