If there was a cyber attack on your business, would you know what to do? No, not would your IT guy know what to do. Would you know what to do?
That’s a question that Deloitte, one of the world’s top security companies, asked at a recent “cyber-incident war gaming” session held in New York, as reported by PC World. For seven years, Deloitte has invited business executives to their war games to help improve readiness for a cyber attack.
This year, they tried something a bit different:
With massive corporate hacks fresh in the minds of the public, Deloitte’s war games sought to give their educational program a global feel. While it’s absolutely critical that your IT staff are able to respond immediately to a cyber attack, some of the most important parts of your response will happen away from your IT office.
It’s a Company-Wide Problem with Company-Wide Solutions
One of the biggest problems with the way most businesses respond to cyber attacks is they think of it as an IT problem. Deloitte decided that this year was the perfect opportunity to demonstrate just how wrong that philosophy is.
Taking their cue from the Sony, Target, Anthem and Home Depot hacks, Deloitte designed this year’s war games simulation around an entire company. A fictional retail chain called Your Living suffered a massive cyber attack. Purchase histories of two million customers had been posted for sale online. Sales were dropping, competitors were swooping in, and the media was issuing daily barrages of bad PR.
Not a good scene.
Yeah, it was pretty much like that.
War Games and the “Your Living” Hack
The seven participants were put into roles as Your Living executives, assigned with different tasks in cleaning up the mess from the attack. While they had to find out how the information was leaked and fix the problem, a host of secondary issues needed to be addressed as well.
The participants had to prepare a media response to the hack, as well as a plan for contacting all the affected customers. They had to create a plan for utilizing social media outreach, and had to prepare an entire training system for Your Living employees to communicate how seriously the company took the breach, and reassure the public that they were taking all necessary steps to remedy the problem.
On a different front, the participants had to deal with business partners, merchandise manufacturers and banks, in order to prevent litigation against Your Living. Steps to rewrite the company’s business projections and inventory to factor for the anticipated slump in sales needed to be taken. That required estimating how badly the hack had affected the company’s image.
Most importantly, they had to prepare a response to the board of directors and angry shareholders explaining the hack.
Yep, they own some stock. They’re pissed. And they’re just begging you to say “what” again.
You tired yet? One more element was added. Since these responses have to happen quickly, the participants were given incomplete information on which to base their decisions.
What is your law firm’s cyber attack response plan? Do you have one? Do you know who is in charge of handling a response? I’m not talking about your IT Manager (praying you have one), I’m talking about the designated person in your company who makes the decisions about contacting the authorities, deciding what information to keep, what clients to contact. The person who approves all of the crucial steps.
Are you prepared?
Do you know who that person is? Good. Now who do you turn to if that person is out of town?
You have to know all of these things. You have to be agile, able to respond to a cyber attack on all fronts. Not only do you have to find the damage and fix it, but you have to be equipped to handle everything that comes after.
The first part, your IT representatives will be able to help you. It’s unlikely they’re going to be able to deal with the latter.
In the end, nothing will make sure that you’re better equipped to handle the effects of a cyber attack than the right preparation. You need to have response plans in place, with detailed instructions for your employees to follow. Conduct trainings so that the first few steps can be done without even looking at the plan.
For more information on how to make sure your law firm is prepared in the event of a cyber attack, look for my Cyber Security Policy white paper being published by Clio in the near future!