Right of Boom – Planning for Post Breach
11 October 2017 | 10:47 am
At this year’s (2017), International Information System Security Certification Consortium (ISC2) Security Congress, we heard a keynote from Juliette Kayyem. She is the former Assistant Secretary for Intergovernmental Affairs at the Department of Homeland Security under the Obama administration. She not only talked about the importance of being prepared in order to stop attacks, but also being prepared for what she called “Right of Boom.”
Right of Boom is what you do after an event (attack or mistake) has occurred, whether it be a bombing like the Boston Marathon, a mass casualty event caused by system malfunction like the BP oil spill, or a cyber incident. The event is the Boom and what comes next is Right of Boom (picture a timeline).
This article is focused on Right of Boom planning for cyber security and whether you are an executive responsible for security and/or IT or an executive outside of this area (CEO, COO, CFO, CMO, etc.) this matters to you because at the end of the day it could mean the survival of your business.
You can plan all day long to stop a cyber attack or incident through vulnerability and risk management, good secure coding practices, and security awareness training, but you can’t stop it all. There will always be an attacker one step ahead at some point in your journey, whether because they just have more resources and time than you do, or one of your employees simply makes a really big mistake.
Since you can’t stop it all, you must plan for Right of Boom, what you do after the attack, which will be the difference between staying in business and maintaining a good business reputation, or going out of business. Even if you don’t go out of business, the way you handle Right of Boom could be the difference between a few million dollars spent in recovery and notifications and a few billion dollars spent.
Planning for Right of Boom means that you don’t just focus on a defensive approach to stopping attacks, misuse, and errors, all of which can have a catastrophic effect. You also ensure that there is proactive planning, testing, and more planning on what you do after something goes wrong. It’s not a matter of if something goes wrong; it is a matter of when.
Too many organizations are notified of a breach by a third party and oftentimes months after the breach happened. That means months have gone by with an attacker in your network doing what they want, collecting the data, and using it for their own benefit. It’s never good news when you are told by a third party that you have been hacked and that you have been leaking company and customer data for months. And with the average cost per stolen record of $141 based on the 2017 IBM Cost of Data Breach Study, imagine how much that can cost your organization not to mention the loss of customers and reputational trust.
The cost of that cleanup is much less for an organization that can detect a breach in near real time especially if they know what to do upon identification of the incident, i.e. if they have a Right of Boom plan. It means less data loss (if any) and more time to properly clean up the incident, as in get the servers working again with the vulnerability fixed and bad guy out of the network with minimal disruption to the business.
The only way that proper Right of Boom planning and response is possible is if your organization takes it seriously. Do you have a security team that is empowered to create Right of Boom response scenarios and test them? Do you have a security team that has the resources to identify a suspicious event, whether it be malicious or accidental? Do you provide training for your IT and user community to understand their role in Right of Boom? Do you have third parties on retainer or whom you can call that are specifically trained to help you contain and investigate an incident?
These are just a few critical questions to ask your security team. If you have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) they should be part of the C-Suite discussion on Right of Boom. They should have the resources they need and be tasked with and empowered to help ensure a Boom does not put your organization at great risk… or even worse, out of business.
If you do not have a CISO or CSO it’s time to either hire one or find a virtual resource that can help you on an as-needed basis with strategy planning around topics like Right of Boom. If you have questions about this or about finding a resource email firstname.lastname@example.org to discuss your specific situation and needs because security is what I do and I want to see your organization prepared.