Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome to Cash in the Cyber Sheets. I am James Bowers with Input Output, your chief security and compliance architect. Very happy to have you here with us today, happy to have you here with us every week if you're one of the few. It's growing.
We're getting more subscribers, so that's really cool. So today in light of, you may have heard about it in the news, we talked about it before, there's been a lot of data breaches. There was CDK a few weeks ago.
There was just the one with AT&T, which it's not a new data breach. It's been going on since 2022. They just found out about it in April, and just let everybody know, I think, last week.
And then also Evolve Financial Services, you may not have heard of them. They're actually the backbone to a lot of other financial services. So there's been a lot of other data breaches, but that's just to name the three, or three of the ones that are affecting millions upon millions of people.
So in light of that, I thought we would get back to basics today and want to go through just actually creating the information security incident response plan. And we're going to have a lot of good giveaways with it. In the description, we'll be able to, a lot of the stuff that we're going to talk about today, I'll actually put in there.
So like our ICERT list, which we'll go over that, communication matrix, how to handle, how to notify about an incident, also flyers that you can distribute to all of your employees. So a lot of really good stuff in there to help you if you don't have anything, to really get you ramped up and get you going. And if you do have some things, probably add a little extra flavor and help improve it a little bit.
So very excited. We'll jump into that before going any further. Shameless self-plug, please, please, please click that subscribe button.
If you like what we're doing, whether you're on Apple Podcasts, whether you're on Spotify or YouTube, go ahead and subscribe, really helps us out, and drop us a line. Let us know some things you want to hear about. Also kind of a cool new thing is I want to thank a couple of our sponsors that actually for quite a while now have helped us put together a lot of the information for incident response.
That would be Infiltration Labs. We actually had their owner, Brian Barnhart, on here before. We'll have him on again. But he gives a lot of great information about what it looks like when things happen.
So when it hits the fan, Brian Barnhart with Infiltration Labs is phenomenal at helping you get the pieces put back together. And for the day-to-day management, Autonomate IT. They integrate it with everything they do and have an excellent team that is always right on the spot.
I think the last time we looked with them, they have a 5.5 out of 5.5 customer satisfaction rate. So pretty solid. But definitely check them out.
Infiltration Labs, Autonomate IT. Thank you for all that you do. And now let's get into it.
So incident response plan, incident response policy, data breach plan, whatever you want to call it. It doesn't matter. They're all basically the same thing.
I don't know. There's some security experts out there that would say there's very specifics for different names. And yeah, that could be true.
But at the same time, different people are using the names interchangeably. So at the end of the day, it's all about communication. Are we getting the point across? And for our purposes, data breach, incident response, all of that, it's the same thing.
So I want to go through some of the core things. This definitely isn't everything. There's a lot that you can do on top of this to further improve, to make it better.
So I don't want you to walk away from here thinking we're not covering something because we're absolutely not. There's other things out there. But for the absolute core, core, core, and especially if you're in a place that you don't have anything, how you can really kick it, kick it off, get things put together quickly, is we want to first identify all of our ICERT members.
That's our Information Security Incident Response Team. In some industries, it's the Computer Incident Response Team. There's a lot of names for it.
Basically, these are the people that when it hits the fan, they're going to be the ones that are engaging to help manage it, to help recover from it, communications, everything. Then we'll also want to have a communication plan. That seems, especially when you're not in it, simple.
But knowing who to contact, how to contact, what to say, very, very important when you're actually in the fire. You don't want to be trying to figure out your exit strategy while you're in the burning building. So we'll show how to put that together.
We'll walk through identifying how it is that people can notify your associates, third parties, anybody can notify you of a security incident. Whether they see something weird, they suspect something, or definitively something's happened, we'll show how you can easily outline what they need to do, how they need to do it, how they need to interact with you. Also talk about a little bit how you should document your incidents.
It's very important for regulatory requirements, but also internally just to know what happened so that you can do your post-mortem or your lessons learned after to see how can we minimize things like that from happening in the future, either completely prevent them or reduce the impact if we feel it again, how can we make it not hurt so much. And then also going through how we need to report and communicate with affected parties. When we discover the breach, during the breach, and after the breach.
