“At two-thirds of organizations, there is a fear that almost all employees, 95%, will not understand how to recover following a cyberattack.”
Why this is important: In past editions of Decoded, we have discussed the importance of having policies and procedures in place in the event of a cyberattack. It is easier to plan and prepare when things are calm than to react to an emergent situation when everything is chaotic and people are in a panic. Two-thirds of organizations fear that their employees will not be able to function effectively following a cyberattack. Leadership may believe that because they have a policy or procedure in place for how to respond to a data breach, they are prepared for one. Experts are finding that may not be the case.
It is not enough just to have a policy and procedure for how to respond to a data breach and keep operations afloat. You must have frequent training to instill the knowledge conveyed by those policies and procedures in your employees. However, a report by Immersive Labs states that such training is not happening often enough. This includes training your team regularly on the company’s data breach response plan. This is a document detailing how the company will respond in the event of a data breach, and it should initiate the process for identifying and containing the breach. However, if employees are not properly trained on it, then it will not be effective.
In creating the data breach response plan, the first step is to conduct a risk assessment and identify what would constitute a breach. The plan should also identify what would be affected by a breach, including data, people, applications, and systems. The data breach response plan should include the following:
- Identify the response team and its members – You need to create the nucleus of the organization that will be tasked with responding to the data breach, and identify each member's role. This team should be interdisciplinary and include members of the executive team, human resources, IT, legal (both inside and outside counsel), marketing, and communications.
- A contact list – Your company should have a contact list of everyone who needs to be notified in the event of a breach, and when they need to be contacted. This list should include regulatory authorities, legal counsel, insurance providers, cybersecurity specialists, IT providers, and PR.
- A communications plan – You should have prepared statements ready for various stakeholders in your organization, including customers, employees, and the media. This should be an adaptable plan that takes into consideration when and how statements should be released.
- A data recovery plan – You need a plan for how and in what order critical systems and data can be recovered in the event of a ransomware attack. This includes making the decision before such an attack whether the company will pay the ransom or not. The federal government recommends that a company not pay the ransom because payment only encourages additional attacks throughout the economy. If you have sufficiently prepared for a ransomware attack, including adequately backing up your data, then the decision on whether to pay a ransom or not is easier to make.
Creating the plan one time is not sufficient. Threats change and staff turns over, so the data breach response plan has to adapt as well. As part of the plan, you should incorporate at least annual reviews and updates of the data breach response plan.
It is not enough for company leadership to have a data breach response plan created and believe that is all that needs to be done. Creating the plan is the first step; now you have to train your team on it. Regular training on your data breach response plan is critical. Additionally, periodic meetings of your response team and outside support vendors, including legal counsel, are advisable so that they are all familiar and comfortable with each other, which will facilitate better coordination in the event of a data breach. Finally, your organization may want to set aside time each year to wargame a data breach to practice your team's response to various scenarios.
Governmental regulators and your insurers are watching, so being proactive in implementing a data breach response plan -- and training your staff on it -- is critical. Regulators are increasingly holding companies responsible for data breaches if they fail to properly protect customer data. Penalties for failing to sufficiently protect customer data, or to notify customers of a data breach, can be significant. Additionally, insurance providers are requiring these types of plans and training in order for your organization to obtain cybersecurity insurance. Finally, company executives are being held personally responsible in lawsuits that allege that they failed to uphold their fiduciary duties to the company and protect it against the financial and reputational damages that a data breach and an improper response can create. Therefore, it is necessary not only to create cybersecurity and data breach policies and procedures, but also to regularly train your employees on those policies and procedures. If your organization needs assistance with the creation of and training on cybersecurity policies and procedures, please contact a member of Spilman's Cybersecurity & Data Protection Practice Group for assistance. --- Alexander L. Turner