On October 16, Daniel Cherrin spoke at the Wall Street Journal PRO Cybersecurity Small Business Academy at the Monarch Beach Resort in Dana Park, California. Below is an excerpt from his remarks on Incident Response on a Budget.
“I am convinced that there are only two types of companies: Those that have been hacked and those that will be. Even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert S. Mueller
There are steps you can take right now to minimize risk and avoid damaging your reputation from cybersecurity threats., and it won’t cost you anything.
What are they?
Create a culture of vigilance,
Build the right team,
Know where you are vulnerable,
Prepare to be attacked and,
Get ready to respond.
I don’t want you to take it personally, but most cyberattacks are not targeted.
They target the vulnerable and the unprotected.
It does not matter if you are a Fortune 500 company, a small business, or a lover of AI.
You and I both know it can’t happen to us. The reality is that it will.
The complexities involved in dealing with it are enormous – so we need to really find someone who can help us, and avoid a DIY solution.
I am not sure about the costs – but really, we can’t afford not to make the investment.
While you can’t plan for everything, you must prepare for the next crisis.
I bet, most companies are not prepared. This includes:
Google, Facebook, Under Armour, Adidas, Macy’s, Equifax, Best Buy, Delta, Panera, Sears, Uber, Anthem, DNC, Ashley Madison, JP Morgan Chase, Home Depot, eBay, Target, Adobe, Yahoo, LinkedIn, RSA, Sony.
With data as the newest commodity, there has been an increase of cyber security breaches collecting credit card information, your employees W-2s and even their health insurance… and size does not matter.
Every day we read or hear about the latest data breaches and other crises we as business leaders face.
Yesterday’s cyber-breaches are warning shots sent to companies and governments that they may be next.
According to the Verizon Data Breach Investigation Report,
61% of data breaches hit smaller businesses,
Costing your company somewhere between $84,000 and $148,000.
WHAT HAVE CORPORATE VICTIMS LEARNED FROM THEIR BREACH?
I know those companies have learned a lot and we have a lot to learn from them.
Deloitte recently surveyed the executives following a breach and found that if they had a do over, they would focus more on preparation rather than perspiration.
This includes:
Knowing where you are vulnerable
Create an early warning system
Communicate better
Be prepared
Invest in prevention
Follow protocol
By not being prepared, companies are naked and exposed, remaining vulnerable to loss or destruction of data; disruption for your business, litigation, investigations, and damage to your reputation.
A Four-Step Process to responding to a crises
You may be considered a small business, but you have to think big and protect yourself.
This includes thinking about protecting yourself in Four Stages of Crisis Management.
Readiness
Response
Reassurance
Recovery
In virtually every case, the time we start to think about crisis management is in the Second Stage – Post Breach.
But for any business, we really need to starting thinking about protecting ourselves and our customers before an attack.
So, WHAT IS STANDING IN YOUR WAY?
You know you need it, but for whatever reason, time, money, resources, we have not stepped up to do anything about it.
You can save a lot of time and a lot money if you focus on pre-breach readiness.
Why is this so important?
UPS Capital estimates that 60% of small businesses go out of business within six months of an attack and 90 percent of those small businesses did not have cyber-insurance.
So, LETS START AT THE BEGINNING, and let’s start with how bad do you want your day to be?
To protect the health and safety of your clients, customers and staff while at the same time, protecting your company’s reputation, you can’t afford to be caught off guard.
What are you going to do next to prepare when it is your turn and when are you going to realize that you can no longer ignore the problem of being exposed.
We will never be 100 percent cybersecure, so we need to be vigilant and prepare for the attack.
A majority of companies today, do not have a crisis management plan and do not make it a part of their business strategy.
You can plan and prepare all you want for a crises but even the best plans won’t be followed if you are caught off guard, unless your company creates a culture of crisis preparedness that includes cooperation, collaboration and communication.
CREATING A CULTURE OF CRISIS PREPAREDNESS
Every team member must be on guard for potential threats.
We all need to know what to do if something bad happens and how to minimize the damage.
While we cannot stop the threats, with proper training and a business culture, focused on vigilance and prevention we can limit the action and mitigate any damage should one occur.
How?
Talk about it….A lot. Talk about the latest breach you heard about, ask if it can happen to us and seek input from your staff.
Know the laws and make sure your team knows them too.
Through ongoing communications with key stakeholders you can be pro-active and responsive to issues before they become a crisis.
In monitoring the media, the competition and others in the industry, not just in the US, but globally, you can be better informed.
Before anything happens we should know the right people in government, law, finance, IT and the media. This includes knowing our customers and having solid strategic relationships with them, while building goodwill with others.
Training and knowing where your reputation is at risk, where you are vulnerable and how you can work to minimize your risk and exposure.
