By Michael Sher, Groupdolists:
Along with all the blessings of technology’s rise has come increased vulnerability to cybercrime. More technology can mean more pathways through which criminals can penetrate your cyber system and inflict great harm with ransomware, identity theft, cyber espionage or IP theft.
These kinds of cybercrimes cost organizations nearly $600 billion globally per year, according to recent McAfee estimates. In 2018, identity theft alone affected more than 1.7 billion people.
Strengthening your organization’s cybersecurity framework has never been more urgent. Here are five steps all organizations can take to help fortify their defenses against the virtual inevitability of a cyberattack:
[NOTE: This article originally appeared on Homeland Security Today.com as part of National Cybersecurity Awareness Month and reprinted with permission of Groupdolists.]
Step 1. Adopt and Follow Cybersecurity Standards
The first step is to adopt standards, including cybersecurity best practices, advocated by and readily available from the National Institute of Science and Technology (NIST), the International Organization for Standardization (ISO), and the Open Web Application Security Project (OWASP). Many IT teams are already familiar with these cybersecurity best practices. Some 64 percent of organizations have adopted at least some of the NIST standards.
A good way to get started with key standards is to follow the CIS (Center for Internet Security)’s Top 20 CSC (Critical Security Controls), which are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyberattacks. The CSCs are developed, refined and validated by a community of leading experts from around the world, including U.S. government agencies, commercial experts and penetration-testing experts. These standards intersect with many we will discuss below.
There are, of course, costs associated with adopting standards, and putting all of them in place at once will not be feasible for all organizations. But each organization should nonetheless pick and choose which standards they can reasonably adopt now and add more standards over time.
One fundamental standard is at the heart of cybersecurity: “Every organization should locate its cybersecurity measures within a broader context of an enterprise-wide crisis management system.”
NIST’s Framework for Improving Critical Infrastructure Cybersecurity emphasizes this point in its list of attributes that characterize the most mature state of cybersecurity:
- “Cybersecurity risk management is part of the organizational culture.
- The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions.
- Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risk.
- Business units implement executive vision and analyze system-level risks in the context of the organizational risk tolerances.”
The importance of integrating the departmental cybersecurity team with the organization’s overall crisis management system should be obvious: when a cyber breach steals your customers’ credit card information, you’ve got far more than a cyber breach problem. The survival of the entire enterprise is at stake. You can learn more about the NIST framework from this NIST video.
Step 2. Integrate Your Cybersecurity Framework with the Organization’s Incident Response/Crisis Management System
The NIST model makes clear the importance of making cybersecurity a crucial element of the surrounding organization-wide system. Achieving that goal requires commitment – both from the senior management making up the crisis response team and from the IT/cybersecurity department.
They should begin by integrating their technologies. Digitized cybersecurity-related plans need to be integrated into the incident response/management technology being used by the organizational response team to manage a crisis.
The best incident response mobile apps interact easily with various types of technology infrastructures, including emergency notification systems, departmental cybersecurity response plans, databases, etc. Integrating cybersecurity departmental risk management and response plans into the wider organizational crisis plans and its technology-driven crisis management processes formally makes cybersecurity part of the enterprise-wide incident response and management system.
In the scenario of a cyberattack stealing your customers’ credit card information, the departmental cyber response plan would be executed in concert with the “bigger-picture,” organizational incident response plans.
Cybersecurity activities need to be closely coordinated with the senior management making up the crisis team at the center of an organization’s crisis management system. The IT department’s involvement is crucial to incident response team members, enabling them to address correctly the myriad operational and stakeholder communication challenges that stem from a cyberattack, which would afflict the entire organization.
To work together successfully, an organizational crisis management system needs to have a constant flow of information both to and from the IT/cybersecurity team. Their collaboration is crucial, and admittedly burdensome to the IT folks, because while having to constantly inform the big picture, they need to actively be engaged in trying to understand how the breach occurred and figure out how to remedy the situation. But their efforts are well worth it, because collaboration of the cybersecurity experts with the organizational response team will enable a team’s members to develop more powerful, better coordinated incident response and crisis management strategies, as well as messages and tactics.
The team needs also to activate its customer relations strategy, issue an initial holding statement for the media, implement its strategy for dealing with an angry social media onslaught against the organization, send a letter to shareholders, and so forth – all informed by the IT/cybersecurity experts.
Step 3. Assign an IT/Cybersecurity Expert to the Overall Crisis Team
In the case of a cyberattack, an organization’s top IT/cybersecurity professionals should obviously be the “go-to” Subject Matter Experts (SMEs). But it’s hard to imagine any sort of crisis today that would not involve at least some aspect of technology.