So we'll go through each of that, and like I said, in the description we'll have some different good freebies in there that can help you kick this off and will relate to what we're talking about. So very first part, if you don't, if you put aside the project management side of defining our scope, defining the goals, we're putting an incident response plan together. We need to first identify our incident response team, our ICERT, who's going to do what.
And this list I'm going to give, it's in no way an exhaustive list. You can put anybody on your incident response team that makes sense, that would be able to support the organization. All the applicable relevant stakeholders, subject matter experts, you should have them on there.
And just because they're listed on your incident response team, just because they're on that actual list, it doesn't mean that they have direct responsibilities, so to say, that they're having to monitor things always. It can just be contacts, like our insurance company. It's just a list of all the different people that we may need on there in case things go sideways.
We've got it, bam, one place, here's exactly who we reach out to, and here's who we get involved with. So number one, the kind of head honcho of the whole team is our ICERT lead, our incident response coordinator. And really, they're just, they're the project manager.
They're the ones that are going to keep the project moving forward, making sure the different members are following up on their parts, are doing the things that they need to do, following up with the different team members, and really just managing it all and keeping it moving forward. They don't necessarily need to be the most technical person, but typically the best person here is someone in your organization that has got great leadership skills, and also good at project management. They've got some experience with it, and they've shown that they're able to keep things moving.
The last thing that you want to happen during an incident is for some to-dos to go out there, some requests to go out there, and it just gets stagnant. Nobody's following up, nobody's giving what they need to, and now this team can't do what they need to do because this team didn't give them what they need. That's really where the coordinator comes in and helps, keeps that moving.
And if all they're doing is just staying on the phone, staying on the emails, hey, we need this, get this to this team, get this to this person, keep this moving, that's perfect. That's fine. That's all they need to do, just keep moving the ball down the field.
The next that we're going to have is, in our ICERT list, we have a lot of these separated because some of the organizations that we work with are larger and they have more specialized teams. Bye-bye, bug. They have more specialized teams for like an actual information security officer, a chief technology officer, an IT director, a chief privacy officer, or a data privacy officer, potato, potatoe in some cases.
In a lot of organizations, this is all going to be the same person, perfectly okay. It's also worth noting that this can be external parties as well. So, maybe for our executive technology lead, we just don't feel comfortable that we have those resources internally.
We can basically sub that out to, maybe it's our MSP provider, like Automate IT. Maybe they're going to be our executive tech lead. Then we list the main contact over there or their top technician who we would work with.
That's perfectly okay. I would caution against subbing out your coordinator. That should typically be somebody internal that you can keep things moving.
Or, if you are going to sub it out, just have somebody internal over them just to make sure are you doing what you need to do. That's okay as well. But, some of the ones that we want to list on here is we want to identify our executive technical lead, our information security lead.
They're the ones that actually manage information security, typically the setup that a lot of times is our chief information officer. Our information security program director. So, that could be like the director of our ISMS, our information security management system, or our ISP, our information security program, or whatever you want to call it.
Each regulation, each standard has their own name. So, good for them. But, basically who manages the information security program? Again, a lot of times this is the same role as like our executive tech lead or our information security lead.
That's okay. Sometimes it's separate. And, when it is, we just want to make sure we know who's managing what, who can help with the planning, who understands our entire environment from a technical point of view, who can update the policies and procedures, who can tie it all together.
That's why we want to identify each of these. We also want to definitely identify our information privacy officer. That could be our chief compliance officer.
That could be our data protection officer. A lot of different names for them. What they do, however, is make sure that you're following all the applicable privacy laws and requirements.
So, each state, they have different privacy and notification requirements, how you have to notify the state, how you have to notify affected parties. And, that's going to vary, not based on where your organization is, but your customer's area of residence. So, where each customer has their residence, that information that you have from that customer is managed by that jurisdiction, typically the state.
If you have clients that are in the EU, then you're going to have to follow GDPR. So, the data privacy officer, the information security officer, privacy officer, they're managing all of that to make sure that we're notifying and following all the applicable laws, regulations, and doing what we need to in respect to personally identifiable information, typically. If you are under HIPAA, whether you're a covered entity or a business associate, you need to specifically identify a HIPAA security officer.
