November 16, 2016 By Caleb Barlow 3 min read

You are driving in your car with your 10-year-old son in the passenger’s seat. A ball bounces in front of your car and you hit the brakes hard while simultaneously throwing your arm in front of the child, acting almost automatically. That’s called muscle memory, and it is a big part of what organizations need when responding to cyberattacks.

Cyberattack Defense Is Muscle Memory

When asked how to launch an effective cyberattack defense effort, most people give technology-related answers: Beef up the firewalls, fortify the network, and deploy better intrusion detection and security analytics solutions.

While technology is certainly important, the responses coming from your organization during and following the attack — the human side of the equation — are even more vital. Yet despite a wealth of good advice, I estimate that in 8 of the last 10 large-scale breaches, the response from the organization under attack did as much or more damage than the attack itself. Most of that damage was reputational.

Why is that? Very few C-level executives have been trained in crisis leadership. They seldom have to make urgent decisions in near-real time. The usual practice is to build a team around executives to provide input. They carefully study these inputs and weigh them against other information to develop a set of options. Eventually, they fashion a response. This could happen days or weeks later — or, in some cases, not at all.

The Worst Response Is No Response

That explains why the response to a major breach is so often little or no response at all. Often the blame is directed at some vague state-sponsored source when, in reality, the company has no legitimate suspects because attribution is very difficult. That’s when problems arise beyond the actual damage from the breach. Customers worry about their personal information. Suppliers and partners get antsy. Tort lawyers start to circle overhead. Confidence in the organization drops while suspicion mounts.

Almost all of this post-attack damage is avoidable and unnecessary. First, all organizations must presume that they will fall victim to a major breach at some point. There is no safe harbor, as should be evident to anyone listening to the news these days.

Second, the management team needs to undergo in-depth training in crisis management for when an attack does happen. This team needs to prepare and rehearse responses for customers, suppliers, regulators, the media and the board. Of the 50 states in the U.S., for example, 47 have their own unique breach disclosure laws. You must develop a plan in advance that complies with the laws specific to each state in which you do business. These responses must be ingrained as executive muscle memory.

Filling the Gaps

To help IT professionals thoroughly prepare to deal with cyberattacks, IBM opened its X-Force Command Center (XFCC), a simulator designed to train executives in the crisis leadership skills they’ll need to respond to a breach. In the all-day course at the XFCC, teams will first experience a highly realistic, simulated cyberattack. They’ll be exposed to the variety of ways the technical staff tries to detect and stop the attack and then swing into recovery mode.

Participants will spend the second half of the day planning the proper response steps and rehearsing them. The central idea is to infuse executives with the confidence and experience of doing something that their MBA training and business experience likely failed to address. Leadership during a cyberattack defense effort requires a full-throttle response in hours, not days or weeks.


A Predetermined, Definitive Response

Think back to the Tylenol scandal of 1982, when criminals tampered with bottles and laced the pain-relieving pills with poison that killed several people. Tylenol’s maker, Johnson & Johnson, immediately removed the product from all store shelves, even though there was no indication of a manufacturing problem. The parent company trusted its brand to survive such a hit, and indeed it did. The company was widely applauded for its leadership in a time of crisis and its near-instant response.

Breaches will continue to happen, possibly even at an accelerated pace, given the growing interconnectivity all around us and the expanding threat surface that comes with it. The worst thing a company can do in response is what so many end up doing — nothing. Instead, be prepared to meet the crisis with predetermined, definitive responses.

