Cyber Incident Readiness: 3 Common Blind Spots to Watch For

Listen to the audio version:

The Alliant Cyber team has spent a great deal of time speaking with clients about cyber incident readiness. Over the years, we have worked closely with organizations across the globe on preventing cyber incidents, attacks and breaches, as well as shaping their response activities during active cyber attacks and incidents. 

Over time, the team has observed three common blind spots for cyber incident readiness, which are unfortunately still quite common. Organizations tend to immediately focus on core technical security controls and capabilities, such as endpoint protection and response technologies, data backup and recovery processes, and technical security monitoring and alerting across the environment.

While these core tenets of cyber incident readiness are indeed critical to any organization’s cyber incident response plan, an undesirable side effect of focusing too heavily on these technical capabilities is that certain other areas and capabilities are frequently overlooked.

Three Common Blind Spots in Cyber Incident Readiness

1. Communications

 If you speak to enough organizations and leaders who have gone through real cyber attacks, there is one area that is frequently cited as being an unforeseen challenge during the incident response process: communication. For example, organizations will often not account for the need to have “out-of-band” communication protocols and processes during instances where their normal means of communication are unavailable. Additionally, many organizations do not plan proactively for an integrated approach to communication with staff, organizational leaders, clients and business partners during an incident, and this can lead to confusion and inefficiency.  Unfortunately, weak spots in communications can also cause significant missteps and costly errors in cyber incident response.

Our Recommendation

Establish foundational communication plans for the most likely cyber attacks, including roles & responsibilities, communication methods and standardized, pre-vetted communication templates.  Link these communication elements to respective areas of the organization’s cyber incident response plan.

2. Resources

In advance of a cyber attack or incident, organizations are typically aware that they will need core IT and security resources available to work on certain aspects of the incident response process. One of the blind spots we see is many companies do not account for impact on other key business functions, departments and teams across the organization during a cyber incident.

This is particularly acute during a cyber attack or incident that causes a significant business process disruption. For example, will the organization’s customer service teams have the resources necessary for offline processes? In the case of a transaction-heavy environment, if the company is forced to operate manually or “offline” for a period of time, will there be enough resources available for manual data cleanup and reconciliation? What about weekend or after-hours coverage during a significant incident?  Additionally, does the organization have a plan for obtaining interim or temporary “swing” technology assets and systems, when and if significant portions of the IT infrastructure have to be rebuilt?

Our Recommendation

Develop a contingency resource plan for critical business and operational functions, in addition to core IT and security resource plans. Be sure to include resource considerations that are likely to impact the organization during a significant business process disruption event caused by a cyber attack or incident.   

3. Third Parties

One of the things that frequently takes organizations by surprise during a significant cyber attack or incident is the need to obtain expert and specialized external subject matter expert resources. Examples of specialist expert resources that are commonly needed during a cyber incident include:

• Digital forensics/incident response (DFIR) firms
• Specialized legal counsel/breach coach firms
• Ransomware negotiation firms
• Law enforcement
• IT recovery services firms

In the event of a cyber attack, the timeline and urgency for engaging these resources is always extremely critical, and many organizations unfortunately find themselves ill-prepared to engage quickly with these expert resources when they are needed most.

Our Recommendation

The organization should take a holistic look at the most-likely expert resources and third parties that may be needed during a cyber incident, including legal, DFIR, eDiscovery and law enforcement.  As part of this initiative, the organization should collaborate with its risk manager and insurance broker/carrier to ensure that third party partners are selected who optimally align with any existing cyber insurance policies, including service provider panels associated with those policies. 

Alliant Can Prepare You for Cyber Incident Readiness

To be effective, organizations must take a truly integrated and dynamic approach to cyber incident response planning & readiness. This involves taking a fresh look at the organization’s existing cyber incident response plans and measures to check that there are no significant blind spots, and that the organization is well-prepared for a significant cyber attack or incident.

Unfortunately, malicious cyber threat actors are continuing to target organizations across all industry sectors.  At Alliant Cyber, we are committed to assisting our clients in remaining vigilant and partnering with them on driving better cyber resilience and readiness, including cyber incident response plan development, tabletops and a solid framework of practices, resources and controls for better cyber risk management in the face of emerging threats.