The Board is never going to care more about cyber security than after you’ve been hacked. Unfortunately, the incident response meeting is never a good meeting to have. But it can present an opportunity to realign your organisation around cyber security, and the opportunities that an effective cyber security programme can deliver.
Fundamentally, cyber security has a visibility problem. When everything is going right, no one really notices — except to perhaps complain about costs. Demonstrating that cyber brings real value to your organisation is critical. A breach doesn’t demonstrate the positive benefits of cyber investments, but it does illustrate the potential risk — a risk that, realistically, is growing.
The evolving risk landscape
The global pandemic and the resultant shift towards remote working have increased the number of cyber-attacks. Ransomware, malware and brute force attacks are all on the rise. An Interpol assessment of the impact of the pandemic on cybercrime has revealed a significant shift of targets from individuals and small businesses to major corporations, governments and critical infrastructure. But that doesn’t mean smaller businesses can rest on their laurels — it’s a dangerous cyber landscape out there, and remote working has only made things harder.
Cyber security is all about risk management and preparation. With that in mind, how do you prepare for the worst? How do you tell your Board about a hack and keep your job? That’s what we are going to explain here.
For more general advice on cyber security communication with the Board, check out our downloadable resource — Board Presentation Toolkit: Cyber Security and Threat Management.
Step 1: Take responsibility
If you’re talking to the Board about an attack, the buck stops with you. Even though regulations, such as GDPR, make it clear that responsibility for incidents or data breaches sits with the organisation and not an individual, don’t hide behind this from an internal standpoint.
Taking responsibility doesn’t mean that you are legally liable for the breach, but you should make it clear that you understand that your job is the effective delivery of a cyber security system. You might also want to point out any times you warned about the possibility of the kind of incident you are experiencing now. This is an appropriate thing to do. But it’s important that you frame all of this in the right way — namely, that you take personal responsibility for preventing this type of incident.
Fundamentally, by the time you are presenting to the Board, you should have instigated your incident management plan, which should be the central focus of your conversation. Just remember, the Board will want to hear you say “I should not have allowed this to occur”.
Step 2: Explain what happened without making unverified claims
The Board is going to want to know what happened. Share what you know, and share what you are doing to find out more. But it’s important to avoid making unverified claims — you don’t want to have to backtrack two or three days later.
You want to focus on the things the Board will find important — the financial consequences, regulatory repercussions, PR impact and the extent of the breach. When briefing the Board on the latest findings, keep the following in mind:
- Acknowledge the incident
- Provide details on business impact
- Outline gaps that need addressing
- Provide a mitigation plan
If you can bring this back to warnings you had made previously — all the better. But, again, you need to take responsibility while doing this. And be careful not to jump to a solution too quickly.
Step 3: Have a plan for next steps
You should be prepared with your next steps. According to the NCSC, the four core response stages to go through are: Analyse, Contain, Remediate and Recover.
- Analyse: Everything from technical analysis to reviewing social media reactions.
- Contain/Mitigate: Blocking activity, isolating systems and resetting accounts.
- Remediate/Eradicate: Fully removing the threat from your network and systems.
- Recover: Returning systems to ‘business as usual’. Final actions are taken to handle regulatory, legal, or PR issues.
The more information you have, and the more effort that has gone into planning before you report on the incident, the better. Your ability to demonstrate what you are going to do next will add credibility to your response and calm fears about repeated breaches.
Step 4: Recalibrate expectations
You have everyone’s attention during a breach, and the Board will want to understand how this will never happen again. This is where there are opportunities to be found in failure. Use the incident to highlight the importance of cyber security, and the value of aligning security with your organisation’s appetite for risk.
Something many people outside of cyber don’t understand is that there are no guarantees in cyber security. It’s all about weighing up direct costs, opportunity costs and risks. It’s critical that your organisation conducts an effective cyber risk assessment, and makes investments accordingly. It’s possible that the current breach is an outcome that your organisation deemed an acceptable risk. That might need to change moving forward. Either way, it should be taken into account.
Note: A direct cost is the actual cost of failure, e.g. fines, loss of revenue, loss of customers. An opportunity cost is what inaction forces on you, e.g. not being able to roll out a new customer-facing app because you can’t effectively manage the security risk.
Use your post-incident review as a lever
The post-incident review will be crucial in the recalibration stage — this should cover lessons learned about the cause and also about the response itself.
Lessons from the incident itself:
Use this review to consider both the tactical fixes that would have prevented or detected this incident, and the strategic solutions that may only reveal themselves across multiple cycles of incidents.
Look to answer questions such as:
- Are there security improvements which could have prevented the incident?
- Could we have had earlier detection?
Look for ineffective governance processes that may have led to multiple intrusions via previously unrecorded, internet-facing assets.
Lessons from the response:
- Was the response successful and effective?
- Were there elements which could have been handled better?
- Was there data which could have been useful but wasn’t available?
Keeping good records of activities during the response will assist with this review.
Modern cyber security needs to focus on flexibility and the accommodation of remote working. One technical component to consider is endpoint security: an approach that seeks to control the transfer of data between your network and its endpoints, so that the whole system is protected within an agile environment. For more information, check out the link below.
Suggested reading: How to Build a Better Cyber Security System Today
More fundamentally, it’s essential to build a repeatable cyber security process that will help you prioritise the right strategies and flexibly respond to internal and external changes. At Six Degrees, we have captured this within a five-stage cyber journey.
If you need to begin your analysis following a security breach, this is a great model to follow. The circular nature of this journey means that even by starting from the particular hacking incident, you can then work your way through all of the key questions and issues.
Security partners can help
We live in unprecedented times, and while best practice security processes and endpoint security solutions are available, expertise is in short supply. The cyber security skills shortage is real, and strategic partners can help you access the expertise you need, on-demand.
Fundamentally, you need a team that not only checks compliance with your security approach but continuously monitors the actions of the hackers. A team that continually upgrades your process of securing sensitive data.
Being placed in the firing line following a security breach is not a comfortable place to be. But it’s an opportunity to make the case for greater investment in more flexible and effective security systems. Long-term, an agile approach will enable you to do more with less.
Managed Security Providers can help you build the kind of flexibility you need, and access the skills required. At Six Degrees, we’ve been helping businesses improve their cyber outcomes for decades. Get in touch if you want help planning a better future.