28 June 2021
Crisis Management - Cyber Security
5 Steps You Can Take Today to Improve Your Organization’s Cybersecurity Preparedness
- Critical Cybersecurity Elements: Make sure your organization is aware of how regulators' expectations for the most critical cybersecurity controls are changing (for example multi-factor authentication, endpoint detection and response, encryption, and vulnerability patching), and that it has implemented those controls in line with an informed and agreed risk appetite.
- Audit: Understand what internal and external audit reports say about your organization's security posture, including how it benchmarks against peers. If you have implemented the critical cybersecurity elements, use audit to confirm that the implementation is truly across the board; in practice it often is not, and attackers hunt for exactly those gaps (the systems where MFA or patching was never rolled out) and seize on them.
- Tabletop Exercises: By now you should have a clear incident response plan for cyber incidents, including a clear communications and decision-making framework. But if your executives have never been through a simulation that walks the company through an incident, the plan may turn out to be neither helpful nor realistic. Plan a session in which the Board/C-Suite (and those advising them) participate in a tabletop exercise, and ask the hard questions, such as who signs off on whether or not to pay a ransom.
- Incident Response Partners: To respond to a cybersecurity incident, you will need a technical incident response vendor (a specialist firm, not your regular IT vendor), a law firm familiar with incident response, a public relations firm, perhaps a ransomware negotiation firm, and perhaps a client notification firm. Selecting these firms and negotiating contracts with each of them takes time, and spending that time before a crisis arises is highly recommended.
- Legal and Regulatory: Almost every breach involves notification to third parties and regulators. Although most organizations will not undertake a proactive, ground-up exercise to catalog 100% of their notification requirements, it makes sense to understand the key obligations and how you would meet them in practice. Now is the time to understand your regulatory, contractual and other notification responsibilities, and which of them take priority.