Headlines every day demonstrate that every business on earth will have a cyber intrusion. It’s really a matter of when, not if. Depending on the type of industry a company is in, it could be at risk from a nation state, rogue criminals from inside or outside the U.S., kids, its own disgruntled present or past employees, and current employees who open a phishing email. Some companies fend off dozens to hundreds of attacks a day.
It’s now time for all businesses to develop a reasoned and thoughtful cyber intrusion plan to protect their assets. In April 2015 the Department of Justice Cybersecurity Unit published its “Best Practice for Victim Response and Report of Cyber Incidents” which includes the following topics:
I. Steps to Take Before a Cyber Intrusion or Attack Occurs
- Identify Your “Crown Jewels”
- Have an Actionable Plan in Place Before an Intrusion Occurs
- Have Appropriate Technology and Services in Place Before An Intrusion Occurs
- Have Appropriate Authorization in Place to Permit Network Monitoring
- Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident Management to Reduce Response Time During an Incident
- Ensure Organization Policies Align with Your Cyber Incident Response Plan
- Engage with Law Enforcement Before an Incident
- Establish Relationships with Cyber Information Sharing Organizations
II. Responding to a Computer Intrusion: Executing Your Incident Response Plan
- Step 1: Make an Initial Assessment
- Step 2: Implement Measures to Minimize Continuing Damage
- Step 3: Record and Collect Information
- Step 4: Notify
III. What Not to Do Following a Cyber Incident
- Do Not Use the Compromised System to Communicate
- Do Not Hack Into or Damage Another Network
IV. After a Computer Incident
Of course every industry has its own unique issues and requirements, here are some issues for you to consider:
- Have you created a Cyber Intrusion Disaster Plan that will help guide you?
- Since 47 states require reporting to affected individuals, are you prepared to respond? Or if affected individuals are in other countries, what laws may apply?
- If you process credit card transactions under the PCI DSS (Payment Card Industry Data Security Standards) are you familiar with the Forensic Investigation requirements?
- Regarding company data:
- Where does your data reside?
- Where do the backups reside?
- What data is in the Cloud?
- What country’s laws apply?
- What protections does your data/Cloud provider afford your data, and what does it do for your if there is a breach?
- What have you done to train your employees to avoid phishing emails that may lead to malware?
- Do your CIO (Chief Information Officer) and CISO (Chief Information Security Officer) have seats at the executive table? And what have you done to learn their techno jargon?
- Do you have cyber insurance, and if so, how much and for what threats?
- Does your Board understand enough about cyber threats to oversee management?
These are all important questions to consider. If you would like to discuss your Cyber Security planning, please let us know. We would be happy to help.
Partner Peter S. Vogel is the chair of Gardere's Internet, eCommerce and Technology Team. For more information, contact Mr. Vogel at firstname.lastname@example.org or 214-999-4422.