By recognizing the work of your employees, you can highlight the importance of being vigilant and value those that take the necessary steps to protect our customers and our company….Why is this so important?
Our employees are our weakest link
A recent report from Intel stated that 43% of network security breaches were a result of an internal actor. Half were intentional and half were accidental.
Update your policies and procedures
Knowing now that you are at risk, it is important to have the policies and protocols in place to help guide the rest of your company in becoming just as vigilant as you.
Therefore, you should update your company’s policies and practices, host trainings and find other ways to engage your staff in being your eyes and ears looking out for issues of concern.
Policies to update or create include:
Social media policy
Incident reporting
Safe browser use
Acceptable use
Conflict of interest
Data protection
Password policy
Privacy
Travel Policy
You need to also revisit your insurance policy related to cybersecurity and other breaches, including when that policy requires you to notify others of a potential breach, and whether or not they have the consultants to support you.
They may even have the resources to come into your company and train your employees or help revise these policies.
THE TEAM, THE TEAM, THE TEAM
Creating the culture starts at the top, with your company’s executive leadership team, reinforcing a culture of vigilance, preparedness and responsiveness.
So, start to assemble the team to help think of areas where you are most vulnerable, so you can start to prepare for the inevitable crisis.
It important to bring together the right people who can respond, quickly and strategically.
So, who is that?
Internally, that could be your: CEO, CFO, COO, CISO, CLO, CMO, department heads, outside legal counsel and an outside PR or crisis management firm.
If you do not have a CIO, CMO or CSO, or even a lawyer on staff, you need to find the outside consultants who can fill those gaps.
Having a team of professionals, skilled in key disciplines, coupled with the right relationships, with the ability to remove themselves from the chaos and offer their unbiased advice is crucial in any crisis.
If you can imagine it, they can do it. If you can’t think about it, they are already working on it.
With your team in place it’s time you prepare for the next crisis.
Convene the crisis management team to brainstorm all possible scenarios for which you may need to respond.
To help jump start that conversation, start with a few hypothetical questions. You may want to bring in a consultant to lead the discussion and ask uncomfortable questions to see where you are exposed.
Pare down the list of potential issues by identifying those most likely to occur with the largest impact to the company’s brand or bottom line or for which the organization most needs to be prepared.
“As I learned during my time as Homeland Security Secretary, planning, equipping training and exercising are what will prepare you to face unexpected threats.” Michael Chertoff, Former Secretary of Homeland Security
Then let’s test what we learned about ourselves.
The Internet is the new battlefield and just like in battle, you need to practice and prepare to see if your plan works.
Table top exercise and simulations provide the perfect opportunity to test your systems and response, given the crisis.
They will highlight your vulnerabilities and potential gaps in policies, protocols and communications.
While you can find various free scenarios on line, such as on FEMA.gov, there are also affordable options that could be more tailored to specific scenarios, led by a trained facilitator, including the Response Readiness Training offered by The Wall Street Journal.
This is something I am working on with the Wall Street Journal and leading their network of facilitators, to walk through the various scenarios and ask questions at the conclusion of the training, such as:
What worked well or did not work well?
Which areas require improvement?
What types of gaps in the response process did we discover?
What are the team dynamics? Were there any communication failures?
Were stated processes and procedures followed or do new ones need to be created?
What was the level of knowledge participants had on the issues?
What are the next steps in terms of identifying and filling needs?
In creating a culture of vigilance and putting your crisis management team in place, along with creating your crisis management plan, there are other steps that you can and should take now to minimize and monitor and otherwise protect your company that do not cost a lot of money.
For example,
Outside the companies exhibiting here today offer a suite of options to protect you, including monitoring, alert sys., and options to backup and recover data.
There are plenty of tools such as free websites to review questionable documents or monitor traffic and software to detect threats. However, I am not a technology expert and so I defer to a CIO or IT person to tell you which ones work best.
You can consult CISO networks or consulting firms like Deloitte or Earnst & Young and their Cyber Risk Division to help establish the best controls to defend against emerging threats.
Some trade associations may also offer cybersecurity packages. For example, the Small Business Association of Michigan, of which I am a board member of, offers pre-breach services, including cyber security insurance.
Your insurance agent will also know if your policy extends to cyber and if not what you need to do to get the best policy given your industry.
THE MIDDLE DRAWER STATEMENT
Another easy thing to do that could save you time later on, is to develop a Middle Drawer Statement.
These are facts sheets on areas where an organization is vulnerable, for you to refer to quickly, found in the middle drawer, in times of a crises, that lays out a specific response to a specific issue. It is meant to act as a quick guide to responding to an area where you are vulnerable.
MESSAGING
The Middle Drawer Statement will help you know what to say when your security is breached.
If there is one thing we can learn from past breaches, we know that they provide us with a roadmap of how to respond to the next one.
