How to recover from cybersecurity incidents: A 5-step plan

Cybersecurity prevention is essential, but it is failing miserably. Focus on how to recover from cybersecurity events by following these tips.

We humans like to think that if the right amount of effort is applied anything can be fixed. That is true, but only if the problem is apparent. The problems in today's complex digital world, in particular those associated with cybersecurity, are much more obscure. And if we are unaware of the problems, it's pretty hard to fix them.

Some reasons why it's hard to solve cybersecurity problems

When the movie A Beautiful Mind came out in 2001, it likely was the first look many had at game theory; since then, game theory has been applied in ways too numerous to count. It even helps explain why cyber bad guys win more often than not. "Elementary game theory posits that in any game of strategy offense is, by definition, one step ahead of defense," explains David Trepp, partner at BPM IT Assurance, in a North Bay Business Journal article. "In other words, playing defense requires waiting to see what the opposing offense comes up with and then responding. This is also true with cybersecurity; and trying to anticipate what hackers will think of next is destined to result in vulnerabilities."

Trepp then explains why unknown vulnerabilities in hardware and software are such a problem. "Ultimately, hackers have an easier job," he adds. "The second law of thermodynamics teaches us that it is easier to break things than it is to build them. Hence, hackers will always have an easier time finding vulnerabilities than engineers have in avoiding vulnerabilities while writing software."

A new approach to cybersecurity is needed

A new way of thinking about this conundrum has been evolving the past few years. Security experts are taking long, hard looks at what, if anything, is working and what is not. Truth be told, they are starting to admit it might be best to step outside the cybersecurity box and plan for data breaches, ransomware, and digital Black Mondays. The following measures have been suggested as ways to prepare for recovering from the inevitable cybersecurity events.

Have an incident-response plan: Every expert suggests having an incident-response plan. Although it is likely most companies already have one, it is critical to continually assess the incident-response plan to ensure it is workable with the current breach and company environment. For example, is the list of key contacts up to date?

It's also important to have a hard copy of the current incident-response plan readily available; bad guys have been known to steal or delete that type of information.

Practice cybersecurity-event scenarios: Military planners know better than anyone that practice helps prepare for the unknown—and what better way to have the incident-response team gel into a cohesive unit than to practice recovering from various cybersecurity-event scenarios.

Keep abreast of laws and regulations: The time to figure out which regulations and laws are in play is before a cybersecurity incident occurs, not after. Something else to consider: Laws and regulations are not static. It is suggested that someone on the incident-response team be assigned the task of keeping tabs on any changes or new information.

Seek outside help, if necessary: Employees standing at the ready "just in case" is a very hard sell to management. Consultants—legal and otherwise—are not cheap, but may be less costly in the long run than full-time employees. An additional advantage of retaining third-party vendors is they should have more and a wider variety of experience with cybersecurity incidents. Some vendors to consider would be forensic investigators, crisis-communication experts, and PR consultants.

Look into getting cyberinsurance: Companies, in particular SMBs, run lean, and the cost of recovering from a cybersecurity incident might break the bank. One way to protect the business is through cyberinsurance. It is obviously a risk assessment, and one to be handled by company management.

Whether any of the above practices are put in place is a company's choice. The worst-case scenario is if something happens before management has a chance to decide what is best for the business.

How dire is it?

Saying that cybersecurity incidents are as inevitable as death and taxes might be a bit much; at least, let's hope so. That said, a strong reminder is a recent survey by the Ponemon Institute for IBM, which puts the cost of recovering from a data breach in the millions. That's enough money to give most business owners pause, and incentive to consider some of the above preemptive measures.