Does your company have an incident response plan for a data breach? If your organization is proactive — and in compliance with the growing number of data privacy laws — you should have a policy in place for that worst-case scenario of your files being compromised by a bad actor.

Do you also have plans in place if your business suffers another type of cyber incident? What would you do if your e-commerce website was hit with a distributed denial-of-service (DDoS) attack that took it offline for hours or if an employee clicked on a phishing email that spread malware throughout the system? Do you have someone monitoring your social media sites, which represent the identity of your company?

In her talk to an MPower 2019 audience, Allison Cerra, senior vice president and chief marketing officer of McAfee, said her worst day came one Easter Sunday when she was alerted that one of the company’s social media sites was defaced. The logo was turned into an obscene graphic. The description and other posts were replaced with vile commentary. The company faced a serious cybersecurity crisis without their network or corporate data ever being impacted. And, Cerra indicated, the company wasn’t ready for it.

Even though the company took positive steps to address the cyber incident — they kept leadership involved, they had an employee deleting unnecessary administrative access — they realized there were definite mistakes made along the way and during the cleanup phase. The biggest mistake, Cerra said, was that there was no real process in place to handle the attack.

Having the Cybersecurity Conversation

Putting an incident response plan in place begins with a conversation.

“We can’t have a conversation about security if we don’t start one,” Cerra told the audience. Everyone in the company should be included in that conversation, she added, because cybersecurity is a team sport. Everyone within the organization has a role, and everyone needs to know what their role is. The same applies to the organization’s departments: each has its own security needs and its own duty when it comes to addressing a cyber incident and managing the response.

Nor is the conversation a one-and-done speech by the CEO or chief information security officer (CISO). As Cerra noted, “Successful companies communicate early and often.” They hold regular drills to be prepared for the response — because a response will be needed. These conversations need to be holistic.

Again, cyber incidents are more than data breaches and stolen data. They are more than someone infiltrating your network. In McAfee’s case, it was a third-party site, where someone else had controls over security. That complicated McAfee’s ability to respond, too, which is why an incident response plan should include regular audits of third parties. How do they handle cybersecurity incidents on their end? What steps do they require from their partners to mitigate an incident? Who do you talk to if there is an incident involving your reputation and data on their end?

The Employee’s Responsibility

Response teams are often made up of a select few representatives, usually management and C-level, from different departments. The rest of the organization is often kept in the dark about cybersecurity response and overall cyber hygiene. That’s because the cybersecurity team is often invisible to the rest of the workforce — until, of course, something bad happens.

Any employee who uses a computer to access the network, whether on premises or remotely, whether on a company-owned device or a personal one, must step up to the plate when it comes to security hygiene and threat defense. They need to be included in the cybersecurity conversation on a regular basis, but they should also own their own cybersecurity role within the organization.

“Employees are equally responsible in ensuring those patches to laptops, mobile devices and other personal technologies remain current,” Cerra said.

It should go beyond patching, too. There are a lot of little things that employees should know and practice. Recognizing phishing emails and not opening suspicious links and attachments is something that all employees have (or should have) stressed to them over and over, but what else are your security and response teams doing to make employees part of the cybersecurity solution?

One such solution is ensuring employees know how to respond if there is a cyber incident. For instance, the default for many of us when we hear of a data breach is to automatically change passwords. But when should passwords be changed? In many cases, changing a site’s administrative password should be step one because as soon as an attacker realizes they have been discovered, they can also change the password, locking the actual security team out completely. But in other cases, the password should be changed after the incident is mitigated — changing passwords before a vulnerability is patched gives hackers the chance to go in and steal the new ones. In other instances, HR and IT should know to immediately rescind permissions and access when employees leave or shift job responsibilities.

The bottom line is that when a cyber incident hits a company, everyone is impacted in some way, from the CEO and board of directors to the receptionist at the front desk. Cybersecurity is a team sport, but every sport needs a playbook. If you don’t have one, it could result in the worst day of your organization’s life.