For example, In 2017, the Securities Exchange Commission (SEC) was attacked and they provided companies the script for what to say if their data is breached.
“Even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face.” SEC
Those words are certain to be cited back to the SEC by any company, when questions are raised about their cybersecurity efforts.
In the hours following a data breach you can alert your stakeholders with a simple message:
There has been a breach;
We are investigating the source; and,
Here is what we are doing about it
You are letting people know what happened and what you are doing about it. You will then need to be prepared to respond to inquiries until the situation is resolved.
I received a similar letter from Michigan State University. I thought its informative, empathetic and forward-looking.
IS YOUR WEBSITE UP-TO-DATE?
Your website also provides a crucial media channel to communicate with your stakeholders.
Your website needs to be up-to-date and you need to have an active social media presence, if not actively posting, you should have someone actively monitoring it for you.
They will be the first place a reporter looks to find the latest information on your company and the issues you are involved in.
It also remains the best place for you to update key stakeholders on the issue.
Just make sure to keep it update and refer people there.
THE CRISIS BAROMETER]
Creating a culture of vigilance, putting the team in place, identifying your vulnerabilities and working now to minimize any damage is vital to protecting your reputation.
You will be judged by how you respond to an issue becoming a problem.
In making this evaluation, it is important for your company to have a barometer to help gauge or determine the severity of an issue.
Every company should create their own barometer as part of their crisis planning.
KNOW THE LAW(S)
There are also an abundance of laws, regulations, guidelines, standard operating procedures, and best practices that must be understood and implemented in order to deal with emerging threats and disasters.
This includes when and how you must disclose a breach.
From the hodgepodge of US privacy and security laws, government directives, US Attorney General Opinions, and every state having their own notification law – All in conflict with each other, you need to know when and how to respond given the crises.
Depending on your industry there may also be specific rules and/or regulations that dictate how you disclose a breach or other crisis, not to mention the laws in other countries such as the EU with GDPR, Canada and others you may do business in or with.
Crises know no borders, and ones that impact data will require diligent monitoring and disclosure.
As a result, it is vital that you know the laws where you conduct business and where your customers are.
Failing to disclose a breach or other crisis will seriously impact a company’s value and reputation, in a matter of days.
Wait too long to make full disclosure and you will be ripe for Page One fodder in the morning news and a topic de jure on social media.
This is a key area we would explore in a table top exercise and one that you should consult your legal counsel.
The 5-Finger Response
Knowing when to disclose something will help formulate your response.
A response should focus on the following areas:
Financial + Legal + Operations + Reputation + Human
It does not matter if it is an employee-error; high profile litigation, government investigation, or industrial accident, if something happens a response needs to be immediate, decisive, and strategic.
SO WHO RESPONDS? Leadership needs to own the issue, but who responds depends on the situation.
That is why you need to be prepared. I am surprised by the number of company presidents and CEOs that do not want to get in front of a TV camera or microphone.
But strong leaders need to own the situation and seize the moment to protect their company’s reputation and their own.
KEEP YOUR CUSTOMERS TRUST OR WORK HARD TO WIN IT BACK
The third and fourth phase of crisis management is all about working quick and hard to ensure your customers do not lose their trust in you.
Following the initial response, effective crisis management requires conducting an investigation and developing an action plan that seeks to rectify the situation or at least explain what happened, why it happened, and what you are doing to make sure it does not happen again.
Here it is important to reassure your stakeholders that their needs are being adequately addressed by communicating all of the pertinent details.
This includes demonstrating your commitment to transparency and letting the public know that your organization is on top of this issue.
EVERY CRISIS COMES TO AN END
While we each have bad days, some have it worse than others. The good news is that you can survive any crisis if you are prepared.
Just last week, I shopped at Target and Home Depot. Each remain trusted brands despite going through a data breach a few years ago.
And during the break, I posted an update on Facebook.
The attacks on our companies and in our industry, will grow more persistent, diverse and frequent. It is time to prepare, so that that you are not caught OFF GUARD — Be proactive!
Watch what is happening in other industries and operate under the assumption that you are next — Prepare for it.
Conduct regular tests and trainings. Test your vulnerabilities and remain vigilant. And please buy insurance.
Companies are challenged today in how to communicate a breach or other crisis.
We are all vulnerable, but it is difficult for a company to own the problem.
Ignore it or let it linger, hoping it will go away will only make it worse.
Blame someone or minimize the impact and it becomes much worse.
Tell me what you know when you know it. You don't have to tell me everything but just give me something.
Based on our discussion today, I hope you are more prepared to deal with issues so you are now onguard and will not be caught offguard.
I hope you never have to use it! If you do, know that despite the bad days and difficult times, tomorrow brings a new day.
Thank You!