Evaluate the potential impact of NOT planning crisis communications and incident response
LO4
• Analyze communications approaches and perceived failures in cases
of catastrophic business loss related to IT systems failure or attack
• P4 ESSAY – Identify and explain a case study that could be translated
as a weak organizational response to a major cyber-security
incident. Evaluate how the organization responded and provide
recommendations that would support a more cyber-resilient
approach over the next five years.
Why now is the right time to plan your incident response communication
• Planning crisis communication before a data breach happens can help restore your business’s reputation fast.
• Companies are now starting to focus not only on preventing
breaches but planning to limit their impact.
• This change of focus involves classic strategies, like buying extra
security solutions that detect attacks early, hiring new incident
responders and training an existing team to react more effectively.
• It also brings new faces to the activity most prone to falling through
the cracks: post-breach crisis communication.
APPLYING A REPUTATION REBUILD
• Consumers are now much more concerned about data privacy.
• In the US, 83 percent of consumers, and in Britain 44 percent, say they stop spending with companies for several months after a data breach. Many say they’ll never go back.
• The need to rebuild their reputation sees companies spending on average $161,000 US dollars on public relations after a breach.
What is good crisis communication
during cybersecurity incidents?
• Cybersecurity professionals agree that data breach response should happen across the business, not just in IT Security.
• Despite this, many companies struggle to respond fast enough, with enough information to quell the rumors.
• But preparing in advance for IT security incident crisis communication can quickly restore a good reputation when an incident happens.
• 1. Involve everyone in crisis management planning
• Companies should plan for how they’ll communicate about any
situation they might face.
• A cybersecurity incident should be one of these.
• Your crisis management plan should include people from all departments. That means IT Security, IT, legal, customer support and corporate communications for a start.
• 2. Educate non-IT employees on IT security basics
• Building a cyber-aware culture at work has benefits beyond incident response.
• As a minimum, all those who will be involved in responding to a cybersecurity incident need a basic understanding of IT security.
• 3. Have different plans for different types of incidents
• You’ll probably need separate plans for different kinds of issues.
• The reputation impact of an advanced persistent threat (APT) that lets cybercriminals spy on business activities differs from that of business-halting ransomware.
• Use the company’s threat model to identify the most likely
scenarios you’ll need crisis communication plans for.
• 4. Prepare alternative internal communication
• If hackers have compromised email, IP-telephony, direct messages
and phone or video calls, you’ll need secure channels to use to keep
employees updated and plan your response.

• In this situation, involved employees should use encrypted channels.
• Prepare non-technical staff in advance by explaining the need for
encrypted messaging, how to install it and how to use it.
• 5. When you disclose, be specific
• When they’re not given enough detail, people tend to speculate.
• When disclosing an incident, say exactly what happened, how it
affects customers and partners, and what you’re doing about it.
• Every task is urgent when responding to a security incident, but only
IT Security can give corporate communications the details that will
let them write an accurate and informative statement.
• IT Security should prioritize conveying this information, alongside
their most urgent post-breach tasks.
• The success of Kaspersky’s and others’ crisis communication in
response to major incidents shows that even when cybercriminals
succeed, good communication can still win the day. And like many
things in business, it’s all about the planning.
Why It Works
• Social engineering isn’t sophisticated. It doesn’t take a tremendous
amount of technical knowledge to be successful.
• Virtually every person has some aspect of their life online.
• Despite its abundance, lack of awareness means there’s no lack of
potential targets.
• When it comes to spear phishing, cyber criminals know how to manipulate: preying on human behavior and emotions, creating a sense of urgency, and personalizing the targeted exploit can fool even the most prepared individuals.
Prevention Eventually Fails
• You clicked the link. It happens, even to people who look at security all the time.
• That isn’t an excuse to throw vigilance out of the window, but it
does mean when it happens, you don’t need to beat yourself up.
• Acknowledge that your data is out there, it’s easy for bad guys to
get, and it’s time to reexamine your security program.
• When it comes to safeguarding your organization against social
engineering tactics, there are two parts to prevention:
Take the human decision-making out of the process
• Digital certificates verify a sender’s identity, assuring you, the
recipient, that they are who they claim to be.
• When you receive a text or email, stop and ask yourself “Is this
information I’ve put online?” Don’t be afraid to call and confirm the
communication you received is legit.
Implement a strong security awareness training program
• Don’t just check off the compliance box – make it specific and real
based on the tactics cyber threat actors are using (criminals,
hacktivists, and nation-state actors).
• Test your employees with targeted spear phishing emails – not to embarrass anyone but to demonstrate how easy it is to find personal information and as a reminder that no one is immune from these schemes.
• The risk to businesses increases as personal and professional online activities blend more closely together.
• But you can implement security procedures that increase the
awareness among your employees and reduce the opportunities for
human error.
• You can (and should) develop a comprehensive incident response
plan that prepares your organization for a breach.
• And you can survive social engineering attacks when your security
program implements prevention methods but plans for if and when
prevention isn’t enough.
How can you spot incidents faster?
• To promptly detect threats, organizations need to have deep
awareness into where their data resides, how sensitive that data is
and who has access to it.
• They also need to be able to quickly spot and investigate suspicious
activity, so they can take action to mitigate threats.
Understand which data requires attention.
• You need to know exactly which data is more valuable and is
therefore a more likely target of threat actors.
• Data classification will help you understand which information is
sensitive and where it is located so that you can take appropriate
steps to protect it.
• Ideally, an automated solution will regularly check whether all critical data resides only in secure locations and take steps to remediate any overexposure before the data can be exfiltrated or encrypted.
Closely monitor user activity around data.

• The longer hackers can lurk undiscovered in your IT environment, the more time they have to creep around, identify your most critical files and steal them.
• A user behavior analysis and monitoring tool is critical to quickly
spotting both overt and subtle indicators of attacks, such as activity
outside of business hours, unusual data access patterns and failed
logon attempts.
• A solution that can proactively alert you about abnormal spikes in
user activity will enable you to respond to threats even faster.
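The three indicators named above (after-hours activity, unusual access to classified data, and failed-logon bursts), shown as minimal detection logic over constructed log lines. This is an added example, not material from the slides; the key=value log format, the business-hours window, the sensitive-path prefixes and the per-user baseline are all assumptions.

```python
# Added example (not from the slides): minimal detection logic for the three
# indicators named above - after-hours activity, unusual access to sensitive
# data, and failed-logon bursts - run over constructed, key=value log lines.
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = range(8, 18)               # 08:00-17:59 UTC counts as normal (assumed)
SENSITIVE_PREFIXES = ("/finance/", "/hr/")  # output of the data-classification step (assumed)
FAILED_LOGON_THRESHOLD = 3                  # failures per user before alerting (assumed)

# Constructed sample log, not real data. In practice the baseline of who
# normally touches which sensitive folders comes from historical logs.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=read file=/finance/q1.xlsx
2024-03-04T02:13:55Z user=bob action=login result=FAIL src=10.0.0.5
2024-03-04T02:14:02Z user=bob action=login result=FAIL src=10.0.0.5
2024-03-04T02:14:20Z user=bob action=login result=FAIL src=10.0.0.5
2024-03-04T02:15:00Z user=bob action=login result=OK src=10.0.0.5
2024-03-04T02:16:40Z user=bob action=read file=/hr/salaries.csv
2024-03-04T10:30:00Z user=carol action=read file=/public/handbook.pdf
"""
BASELINE = {"alice": {"/finance/"}}  # bob and carol never touch sensitive data

def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(log_text, baseline=BASELINE):
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        user = ev["user"]
        if ev["ts"].hour not in BUSINESS_HOURS:          # activity outside business hours
            alerts.append(("after_hours", user, ev["action"]))
        if ev["action"] == "login" and ev.get("result") == "FAIL":
            failures[user] += 1                          # alert once, when the threshold is hit
            if failures[user] == FAILED_LOGON_THRESHOLD:
                alerts.append(("failed_logon_burst", user, str(failures[user])))
        if ev["action"] == "read":                       # access to sensitive data outside baseline
            prefix = next((p for p in SENSITIVE_PREFIXES if ev["file"].startswith(p)), None)
            if prefix and prefix not in baseline.get(user, set()):
                alerts.append(("unusual_sensitive_access", user, ev["file"]))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(rule, user, detail)
```

Running it flags only bob: three after-hours failed logons, then an after-hours read of an HR file he has never accessed before, which is exactly the chain the bullets above describe.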
Have an actionable incident response plan.

• Finally, it is essential to have a detailed incident response plan and regularly test it to make sure it works as intended.
• Ideally, this plan will include procedures for handling and reporting
incidents, as well as guidelines for communicating with outside
parties.
• Having a solid plan will help you take action more quickly in the
event of a security incident so you can minimize the damage you
suffer.
• If you want to revise your existing plan or create a new one, use best-practice standards like NIST SP 800-61 Rev. 2 and ISO/IEC 27035 as a starting point.
• No matter how much the economic situation changes, prompt
detection and response to cyber threats must remain a core priority
for your organization.
• The ability to spot and address incidents in their early stages will
help you avoid data breaches and their unpleasant consequences,
including business downtime, lost revenue, costly security
investigations and fines from regulatory bodies.
• As a result, you can save your budget for mission-critical tasks that
will bring your organization value in the long run.
6 WAYS POOR CYBERSECURITY HURTS BUSINESSES
It May Compromise Your Inventory Management
• Proper cybersecurity is a must for excellent inventory management. For example, use inventory management software based on a barcode system.
• It strengthens security and reduces the likelihood of errors that
could result from a manual system.
• That means it’s essential to take a holistic view of cybersecurity and
see its relation to your inventory.
It could reduce your resources for growth
• A cybersecurity issue could cost your business hundreds of thousands of dollars or more, depending on its severity and the process you have to go through to recover.
• For example, ransomware is growing in popularity among
cybercriminals, who lock down access to your files unless you pay a
defined ransom.
• Then, even if you decide to pay the ransom, there’s no guarantee of
getting the data restored.
• Try to adopt a “not if but when” mindset regarding your cybersecurity.
• You cannot merely assume that hackers won’t target your company.
Put preventative measures in place so they won’t be successful.
It Could Shutter Your Business
• A cybersecurity incident could leave you unable to access customer data
or take care of other essential parts of operations.
• Certain hospitals, after being attacked, have had to send patients
elsewhere or delay non-urgent treatments.
• Cybersecurity problems can be so damaging that they force companies
out of business.
• If you are a small business without a large staff, dealing with the
aftermath of a data breach could become so time-intensive that it’s not
possible to remain open as usual during the recovery period.
• A short-term closure that impacts your profits could become necessary.
• Having a crisis response plan in place is one of the best ways to limit the
likelihood of having to close down after a hack. Then, you’ll be able to
move into action instead of being overwhelmed.
It Could Put Your Organization at Risk for
Regulatory Fines
• There is a growing list of companies that have either been fined under the
General Data Protection Regulation (GDPR) or are being investigated for
possible penalties.
• The fines vary depending on the extent of the infraction, and some have been
the equivalent of hundreds of thousands of dollars.
• If your company interacts with customers within a country operating under
the GDPR and you don’t have proper cybersecurity measures in place, you
could be fined by the respective privacy regulator after a data breach happens.
• Also, even if you don’t do business in a country that’s bound by the GDPR,
keep in mind that other privacy regulations are coming down the pipeline
soon.
• One of them is the California Consumer Privacy Act (CCPA), which goes into
effect in 2020.
• It’s ideal to remain educated about what your company needs to do
to stay in compliance with any existing or upcoming privacy
regulations.
• Keeping your knowledge current should cut down on the chances of
a fine.
• Also, research to see whether there are special privacy precautions
for your industry.
• For example, the banking industry has specific rules (PCI) for
handling data, and the same is true for companies that process
payments.
Insufficient Cybersecurity Is a Costly Problem
• Modern hackers are incredibly skilled at orchestrating large-scale hacks and finding their next victims.
• Companies with numerous vulnerabilities and little to no protection
in place are among their favorite targets.
8 Most Common Cybersecurity Weaknesses to Watch for in Small
Businesses
• Lack of a high-level strategy. Many businesses, especially new and
small ones, simply lack a high-level strategy for their cybersecurity
needs.
• They don’t have any security infrastructure in place, either because
they don’t take the topic seriously or because they deem it a
comparatively low priority.
• However, this high-level strategy that sets the course for your main
security priorities and your general approach to preventing and
mitigating attacks is vital for success.
• Unsecured networks. If the network isn’t secured, it’s trivially easy
for nefarious parties to gain access to your system.
• And once they’ve infiltrated the network, they can gain access to
practically all devices and systems connected to that network.
• This is a simple step to take, but it’s one that many business owners
still neglect. It’s also a great opportunity to demonstrate your
expertise.
• Unsecured communication channels.
• If the business is regularly exchanging sensitive data, it’s also
important to incorporate secure communication channels.
• For example, you might invest in an encrypted, secure email
platform that you use to communicate directly with clients.
• Or you might establish protocols for using multifactor
authentication when sending certain types of messages.
• Unknown bugs. Sometimes, a bug or flaw in a given app can be
responsible for giving cybercriminals an easy backdoor to your
accounts.
• This could be an aspect of software you’re using from a third party,
or it could be a flaw in the API that connects two different apps
together.
• It’s impossible to prevent or detect all bugs, but you can improve
your security by proactively scanning for bugs when possible, and
examining your vendors carefully before choosing them for your
applications.
• Outdated systems.
• Fortunately, most software developers and hardware manufacturers
are constantly on the lookout for security threats that could hurt
their users.
• When they find a problem, they issue a patch to eliminate that
problem—but to make use of this patch, you have to update your
hardware or software.
• If the business is using outdated systems because it isn’t updating
regularly, the business could be at risk.
• Untrained employees.
• Close to 90 percent of data breaches are caused by human error.
• Instead of some ultra-skilled hacker brute-forcing his way into your
system, an employee volunteers his password after getting duped,
providing an opportunist an easy way to gain access to the
business’s data.
• That’s why untrained employees are one of your biggest
vulnerabilities.
• It’s vital to train employees on best practices in cybersecurity, like
teaching them to use strong passwords, helping them identify
different types of attacks, and giving them instructions on how and
when to use networks that aren’t theirs.
• It’s also important to retrain employees regularly, and make sure
they’ve retained this information. All it takes is one slip from one
person to jeopardize the health of the entire company.