It is completely okay if that is the same person that's doing all of these other things. That is perfectly fine. But, again, we just want to make sure that we have it, if we're covered under HIPAA, that has to be specifically documented.
We also want to have a contact or contacts, multiple, for senior management. That doesn't mean that they necessarily need to be involved every step of the way. Some senior management teams, C-level, want to be.
They want to know everything that's going on, and they'll typically communicate that with the ICERT coordinator, the lead, or the chief technology lead or chief information officer. Some C-suites and senior management teams don't want to be involved. Either is okay.
But we still need to list at least one contact that understands what's going on, understands their role, and at a minimum would be there to be able to make decisions, authorize things that the other team members can't do, whether that's capital expenses, whether that's shutting certain systems down, whether that's communicating with law enforcement. However that is, we need to have somebody at the highest executive level that can make a decision on anything that we need to make a decision on. Next that are good to have on there, and a lot of these now that we're listing aren't necessarily involved with you on a day-to-day basis.
These may just be documenting the numbers and contacts of who to reach out to, but that way you have it all in one single place. But is your legal counsel, legal general counsel, I would list on the ICERT each different type of legal support that you have. So if you have a general, if you have say for HR, if you have a privacy attorney, list all of them there.
That way when something happens, depending on exactly the type of incident, the type of event, you've got the information there to contact who's relevant. But again, each incident you're probably not going to engage or interact with each of these. The next is, this can be internal or external, but public relations.
Who's going to manage basically what you put out there in the public? Your communications? They'll typically work very, very close with your data protection officer and senior management to know, okay, what do we absolutely have to say? Data protection officer would probably bring that in. Public relations would say, okay, I get what we have to say. Let's say it like this because it sounds better.
We're still following the law, but this helps protect some of our reputation, lets us save some face. That's what public relations does. And they're going to, they typically also have the contacts with news stations, with social channels, everything else, and they'll be able to, sometimes they just technically manage getting those communications out there.
Next is listing all of your insurance policy contacts. Just general liability, cyber insurance, E&O, all of the different insurance policies you have, list them on here. And I would also recommend listing some supporting information as well.
So not just the contacts, but policy numbers, if there's specific reporting or claim guidelines, maybe put those there or at least a link to right where it's at, and perhaps even deductibles so that you understand, hey, if we're going to reach out to this insurance company, it's going to cost us $50,000. But based on what's going on, based on what our other ICERT members have said, we need to go ahead and do it. That's just, again, not necessary, but real helpful when you're in the middle of everything to have it all right there.
That way, that can sometimes save you one or two meetings to where when you're having your initial meeting, you've got that information already, you can discuss it, make a decision, rather than having to go out and get the information, come back for another meeting to then make a decision. So it can help expedite things as well. Also good to list are any cyber response teams that you have.
Now, internal IT, your internal tech support is definitely going to be involved. But if you have any specific, say, incident response teams, forensic experts, which is actually its own area we'll get into next, but just any specific teams, you'll want to list them here. And before picking one, check with your insurance company.
A lot of times if you have a cyber insurance policy, you've actually got to use the cyber teams, the forensics experts that they specify. So don't spin your wheels, check with them first, but list them all on here. The next, and this is one that we partner with a lot, is forensics investigation, forensics experts.
So like Infiltration Labs, they're very important because they can come in, sift through all the different logs that you have, look at all the different systems, and be able to help you pinpoint, if you have the appropriate logs and data, help you pinpoint exactly what happened. And this is such an important part for companies. We've talked about it before, but a lot of companies look at this as a thing of, we're just paying money to figure out what happened, and I think feel like they're spending money that they don't really need to.
But more importantly, the forensics expert is showing you what didn't happen. And here's why that's important. With practically every privacy regulation out there, every law, if we cannot show evidence that somebody, that our clients, business partners were not impacted, if we can't show that, we have to assume they were, and that means we have to send out notifications, that's like a year or two of credit monitoring, means we need to do all those different things.
