They’re also testing their plan more often, with 80 per cent of Australian organisations surveyed saying that they test their plan at least quarterly.
However, Thomas King, Head of Cyber Security Products at Telstra, says that there’s significant variance in the quality of these plans and specifically, the likelihood that they’ll be followed during an actual crisis.
“When I first saw the results, I was sceptical,” says King. “Three in four companies having a plan is great, I think the amendments to the privacy legislation have made companies feel like they need one. But from what I’ve seen in the market, I don’t think 76 per cent of companies have a plan that could be followed throughout a real incident.”
He attributes this to the difficulty many security stakeholders have securing the time and attention of time-poor executives, as well as the tendency for today’s businesses to change faster than their plan can be updated.
“Generally, the better the plan is, the more closely it will be followed. It's just natural for you to follow it because it's the easiest way to actually manage the incident. However, if a plan doesn't reflect the organisational culture and how the organisation operates in a crisis, of course, then it is far less likely to actually be used.”
Make it real
One of the most effective ways to engage people who don’t share security in their core remit is to contextualise the plan’s importance to protecting things they do care about.
“The most effective rehearsal for your incident response plan is a real incident,” says King. “If you don't have a real incident to test, then generally a simulation is the next best bet. That simulation can be anything from a tabletop activity, where you get an example scenario and maybe third-party facilitation, to actually run through that scenario.”
He suggests starting with the potential threats to the “crown jewels”, such as a critical compromise of personal data (healthcare records or financial transactions, for example) or an interruption to key operations, which could be anything from a ransomware outbreak to the compromise of industrial machinery.
“If you can make that real, with real examples for executives, that will generally get their buy in because they will understand that you are talking about something near and dear to them and something that really is of direct relevance to the success of the business.”
Thomas King, Head of Cyber Security Products, Telstra Enterprise
“If you talk about it in esoteric terms, and make it too technical, then you'll lose them. If you can make it real with real insights and reflect real business practices and priorities, you will get executive buy in and you will get their attention.”
By contextualising an incident response rehearsal in core business priorities, or even combining it with a simulation of a general emergency, you can also identify “perfect storms”, where external circumstances could complicate your security response, and devise ways to overcome them.
While this can be orchestrated by personnel within the company, it can be more effective to bring in external specialists to serve as a “red team”, exposing flaws in the plan that stem from assumptions shared within your organisation.
Include the supply chain
In 2018, it’s not enough for your incident response plan to incorporate just your organisation – the proliferation of mission critical data, such as HR or financial records, into cloud services increasingly means that vendors need to be included too.
“You do need to understand how those services are provided or how you will work with those service providers should you have an incident. How will you get information from them if they have a breach?”
King says this is particularly important in light of the short customer notification deadline that recent security legislation gives businesses.
“I think GDPR is the gold standard in this space with its three day reporting. Three days essentially means if you're a business that works 9 to 5, and an incident happens on a Friday night, you're going to have to be literally reporting within a few hours of you finding out about it on Monday,” he says.
“Across the industry, the time it takes from when the incident is first detected until we can talk to our customers needs to be shortened.”
Regularly testing the lines of communication your organisation would use in a crisis is a good first step, he says, towards ensuring they remain clear and responsive in the event of a real data breach.
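To make the Friday-night scenario King describes concrete, the following is an added example (not code from Telstra or from the article) that takes a detection timestamp, applies an assumed 72-hour reporting window, and counts how many Monday-to-Friday, 9-to-5 working hours are actually left before the deadline. The 72-hour window, the 9-to-5 business day and the sample detection time are assumptions made for the illustration, not figures taken from the page.

```python
from datetime import datetime, timedelta, time

# Assumptions for this example: a 72-hour window (the "three day" figure quoted
# above) and a Monday-to-Friday, 09:00-17:00 working day.
REPORTING_WINDOW = timedelta(hours=72)
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)


def notification_deadline(detected_at: datetime) -> datetime:
    """Wall-clock deadline: the window runs continuously from detection,
    weekends and nights included."""
    return detected_at + REPORTING_WINDOW


def business_hours_remaining(detected_at: datetime) -> timedelta:
    """Working hours (Mon-Fri, 09:00-17:00) between detection and the deadline.

    This is the time a 9-to-5 organisation really has to gather facts from
    vendors, draft the notification and get it approved.
    """
    deadline = notification_deadline(detected_at)
    remaining = timedelta()
    cursor = detected_at
    while cursor < deadline:
        if cursor.weekday() < 5:  # Monday=0 ... Friday=4
            day_start = datetime.combine(cursor.date(), BUSINESS_START)
            day_end = datetime.combine(cursor.date(), BUSINESS_END)
            start = max(cursor, day_start)
            end = min(deadline, day_end)
            if end > start:
                remaining += end - start
        # Advance to midnight at the start of the next calendar day.
        cursor = datetime.combine(cursor.date() + timedelta(days=1), time(0, 0))
    return remaining


if __name__ == "__main__":
    # Constructed sample: a breach detected at 22:00 on Friday 25 May 2018.
    detected = datetime(2018, 5, 25, 22, 0)
    print("deadline:", notification_deadline(detected))
    print("business hours available:", business_hours_remaining(detected))
```

For the Friday-night detection the deadline lands at 22:00 on Monday, and only the eight working hours of that Monday remain, which is why the article argues that vendor contact paths and internal escalation need to be exercised in advance rather than discovered during the incident.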