An unfortunate reality of late is that it’s no longer a matter of “if” a cyber incident will occur, but “when.”
A survey of information technology professionals conducted by cybersecurity company Kaspersky found 91% of their companies have been affected by attacks in the last year, while 45% admit they’re under-prepared. No one is immune — companies of any size and in any industry can fall victim to a cyberattack. Incidents in health care, financial institutions and retail may be more widely publicized, but we’re now seeing an increase in attacks across all sectors, including manufacturing, real estate and construction. Consequently, it’s vital for executives, management personnel, legal and IT leaders in all industries to understand and help combat cyber risks so they are better protected for the “when.”
Here are steps businesses can take to prepare for and address a cyberattack.
Preparing in advance
The key to preparing for a cyberattack is developing a cyber incident response plan with buy-in from C-suite leaders and department heads. The plan, which must be updated regularly, should include the granular details and necessary steps to take when an attack hits. Key stakeholders from IT, management, legal and communications will likely be involved in addressing the incident and should be identified in the plan with roles and responsibilities pre-assigned for rapid response.
Additionally, having a cyber insurance policy in place will provide the necessary protection, should an unfortunate incident occur. Cyber policies are put in place to help pay the costs associated with an attack, including first- and third-party expenses.
First-party coverage funds the costs associated with responding to a breach, which include a breach coach; forensic investigation; public relations; notification process based on state laws; credit monitoring or call center management; data restoration; lost revenue from business interruption; extortion demands and social engineering fraud expense. Defense and damages from third-party lawsuits should be covered under the third-party expenses.
A good incident response plan should dovetail with the cyber policy, meaning the response plan should list the “pre-approved” providers that can be used during any breach response effort. If an organization incurs expenses from vendors that are not on its insurance carrier’s approved “panel,” the organization could reduce its insurance recovery.
Most importantly, policies often incorporate ancillary and complementary services to help the company prepare for and prevent cyber incidents. This can include employee training on “phishing scams,” system vulnerability testing and evaluation of the current breach response plan. Taking advantage of these services should help improve the organization’s cyber posture and possibly prevent an incident in the first place. Ensuring protection with a cyber policy is the wise thing to do and is a critical part of a comprehensive risk management program.
Responding to an incident
If it is determined that a cyberattack has occurred, employees involved in the cyber incident response plan should be notified immediately. The company should then contact the breach coach, insurance carrier and insurance broker to report the attack and get prior approval for the expenses they expect to incur. Simultaneously, the IT department must engage a forensic investigation firm (an “approved” vendor, predetermined by the cyber insurance carrier) to identify the source of the attack and get it contained as quickly as possible, so it is not prolonged or exacerbated.
Once the attack itself is addressed, an assessment should be done to determine the damage and severity of the incident and communicate this to internal and external stakeholders. Engaging a public relations firm to properly craft the message is an expense that would be covered by a cyber policy.
The organization should make sure all employees have a working understanding of the situation and a clear communication strategy so they can direct any external questions from clients and reporters to the proper communication response team. This can help minimize any reputational harm to the organization. For example, if the organization lost customers’ credit card information, it would then need to notify the affected individuals in compliance with the laws of the states in which those individuals reside, not the state where the organization is headquartered.
The incident response team should continue to engage a cyber coach and a law firm, as they can assist with navigating the privacy laws that must be complied with and the regulatory landscape in which the organization operates. Depending on industry and severity of the event, providing credit monitoring services and managing a call center may be required and can be covered in cyber insurance policies.
When all stakeholders are notified of the incident, recovery efforts can be rolled out. This may include recovering and/or recreating any data that was destroyed. It would also involve identifying weaknesses in the computer system and working to address those deficiencies. These costs to improve the system are typically not included within most cyber policies, but some of the broadest policy forms in the market may provide some coverage for “system betterment.”
Preventing a future attack
Having to deal with a cyberattack is unfortunate, but the good news is there are steps that can be taken to prevent future attacks. We recommend training employees on information security, like what to look for in phishing emails and how to practice strong password hygiene. An example of this is regularly sending a test phishing email to all employees to see how many make the mistake of clicking the “bad” link. Offenders can receive follow-up training that is more intensive.
Often overlooked but equally important is assessing the cyber maturity level of third-party partners who could serve as a gateway to the company’s network. Think: marketing or advertising agencies, software vendors and pretty much any third-party vendor that does business electronically. Asking these vendors to fill out a cybersecurity questionnaire could tell a lot about their organizations and whether they could be a potential threat. Finally, we stress the importance of testing, testing and more testing! Stress testing the organization’s incident response process can identify potential problems and apparent gaps in training before they’re tested by a cybercriminal.
The minutes, hours, days and even weeks or months following a cyberattack are hectic, so preparing ahead of time is crucial to dealing with and recovering from an incident. Cybersecurity is no longer just an IT issue — it must be a company-wide concern, with C-suite leaders, management, legal and IT departments collaborating to ensure organizations are compliant, protected and well-positioned when a cyber incident occurs.