We talk a lot about handling the initial car crash of a breach: what to do first, the comms that need to go out and the reporting to regulators. This all happens within the first few hours or days of a breach being discovered.
What about after that?
Last week I ran several cyber crisis exercises. The CMTs (Crisis Management Teams) for both companies were excellent at handling the initial fallout of the breach, containment and emergency comms. Where people so often struggle is what happens after that. Let’s say you’ve “weathered” the storm. You have control back and have ensured the attackers are no longer in your network.
That’s not where the work ends for the CMT.
In fact, the next stage is far more challenging. The CMT form the strategic team in a crisis.
After that initial response we have to consider questions such as:
How does the CMT prioritise which systems and services to bring back online first?
What dependencies are there, and how do you explain them to the CMT?
Are there certain clients that have to be prioritised over others?
It’s easy to say “bring everything back. We need it all”, but in what order? No company has infinite resources. One thing a crisis always highlights is that we need more money and more resourcing. Every decision we make will have a consequence for something else. If you don’t map this out in advance, you can end up in a sticky situation.
Priorities can be worked out ahead of an incident. So many difficult discussions and decisions can be predicted and planned for. This makes your decision-making faster and more accurate. Plan these things before you need them. Help your CMT practise the plans and be in a better position should the worst occur!