At the very least, IT people need to be involved in setting up or beefing up monitoring and, importantly, the analysis of news media coverage and social media. News coverage and social media directly affect incident management actions, while simultaneously serving as indicators of incident management progress.
Unfortunately, in too many organizations, IT professionals are disconnected from an organization’s senior leadership and incident response team. Facebook’s cyber breach experience from a few years ago showed how even in the largest tech companies there can be a dangerous disconnect between IT teams and senior leadership. As the New York Times reported in its exhaustive coverage of the handling of the Facebook cyber breach:
“It was September 2017, more than a year after Facebook engineers discovered (emphasis added) suspicious Russia-linked activity on its site, an early warning of the Kremlin campaign to disrupt the 2016 American election. Congressional and federal investigators were closing in on evidence that would implicate the company.”
The Facebook example is a cautionary tale proving how crucial it can be to have in place an IT/cybersecurity expert as a permanent member of an organization’s incident response team.
Step 4. Conduct Regular Exercises
Crisis simulation exercises are the only way for one to evaluate and improve your organization’s cybersecurity program and ensure that it works within the context of, and in lockstep with, your organization’s incident response/crisis management system.
The crisis plan and response team are two of the three components at the core of the organization’s crisis management system. The third component of that core is the commitment to continuous evaluation and improvement. An organization can only be at peak readiness if it is regularly evaluating and improving its plans and the performance of its crisis team.
The most effective way to evaluate and improve cybersecurity response plans, to assess how well they mesh with the bigger picture of organizational crisis management, is to simulate a cybersecurity crisis in an exercise where, as would be the case in an actual event, the entire organization is impacted by the scenario. The exercise should test not only the cybersecurity plan but will also test that IT security plans closely integrate with the overall crisis plan. An exercise will test how well IT leaders engage with the response team and its crisis management technology.
Exercises can range from the simple to the elaborate – from an orientation seminar to a “tabletop exercise,” all the way up to a full-scale exercise that could include outside agencies such as law enforcement. Whatever types of exercises are chosen, they are the only way, outside of an actual crisis, to test and improve a cybersecurity framework and see how well it meshes with overarching crisis plans and responses of the organization.
Step 5. Integrate the Cybersecurity Team with the Organizational Crisis Management Team’s Technology Platform
Optimal preparedness in an organization should be thought of as a coordinated system. Think of a fine watch whose gears and springs work together with precision. At the core of the preparedness model are three components: 1. a digitized crisis plan, 2. a trained response team, and 3. continuous evaluations so the plans and team are always improving.
These three core components are bound together to work in harmony by a surrounding technology infrastructure that must include software designed specifically for managing an incident response. The crisis response team members should be using a mobile crisis management platform that alerts and convenes the team in seconds, no matter where its members are in the world. The app should enable them to work together seamlessly and with much less stress to manage the crisis. It also enables team members to manage information flow, assign tasks and track progress, all while automatically documenting every crisis-related activity, communication, video, and any other digital assets or resources employed. These kinds of documented materials are an invaluable resource for assessing and improving both the plan and the team. Cybersecurity people should be integrated into this kind of mobile app to streamline and coordinate all IT department communications and activities with the organizational response team.
Most organizations’ IT departments have at least some cybersecurity safeguards in place. Some may even have state-of-the-art measures in place, as well as know how to respond to any cyber contingency. But to be maximally effective, cybersecurity measures have to interface effortlessly via technology with an entire organizational system of crisis management to achieve optimal incident management.
There’s one more essential component of optimal incident response and management. The three-component core and its coordinating technology must reside within an organization-wide culture that makes incident awareness a high priority for everyone. Every employee, at every level, must understand their role as part of the organization’s eyes and ears – its early warning system. If they see or suspect that something is amiss, they should know how to act – and how to report it.
The five steps we recommend here will not be easy to achieve in many organizations since they could involve changing long-entrenched organizational structures. However, in order to successfully meet the growing challenges of more and more sophisticated cyberattacks, the effort must be made. Nothing less than the very survival of the organization is at stake.
About the Author: Michael Sher is CEO and founder of Groupdolists, a purpose-built provider of advanced incident management solutions. He has been building tools for the emergency and incident management markets since 2001, when he co-founded Send Word Now in New York City immediately following the incidents of 9/11. He also founded Centrallo, which powers Groupdolists in 2013, to help teams responsible for the safety and security of people, assets, brand, supply chain and reputation, to instantly take control of any unexpected disruption.