Chief Operating Officer for Castellan Solutions, the largest provider of business continuity and operational resilience solutions.
When Colonial Pipeline was forced to shut down its 5,500 miles of pipeline after being hit by a cyberattack in May, it impacted more than just your daily commute. What followed was a temporary gas shortage caused by panicked Americans and a major disruption not only for Colonial Pipeline but also for organizations that rely on the top pipeline operator’s fuel supplies — all because of a ransomware attack.
“The shutdown of such a vital pipeline, one that has served the East Coast since the early 1960s, highlights the vulnerability of aging infrastructure that has been connected, directly or indirectly, to the internet,” the New York Times reported. Ultimately, this disruption demonstrates to me the importance of not only preventing cyber attacks such as ransomware but also the importance of maintaining the capability to respond to such an attack.
An effective response capability should leverage robust business continuity capabilities to help alleviate the impact and keep the organization well-positioned to meet the demands of the market and its customer base. With cyberattacks impacting organizations all over the world, most of which fail to grab headlines, I often hear combinations of the following worries:
• “It’s not a matter of if but when a cyber disruption happens to my company, and I’m not really sure how we are going to work through it.”
• “I am told we are ‘ready,’ but I have not seen concrete outputs to really know how we would respond to an actual event.”
• “I am confident about being able to technically respond, but I am not sure how to coordinate the response well across the rest of the organization.”
With the recognition that a successful cyberattack is largely inevitable, business leaders have two overarching needs: first, clarity on what actions the organization needs to take now to proactively build cyber response capability for a future need; second, confidence in the organization’s ability to respond to and recover from a cyber incident in a way that minimizes impact on the market, customers, employees and other stakeholders.
Here are the core elements that organizations should be pursuing when it comes to creating an effective cyber response capability that you and your key stakeholders can confidently depend upon:
1. Establish the level of capability needed. Everyone is at risk of a cyberattack, though some are more at risk than others. Additionally, the impact of a cyberattack on one organization can be far greater for its customers or the public in general than the impact of an attack on another. As a result, do you need a “good,” “better” or “best” cyber response capability? When it comes to a successful cyberattack, few organizations tolerate anything less than “good.”
2. Create focus on what to protect. Not everything an organization delivers and does is equally important and time-sensitive; certain products, services and supporting business processes are more important than others. Engage leadership in a scoping and prioritization discussion, use voice-of-the-customer techniques and, as appropriate, talk to regulators regarding impact and expectations. From there, assess when the loss of these key products, services and processes results in catastrophic consequences for the organization, the market and its customers. Use this information to set a downtime tolerance. This assessment effort will influence investment in prevention as well as in cyber-response capabilities.
3. Take inventory of what you have. Regardless of the level of cyber-response maturity needed in your company, most organizations have formal and informal capabilities in place to respond (and many have gaps as well). Some of the key capabilities to evaluate include:
• Data backup and replication processes;
• Monitoring approaches;
• Cyber insurance;
• Third-party relationships, ranging from forensics firms to negotiators to specialized outside counsel;
• Law enforcement engagement processes;
• Incident management and crisis communications capabilities.
4. Build a leadership and technical response strategy. A cyberattack is not just an IT issue; it’s a business issue. As such, organizations must invest in leadership and technical response strategies, including training teams and creating plans, to deal with a successful cyberattack. Some of the core elements include clear roles and responsibilities with trained, competent people (both leadership and technical), designated authority to act, internal and external notification strategies and capabilities, third-party engagement approaches, processes to capture and retain evidence, and the ability to recover end-user devices.
5. Train, test, iterate. As noted, competent people are essential to a successful response. Role-specific and team training programs are essential, as are exercises that closely resemble an actual response. Putting leadership and technical teams through real-life scenarios is the best way to create key competencies and reinforce key actions through trial and error in a safe environment while also highlighting vulnerabilities and opportunities for improvement. Beyond exercises focused on building skills and experience, technical tests that focus on successfully recovering applications and data are essential as well. Collectively, training, testing and iteration not only create competencies and capabilities but also a third “C”: confidence.
One important thing to keep in mind is that the industries and types of businesses hackers target can shift constantly, so it is naive to use the excuse, “It’s never happened to me or someone in my industry,” as a reason to avoid preparing a cyber-response capability. And the pandemic has shown that state actors and cybercriminals are taking advantage of new vulnerabilities. Remote workforces, as an example, have provided new opportunities for criminals to infiltrate businesses that range from small- and medium-sized companies to the largest of healthcare organizations, government agencies, higher education institutions and more.
In 2020, there were more than 1,000 reported cyber breaches affecting almost 156 million individuals through data exposures. No industry and no person is immune. All it takes is for one employee to open one email to start a cyberattack that brings an entire organization to a halt. However, the core elements above are your roadmap to staying one step ahead in minimizing impact should a successful attack occur.