You might have heard the "with cybersecurity, it isn't a matter of If, but When" cliché. Unfortunately, the phrase is popular for a simple reason: it's true. The harsh reality is that at some point in your company's lifetime, a cyber incident will happen.
Over 6,000 businesses across the globe suffered a cyber breach last year, exposing 7.9 billion records and causing over $23,500,000,000 in losses. Perhaps yours was one of them, or perhaps it will be.
As many people at those companies realized after the fact, whether you are a C-suite executive, a VP, or a mid-tier manager, in today's complex business environments any one of about a million things can turn your day into a very, very bad one. Let us name a few:
Your employee clicked on a malicious attachment, and stealthy malware was downloaded onto their computer. It then spread throughout the network, disrupting operations or exfiltrating sensitive data.
Someone in your organization entered their credentials on what appeared to be a legitimate work-related website; those credentials were then used to authenticate to your company's email server.
A disgruntled employee leaked millions of records containing the entirety of your customers' sensitive data.
A sophisticated threat group DDoSed you out of business at 200 GB/sec until you agreed to pay exorbitant ransom amounts in Bitcoin.
We could go on, but you get the idea: prevention is not a bulletproof strategy, and it is of little help on the day a ransom note pops up on your laptop.
An actual CISO's reaction to a ransomware note
Obviously, having a well-rehearsed, actionable Cyber Incident Response Plan is a very good idea on a number of levels, but we decided to list three consequences of not having one anyway.
You Will Be Non-Compliant With Your Industry's Regulations
Many regulatory bodies want your risks to be as low as possible, and sensibly require applicable companies to have a mature and actionable Cyber Incident Response Plan, complete with highly detailed scenario-specific playbooks, escalation procedures, roles and responsibilities, contacts, and much more.
For example, PCI DSS Requirement 12.10 obligates entities to "Implement an incident response plan" and to "be prepared to respond immediately to a system breach."
The guidance for this PCI DSS requirement notes that this should be a "thorough incident response plan that is properly disseminated, read, and understood by the parties responsible." The plan should be tested at least annually to confirm that the process works as designed and to catch any missed steps before they prolong exposure in a real incident.
PCI DSS is not alone in mandating that companies be prepared for a cyber crisis, and non-compliance leads to audits, fines, withdrawal of services, and other typical punitive measures.
Your Incident-Related Losses Will Increase Dramatically
While it is difficult to quantify the financial impact of not having an Incident Response Plan versus having one without knowing some specifics, it is safe to say that a successful response program can not only significantly limit the damage but, in some cases, help avoid it altogether.
A key operating principle in enterprise architecture and systems engineering, often summarized as "assume breach", is that systems or components have either already been compromised or contain undiscovered vulnerabilities that could lead to undetected compromises. Missions and business functions must therefore continue to operate in the presence of such compromise.
This principle drives measures like business continuity, disaster recovery, failover, and other crisis management initiatives that have long been accepted as the norm, and in the modern business environment Cyber Incident Response is a key component of each. The advantage of being able to identify, triage, contain, and eradicate a threat early is hard to overestimate.
Your Shareholders, Vendors, Business Partners, and Customers Won't Like It
Risk-versus-reward calculations are a core business concept. Growing awareness of the volatile cybersecurity environment we all operate in, and an understanding that businesses operate in a complex ecosystem of interdependencies, is causing everyone from investors to national defense professionals to declare combating cyber threats a Priority #1 item for private and public organizations alike.
In a world where companies routinely fail to secure their infrastructure, making "Massive Data Breach" headlines a daily occurrence, the shareholders, customers, and third parties associated with your organization will thank you for being diligent and for keeping their best interests in mind, and they will repay you with loyalty and further prosperity for your business.
Episode 3 may have ended differently, had the Jedi considered an Insider Threat scenario
As a closing statement, we would like to point out that procrastination lies at the core of human nature, especially when people are not quite sure of the right way to approach a task.
But when it comes to an Incident Response Plan, the time to develop one is before a security breach occurs. Give it a thought!