If a forensics expert comes in and says, here's exactly where they went, they hit this system, this system, and they actually didn't access any of your client databases, they didn't get any client information, no PII, no PHI, no medical, no financial data, they just got in and kind of trampled around or got some of your company data, but nothing on your customers. Well, that means we don't need to specifically notify anybody. Little asterisk, we don't provide legal advice, always follow the advice of any of your legal professionals, legal counsel, that should be on your list, back to the broadcast.
But, you should be able to limit who you notify, what remediations you have to do, and that all culminates to ultimately how much money you have to spend. So, that forensics expert can actually keep an incident that may have cost half a million, a million, two million dollars in reporting and remediation costs down to a few thousand because they can show that nothing happened. It's very important to understand with practically every privacy law, you're essentially assumed breached, kind of assumed guilty until proven otherwise, and that's what that forensics expert can do.
It's also very helpful because they can show you exactly how they got in, help you plug those holes, and also help to identify is there anything else that's lingering. So, very, very, very important. Again, though, just make sure to check with your insurance company before you choose one.
Sometimes you have to use specifically who they specify. So, it's very, very good to check with them. We're good on time.
So, again, that's our ICERT. Not an exhaustive list, but anybody and everybody on there that you feel is important, you know, list local law enforcement, list your local FBI field offices, put the FTC information on there, anybody and everybody that could provide support or would be a good contact during an incident, get them put on there, and that way you'll have it all in one place. With them in place, we also want to have a good communication plan.
Our WISP, our Written Information Security Program policy, has that all in there, but ultimately what you want to do is for each of those ICERT members, and then also a section for affected parties, whether that's clients, business partners, whoever, for each of the ICERT members, we want to list what type of training do they need. So, prior to an incident, prior to an event, what type of training do we need to give them? A lot of the people that are in our organization, we need to make sure that they understand what they need to do, how they need to engage, where all these resources are at. Some of our supporting teams, like perhaps external cyber response teams, forensics experts, that's most likely just having an NDA or some sort of retainer or contract in place so that when they're ready to, when it happens, we don't need to go through a whole supplier approval process, they can just, they can get started.
External stakeholders, affected parties, clients, other business partners, there's no training there. We'll talk to them if something happens. So we want to identify the training requirements, then we want to identify what we need to communicate for each of the different parties, so internal and external.
And we break this up to where it's, when we discover a breach, what do we have to communicate, who are we communicating that to? During our investigation. So, senior management, they may just want a little bit of information, hey, keep us informed. The coordinator, they've got to know everything going on.
Clients or affected parties, when there's a suspected breach that may have impacted them, we need to send them something. And then, depending on how long the investigation is going, we should give relevant updates. And a lot of that's going to be dictated by relevant jurisdictions, privacy laws, privacy requirements.
But then at the conclusion, what do we need to provide to everybody? Our ICERT team is going to be what happened, how it got closed out, and then our lessons learned, how can we improve, avoid. For all the affected parties, it's going to be, here's what we finally discovered, here's what the outcome was, and here's what that means for you. So, it's good to have that all in a central matrix.
And then the final part in that is just typically who's managing that communication. I would, with everything, name one primary person or one primary team so that you have one head on the chopping block. If you list, say, the entire ICERT or a lot of different people on there, that just turns into a situation where everybody thought that somebody else was handling it so it doesn't get done.
So, keep that concise. General good project management stuff. Very technical term.
So, the next part is the notification. How, and this gets confused a lot, and it's almost like doublespeak. Are we reporting, notifying that something's happened or reporting out to people to let them know something's happened? In this section, we're talking about how do associates, how does anybody let your company know, let the ICERT know that, hey, something ain't right, something's gone sideways, my laptop just got stolen, or my computer's not working right, or holy hell, everything's now encrypted.
How do they need to reach out? And a lot of times this will seem simple. Well, just send in a ticket or you just call. When you actually, if you go around and start asking all of your employees, we do that a lot because we do audits, you get a lot of different answers.
So, it's very, very important with this part, make sure to define that. And that can be simple. Always, always remind everybody, human safety, paramount, be in a safe place.
Human safety comes first, then data. Unless, of course, you're in some government side with certain top secret information that kind of flips, that's not a stab, that's understandably because it could affect a lot more people. But on the commercial side, on the business side, human safety comes first.
