The 19th century German field marshal Helmuth Von Moltke is famous for having made remarks about the value of planning that continue to resonate today. "No plan of operations," Moltke said, "extends with certainty beyond the first encounter with the enemy's main strength." You may be more familiar with this notion in its more popular contemporary form: "No plan survives first contact with the enemy." Either way, in today's socio-economic environment, in which practically everything has been digitized (or soon will be), it's an idea we would do well to remember in the context of cyber security.
Why? Because shifting work paradigms—in particular, the accelerated move to remote work at organizations of all shapes and sizes brought about by the COVID-19 pandemic—have increased cyber risk across the board. Attacks are very much on the rise, a fact that has put cyber preparedness at the top of many organizations' priorities.
But if no plan survives, what's the point? Easy: the planning itself.
In terms of cyber security specifically, preparedness typically involves increased investment in detection and prevention technologies and solutions; awareness training for employees adjusting to new remote work habits; and adapting procedures to the 'new normal.' Practicing and training technical response capabilities and procedures, as well as the executive communications needed to navigate a cyber incident, are similarly critical.
Now, let's be clear: certain things can be planned for and practiced prior to a cyber incident. The reason I've invoked Moltke is that other aspects are far less predictable—and these are often the most crucial. Maybe they're unique to your organization, your sector or your geography and might therefore require an approach that cannot be fully anticipated. Whatever the case, the areas of incident response that can be planned constitute a framework the organization can follow to respond in a structured and focused manner. But the framework itself depends on a certain amount of agility and flexibility, so that the response can address not only the unique nature of the breach but also the attack vector and the organization's own technical and procedural response capabilities.
Some cornerstones an organization should consider implementing when preparing its cyber incident response plan include:
Regardless of how thorough your organization's response plan is, it will never guarantee total preparedness, as every incident is unique. And given that an organization is unlikely to be exposed to breaches constantly, its response team often lacks critical experience and expertise. Having an agile and flexible response plan and an experienced team on standby will help to mitigate any incident in a timely manner.
In this context, technical and executive (communication-focused) Tabletop Exercises are commonly used to prepare for the 'inevitable breach,' and I'll have more to say about them in my next post.