EXPERT OPINION: If we fail to prepare, we prepare to fail
When it comes to incidents or major outages, most senior leaders believe that it is a question of when, not if, it will happen to them. Therefore, it would surely make sense to prepare for the worst. What is often the case, however, is a severe lack of preparedness. There are even cases where no real preparation has happened at all. Unsurprisingly, the consequences can be disastrous, with the only possible mitigation being a large slice of luck. And good luck quantifying that in your risk register(!)
A major incident, sometimes called an extinction level event, can ultimately ruin a business or businesses.
What if the incident caused many other organisations to have their own incidents as well? This makes a lack of planning, preparation and practice tantamount to negligence. Additionally, the effort involved in recovery when something major does go wrong is considerable. Instead, businesses could choose to reduce the required effort by putting in the leg work early. The key here is knowing the answers to many important questions before an incident occurs – helping not only to reduce the effort required to recover, but also to increase the chances of a successful recovery. Such preparation has the added benefit of putting less stress on the teams involved in that recovery work: imagine being able to stay cool under pressure because you already know that the right processes are in place.
So, what can security teams do to prepare?
ISF Members have access to a number of resources that can help a business plan ahead. Extinction Level Attacks: A survival guide takes a phased approach of “Prepare, Respond and Resume”. ‘Prepare’ is the focus here. Its elements include understanding the business and its technology stack, answering the critical questions, and knowing the key factors that help in responding to an incident. Knowing the answers up front will allow for a quicker response and enable rapid decisions to be made at the most vital point of an incident – the beginning.
Creating a plan that can be followed in the case of a major incident is an important and necessary task. But the glue that holds all these plans and phases together is testing; theory does not always match reality. Performing cyber security exercises is a must for any organisation that wants to continue operating after a major incident, and going through multiple scenarios is the best approach. This tests not just the response plans but also the relevant employees to make sure that recovery is a likely option. This enables the business to not only adjust deficient plans and processes, but also helps employees have confidence that they can follow the adjusted plans accurately with a high chance of success. This confidence will be useful if the worst does ever happen.
A couple of extra tips when testing incident response plans include:
- Bringing third parties who are part of the technology stack into incident response plans, as it can be critical to understand how they will react to and interact with your responders.
- Making sure that any responders who may need to go to a specific site or location have visited it before, ensuring there are no shocks when their focus is really needed. Imagine having to put on a hazmat suit to help the recovery process, despite having never worn one before.
It is vital to have the right information to hand prior to an incident occurring. Make sure you have a solid plan for responding to an incident and how to resume normal operations once the incident is over. And finally: test, test, test. Iron out any kinks in those response plans before you need to use them.
You never know when a major incident will occur, so if you haven’t already, start preparing for it now.
Over the coming weeks, the ISF will be demonstrating how its research and tooling can help Members to understand and improve their business’ resiliency, providing advice and guidance on how best to prepare for, and anticipate, future threats to their business operations such as the one observed recently.
Complementing this are our award-winning consultancy services, available to Members and non-Members alike, providing organisations with the help and support they need to translate technical insight into a clear business-focused delivery plan.
MEET THE AUTHOR
Paul Holland MCIIS CISSP is a former Security Leader, and Head of Research at the Information Security Forum.