So, just always make sure to remind people, hey, if you're going to call in that the building is on fire, please make sure you're out of the building first. Make sure you're in a safe place. Then let us know.
But provide a good email that they can send to. What email should this go to? Provide a direct phone number. Who can you call? And if you set this up as call your direct manager, that's fine.
Make sure there's a process for those direct managers so that they know who to reach out to. And if you have a portal, some companies do have an online portal, provide that website. So, email, phone number, website, any other direct method.
List those out. If you have secondary or backup reporting channels, make sure to put those in. So, kind of an example from ours, we've got specifically emailing a direct ICERT member.
Things are going on. I don't remember the exact process. Just email one of the people there and we'll keep it moving along.
A direct call to anybody on the ICERT list or a manager for engaging with a direct supervisor or point of contact. So, if it's like a business partner, hey, you can work with your direct point of contact to get us engaged as well. If you have the capability, not everybody does, but if you have the capability, also list how people can report anonymously.
Now, this can be done with website portals. This can be done with Microsoft Forms. You can even put a process in place to say, hey, listen, you can call this number and leave a message.
We don't track any of the caller IDs. You can have a trusted third party call in to let us know. Just make sure if you're doing that that you're not disclosing information to an unauthorized third party.
There's a lot of different ways you can handle that. But it's good to have a way that people can report anonymously because then you can easily tie this into your whistleblower process. There's a lot of regulations out there that require anonymous whistleblowing.
So, kill two birds with one stone. Just do it as part of your incident response process and then it's all easy, all done. So, the next big part, and this could be an entire module, an entire few podcasts just on this, but the reporting to internal and external parties.
We'll sum this up here. This is going to be driven a lot by legal, by your data privacy officer, by senior management, public relations. They're going to handle a lot of these things.
But we should identify and have templates for discovery. When we see something that happens, how are we reporting to affected parties, internally and externally? What do we need to say? What information can we provide, should we provide, and how is that going to be managed? And what's the time frame? Typically, it needs to be as soon as possible. A lot of privacy regulations give you up to 30 days.
Make sure, make sure, make sure you work with your data privacy officer and legal to make sure you're handling that right. It's a jungle of different regulatory and privacy requirements. There are 12 days, 15 days, 30 days, 60 days.
Work with data privacy officer, legal, make sure you have that right. During the investigation, how you need to make reports, what do we need to update, who do we need to update? Can we send something out saying, hey, we looked at it, you're not affected. Or do we need to send something out saying we've gotten to a point where we see some of your data is impacted, we don't know exactly what.
But here's the steps to take. Also, in these communications, you need to have contacts for who people can reach out to with questions. Finally, and this is where I don't want to say most important, they're all important.
But this is typically what people focus on the most. But the conclusion, what do we have to send out once we've done our investigation, once we figure out everything that's happened? What do we have to send out, who do we have to notify? Work with all the applicable ICERT members, but you want to identify what happened. You don't necessarily need to say how it happened, but what happened, who's affected, what was affected, and what that means for them.
And then also any remediation steps, anything that's going on. This is where your forensics expert can really help you out. Because if they can show that a lot of your databases, a lot of information was not accessed, then that's a much better email to send.
That's a much better letter to say, hey, somebody got in. Based on how we segregate everything and our great security practices, you were not impacted. Just wanted to let you know.
We wanted to let you know not to worry. And stay with us as we continue to build and rebuild our trust with you, yada, yada, yada, public relations stuff. Much better letter than writing to say, hey, we have no idea what happened, so we're assuming all of your stuff was breached.
If that doesn't go over well, that loses a lot of clients. Interesting to point out is I actually have seen where the reporting was handled very well. The ICERT was working really well, so they identified what happened.
They were on it. They were structured. Where that actually helped their client retention.
And in post-surveys, a lot of clients said that they felt safer with the company. Because of how Johnny on the spot they were with it. That you all seem structured.
You let us know what happened. It's typically better if none of my information was impacted, but we get a sense from you that you're doing everything you can do. And, hey, we're all human.
