Dealing with a cyber-attack? Six common pitfalls companies should avoid when handling a security crisis
Managing a cyber crisis is one of the most challenging and stressful aspects of a CISO’s job. Aside from the actual challenge and stress of trying to handle a security incident and help your business successfully recover and rebound, far too many security leaders’ work is made exponentially worse by falling into a number of common pitfalls. Luckily, you can avoid these pitfalls if you know what to look out for.
Based on our experience working with businesses across various sizes and industries, we’ve developed a list of the six most common pitfalls that trip up organizations and how to avoid them.
Table of contents
1. Lack of preparation
Hands down, the biggest pitfall organizations face when dealing with a cybersecurity crisis is arguably the easiest to prevent: preparation. Not effectively preparing for a cyber crisis like an attack or data breach only sets up your security team and business for failure.
It means that when a crisis occurs, you are already behind and cannot act judiciously or confidently enough to successfully investigate, contain, respond to or remediate the issue. Further, not being prepared for possible risk scenarios often leads to confusion and mistakes, which can open up your organization to asset loss, financial liability and reputational damage.
CISOs should start planning for cyber-attacks and data breaches as quickly as possible – ideally within their first few months on the job. The C-suite and board should not expect plans to cover every possible scenario, but they should work with their security leaders to help make sure their organization has a basic cyber incident response plan in place. These plans should be regularly reviewed and revised as necessary to ensure they are still relevant and account for any new security gaps to be effective.
2. Relying solely on technical solutions
Technical solutions such as firewalls, endpoint security detection and antivirus software are essential tools for any modern organization, but they cannot solely prevent cyber incidents or data breaches. For example, while EDR solutions cover detection and response, security teams are still responsible for applying patches and providing secure configuration for systems.
Security and IT operations teams also cannot rely solely on external partners; simply implementing a vendor solution will leave gaps in your organization’s security. This is especially true among smaller businesses who lack the resources to implement their own security measures.
CISOs and their team need to take a holistic approach to cybersecurity that addresses not just technology solutions, but also policies and processes as it relates to data and network access. This includes taking into account human factors, which means conducting regular cybersecurity awareness training so employees understand the important role they play in helping to keep the business safe.
3. Failing to identify the scope of a cyber-attack or breach
Companies often underestimate the scope of a cyber-attack. Particularly when it comes to small and medium-sized businesses, it may be because it’s their first time experiencing one so there is a lack of awareness as to how impactful the attack could be. Many often also lack the resources to implement comprehensive security measures, have a fear of legal or financial liability or are solely focused on the immediate response. That’s why in the wake of an attack or breach, it is essential for security teams to conduct a thorough investigation to determine the method of the attack, the systems affected and any compromised data.
Throughout the course of managing an attack and as part of the ensuing investigation, it is critical for the crisis response team to collect all relevant evidence, which can both provide information as to the full scope of the incident as well as prove necessary for an after-action report and in meeting regulatory and other reporting requirements.
Once you have a cybersecurity incident response and crisis management plan in place, it is exponentially easier to feel confident that you and your team have identified the full scope of a cyber-attack or breach.
4. Lack of communication
While it’s number four on our list, a lack of adequate communication can quickly torpedo an organization’s cybersecurity incident response efforts. Internally, the failure to foster an environment of inclusivity and open dialogue amongst your security team and with leaders across the business can exacerbate biases and lead to confusion and low morale. The consequences of inadequate communication with external stakeholders like customers, law enforcement, media and vendors can cause a sense of mistrust that may be impossible to overcome.
As CISO, you are responsible for creating the conditions that make all members of your team feel comfortable asking questions and understanding their role in helping address the cyber crisis and eliminate “groupthink.” You should also work closely with other department heads to ensure they set a similar tone and are communicating effectively with their teams and the employee base writ large.
For a variety of reasons, it is crucial to keep third-party stakeholders informed of the situation and all the actions you and your team are taking. Here, transparency is key. Make sure you’re communicating often and sharing all information collected throughout the process to give partners and others the confidence that your team knows what it’s doing and is doing all it can to prevent something similar from happening in the future.
5. Neglecting legal and regulatory obligations
Small and medium-sized businesses in particular can neglect legal and regulatory obligations. They have fewer resources to fully understand the different rules, are focused on the immediate response to an attack to minimize operational impacts or have a fear of liability. It can also be incredibly difficult for any business to navigate the current patchwork of state, federal and international laws governing the handling of sensitive data and requirements around information-sharing and reporting.
That said, companies have to meet such legal and regulatory obligations to report cyber incidents and protect sensitive data to avoid legal and financial consequences like lawsuits and fines, not to mention negative press coverage.
Companies should do their due diligence to employ experienced professionals, including a general counsel, chief financial advisor and chief risk or compliance officer, to ensure they’re following all regulations and requirements when it comes to cybersecurity incident reporting. Failure to do so could have consequences beyond legal and financial liabilities.
6. Assuming the crisis is over
It’s easy for organizations to assume that their crisis is over once the immediate threat is contained. However, the damage caused by a cyberattack or data breach can last long after remediation.
This is where a post-mortem is particularly critical – it gives you and your team the opportunity to understand the root causes of the incident and how it could have been prevented. It will also help you understand whether there are changes the security and IT teams can make to both your operations and policies as well as the cyber crisis management plan to reduce the chance that a similar incident will occur in the future.
It’s also important to keep in mind that while your organization may have removed one threat and restored operations, the result of how you handled an attack or what data was stolen could linger well into the future. Conducting ongoing patching, keeping customers in the loop and addressing media questions into your organization’s security efforts should not be treated as optional, given that transparency in this phase of a crisis is just as critical as the planning stage.
By understanding these common pitfalls, organizations can better prepare for and manage any cybersecurity attack or data breach – and their aftermath – with confidence.