By Richard Frost, Head of Consulting: Cybersecurity at Armata
The concept of a crisis and how to manage it isn’t foreign to anyone running a business. Something untoward happens, it affects the business and then there is a host of effects, ranging from revenue loss to reputation management and compliance questions. There is no doubt that doing everything possible to prevent the crisis in the first place, and then having a very carefully drafted playbook to activate an appropriate crisis response, places a business in a far more favourable position than if it had no plans in place and were reacting in the heat of the moment.
The very idea can give CEOs sleepless nights. Now, consider that we live in times where cyber attacks are increasing at breakneck speed and that everyone is a potential target. It is plain as day that every business needs a cybersecurity playbook. Typically, a playbook relates to things you want to standardise, and in this instance it refers to how a business prepares and shores up its defences, as well as how it standardises its incident response procedure according to best practice in a way that results in the least amount of damage to the business. Some of the most well-known businesses in the world, including in South Africa, have fallen victim to breaches. Even if the data damage was minor in the greater scheme of things, they have suffered immense reputational and regulatory damage in the form of fines.
Just who are these threat actors? There are those who are in it for the money alone, others who are state-sponsored, some who are driven by ideology and some who may even be disgruntled staff in your own organisation. In some of the most malicious attacks, competing businesses pay threat actors to bring down a business’s systems to benefit their own.
How do they achieve their goals? If you pay them a ransom, they make money. If you don’t, they will make money selling your data. They become vindictive and will widely publicise the extent of your data breach. Of course, if you did pay a ransom, you will be attacked again because the threat actor knows you pay. Often, as Armata, when we are called in to do an assessment of an environment after a breach, we find that the threat actors have built a backdoor for another attack at a future date. Most times, we find many more areas of vulnerability that sophisticated hackers would no doubt also have spotted.
With this in mind, let’s take a closer look at what a cybersecurity playbook entails. It is a blueprint for how to react to the crisis, with a clearly defined procedure. The incident response team is only one aspect. A proper computer security incident response team (CSIRT) process will include the C-suite and other vital team members, such as those who are responsible for the day-to-day operations, those dealing with stakeholders and customers, someone from the legal department, the heads of IT and the people who look after the various systems, and marketing and communications. The playbook has clearly defined functions and responsibilities for each of these people.
By way of example, suppose there has been a ransomware attack. The response may look like this:
The attack has only locked us out of our systems, and we can confirm that no data has been stolen. The only impact is that it has affected the running of the business, and so we either need to restore our systems or pay a ransom. Legal says that, since we have not lost data, we do not need to report a POPIA breach to the regulator, but it is advisable to let them know that we have had a ransomware attack and that we are looking at bolstering our security to stop it from happening again. The CEO asks what would happen if an employee lets the news out and the story gains legs of its own, and so suggests that the business announces the attack publicly, and frames it as a business-impacting event where no customer data was stolen and that it is business as usual pending the restoring of systems. The communications and PR team drafts the statement and reactive holding statements and manages potential media enquiries. The business then engages a specialist cybersecurity business to come in and run pen tests, analyse the system, and make recommendations on beefing up security and fixing vulnerabilities, or to take over the duties of a managed services arrangement.
The above is only a surface-level illustration of the process, but it is useful in explaining the scope of a cybersecurity playbook. Every organisation should take a moment to look into its own cybersecurity strategy and incident playbook and make sure that it has invested the type of attention it deserves.
Consider that if an organisation is attacked and the regulator finds that it did not take all reasonable steps to protect its systems, it could fall foul of compliance and be liable for massive fines and reputational damage. If, on the other hand, the business had been working with an expert partner, those questions would have already been dealt with and the incident response would have been managed correctly. Always seek out a partner that has experience across industries and organisation sizes, so that you can get the best possible advice and service to protect your organisation and your customers’ data.