We understand it. We all understand that data breaches are going to happen. So if a client can see that you're doing everything you can do, and also that you've structured it in ways with their protection in mind, it really goes a long way.
So kind of dipping the toe into the risk management opportunity management there. But it's not all bad. There are opportunities there.
As we kind of get to the end here, let's see. We'll have the ticket format. You want to have a specific ticket format in there.
And we'll actually have that, again, in the description. You can do that however you want. But just a basic documentation timeline that shows what happened, what we discovered, our assessment, our lessons learned.
And then you can keep that on file with any supporting evidence. So if any regulatory bodies come in, you can say, hey, listen, here's our stuff. Here's what we did.
Here's why we didn't send out a notification. Because we have this evidence here showing we didn't need to. So that's very important.
Something that a lot of companies overlook, however, is giving specific training, giving specific guidance for what employees should say to authorities or clients calling in. You can have a situation that's not a situation. Maybe somebody got into a computer, but they didn't get access to anything.
Out of abundance of caution and a good security team, they shut things down for the day to really dive into it. A client goes to log in. They can't.
They call in. And the employee picks up the phone and says, yeah, sorry, our systems are down. We had a major data breach.
We'll be back up. We'll let you know when. Click.
That starts a wildfire. Or if, God forbid, a legal team calls in or if it's the press, they somehow call in and ask. You don't want your front line, you don't want anybody in the company talking about that incident to anybody except for who you've specified.
Typically public relations or senior management. So what's really important, and it's not a long process, it doesn't need to be complicated, just give training, give guidance for what employees need to say. If law enforcement, legal, client, press, anybody calls in asking about an incident, what should they say? How should they handle it? Who should they transfer it to? And how should they do that? And typically that's just, hey, thank you for calling in.
I don't have any particular information. Let me get you to the team member that does or to the department that does. Give me just a moment.
Let me get you transferred. I'll stay on the line until you get over there. Hand it off and then you're done.
That's it. You don't need to get complicated with this. Very imperative.
Talk to your employees, talk to everybody about how to communicate when things are going on so that you don't turn a bad situation into a worse situation or a no situation into something, an actual situation. That's all incredibly articulate and just some of the wonderful things that you get from listening to this show, but I think you get where I'm going with it. Very, very important.
A lot of people gloss over it. That's going to be something that we're going to have, again, in the description. It'll take you to a link that will give you the downloads for all this stuff, and it's just a really good structure.
You can plug in all of your information, how you want to do it, edit it however you want to, completely okay, but a really good basis for it. I will go ahead and end with it's all well and good to put all this in place. Make sure you provide training.
Make sure you communicate out to everybody. Hey, here's what we did. Here's what you need to do.
A great way to do that is in your security awareness training programs. Also, and we'll have it in the description, but we create a flyer that just has some of this relevant information on it and then put that right in high traffic areas, in the break room, in the copy room, anywhere that somebody can directly see it. It's a big red flyer that says basically if you see something, say something, here's how to do it, here's who to do it to, and if you get a call, here's what you say, here's what you don't say.
Very simple, one-page thing, but again, you're doing all this work, all this planning. Make sure it can actually be executed and actually be useful. Communicate it out.
Get it out to everybody. So that wraps up basically our time for today. Like I said, there is so much more that we could go into here, how to integrate this into your business continuity and disaster recovery process, how to perform the tabletops, how to perform tests, how to deep dive, how you develop playbooks.
So depending on the type of incident, exactly what you do. We're all more than happy to connect with you to help on a one-to-one basis, but we'll continue talking about these things. Like we talked about today, identifying the team, creating a communication plan, showing how you're going to communicate with internal and external parties, letting people know how to notify you, and then how to communicate with external parties, asking questions about it.
Those are really the big hitters, and then everything else you can continue to build on from there. So thank you again for listening to Cash in the Cyber Sheets. Please don't forget, hit those subscribe buttons, leave us some comments, shoot us an email if there's something specific you want to talk about.
Maybe you all are going through something in your organization and you'd like a deep dive in it, basically some free consulting. Go ahead and put that in there, and we're more than happy to talk about it. Thank you again for listening.
We'll see you next Thursday, same time, same places. Thanks for listening.