1.       CYBERSECURITY IS A TEAM EFFORT

In many organizations, cybersecurity is still believed to be an IT issue only. This perception is simply wrong. When cyber incidents occur, they affect a wide range of departments within organizations and require their immediate responses. The departments listed below should have clear processes in place to respond to any potential cyberthreat. Their involvement before (prevention), during (response), and after (conclusions) a cyber incident is crucial to strengthen cybersecurity.

The Legal Department – when it comes to cybersecurity, it is always good to have an attorney by your side.

• The legal department role includes drafting internal policies, procedures, and contractual provisions regarding discovery, investigation, remediation and reporting of breaches. The goal here is to minimize any legal damage that could result from potential data breaches.
• It also includes investigating incidents to determine the scope of a breach, and analyzing requirements under applicable laws and regulations. 
• Cyber incidents may expose companies to lawsuits from customers whose personal details are compromised.  At the executive level, directors are also liable for breach of fiduciary duty and duty of care, which are both binding obligations.
• The cyberattack at Target in 2013, and resulting lawsuits, are striking examples of heavy legal consequences resulting from cyberattacks.  As a reminder: in November and December of 2013, Target Corporation suffered one of the largest cyber breaches to date. The breach resulted in personal and credit card information of approximately 110 million Target customers being compromised.  More than 140 lawsuits were filed following the breach (1)

Human Resources (HR) – what is the connection between HR and cybersecurity you might ask?

Well, the HR department:

• Works with the most sensitive personnel data. While this information is a goldmine for attackers, it is often left unprotected and vulnerable to attacks.
• Ensures that new employees have not brought any sensitive data or information with them from their previous places of employment – or conversely, ensures that former employees no longer have access to their online accounts as soon as they leave their positions.
• Plays a vital role in communicating risks and lessons learnt from previous cyber incidents.
• Helps the IT department develop and disseminate security procedure guidelines across the organization.

Communications/Media – The way a company responds to a cyber incident, along with its communications with those affected by the incident, can greatly affect its success in retaining customers.

• According to a recent survey(2) 29% of existing customers would discontinue relationships with the company after a data breach.
• The General Data Protection Regulation (GDPR), which will become applicable in the European Union in May 2018, reinforces the need for transparency and efficient communications.  In a GDPR-post world, companies will be legally obligated to disclose sensitive information regarding cyber incidents on their systems, within 72 hours. Therefore, IT and communications teams should have processes in place to ensure the quick response required by the GDPR.

C-level – It is a well-known fact that C-suite executives are responsible for mitigating business risks, while IT delivers the technological support that drives the business.

• In today’s hyper connected world, it is almost impossible to separate business from technology.
• The threat of cyberattacks is now just part of the day-to-day reality of doing business, therefore it is critical to include the C-suite in incident response and table-top exercises, so they fully understand their roles, as well as the potential cost of an attack.
• Having firsthand experience of an attack, even a simulated one, means the C-suite will gain awareness, which is vital to driving a top-down security-focused culture.

2.      CREATE A HUMAN FIREWALL

When it comes to cybersecurity, your employees are the first line of defense. It is everyone’s responsibility – from board members, to the secretary sitting at the front desk.  To create a cybersecurity culture in the organization, the following values should be emphasized : 

• Awareness – The focus will be on uninformed users who can do harm to your network by visiting websites infected with malware, responding to phishing e-mails, postponing software update and data back-up, storing their log-in information in unsecured locations, or even giving away sensitive information over the phone when exposed to social engineering. Employees must be aware of those various risks, and trained to respond accordingly.
• Readiness/Cybersecurity Drills – A fire drill is a practice of the emergency procedures to be used in case of fire. Why not practice the emergency procedures to be used in the case of a cyberattack? Make sure to practice cybersecurity drills with different scenarios and in a timely manner to identify problems, and have processes in place to respond efficiently in the future.
• Training – your employees should be trained to understand the concept of “cyber risk exposure”, and become familiar with the many ways attackers can exploit information they gather. This includes a wide range of risks, from reconnaissance efforts to targeted attacks. Training should not be theoretical, but rather use real life examples.

3.      HAVE A CYBER INCIDENT RESPONSE (IR) PLAN READY 

• When it comes to the incident response plan, the first step is to define what an incident is. By doing so, the process of deciding whether to act upon a threat or not will be much easier and will improve your IT team effectiveness.
• Assign roles – make sure the relevant employees are aware of their roles and responsibilities. Those roles should include:
  • an IT manager to monitor the evolving situation and update relevant teams accordingly;
  • a decision-maker to approve the response plan;
  • a coordinator to lead the communications between the different departments;
  • a technical writer to make sure everything is documented.
• Learn your lessons – Based on the above-mentioned documentation, decisions should be made, processes should be defined to effectively respond to cyber incidents.
• Involve different departments – A successful, well-drilled, IR plan requires excellent internal cooperation across the organization.
• Measure your success in handling the event by defining key performance indicators (both qualitative and quantitative) – For example: how much time should it take to identify the threat? What is the timeframe to report to affected customers?  
• Do not wait for the next cyber incident to pull out your IR document. Perform periodic cybersecurity drills to test your IR team, your processes and procedures, and update them accordingly. 

In conclusion, before investing in a cybersecurity product, remember two key tips:

Cybersecurity requires first and foremost a change in your company culture.
The aftermath of cyberattacks are always more expensive than preventing them.