Best Practices for Managing Cybersecurity Incidents

Plan, practice the plan, and prove the plan. In a recent Community Bankers Webinar Network webinar, John Moeller, Principal at CLA, asked “If we’re not prepared for the types of incidents that are going to happen, shouldn’t we spend time preparing for a breach so we can detect it that much quicker?” A great deal of time can pass before a network breach is detected, so when it occurs your bank needs to ensure it is ready to respond quickly.

Have a plan. Develop an incident response plan that includes the appropriate procedures and points of contact, and be sure to keep the plan up to date. Establish relationships with key incident responders such as your cybersecurity insurance, breach counsel and attorney(s), forensic providers, and public relations team.

Practice the plan. Like all emergency procedures, your plan in the case of a breach must be practiced. Your bank can practice by holding tabletop exercises — simulations where participants walk through the incident and response procedures. There are both technical and management tabletop exercises, which should be conducted annually. “Look at all aspects of the tabletop exercise. As you’re looking at tabletop exercises include your business processes, your data and information, tools and technology that you use, and include the organizational structure. The people, tools, processes, and data.” recommended Mark Shaffer, Cybersecurity Manager at CLA. Other tests to practice include spear-phishing tests and Red Team penetration testing.

Prove the plan. John stated “Proving the plan works in the areas where you feel you have the most risk.” Low visibility into IT infrastructure means a lack of forensic evidence to determine which system or data hackers accessed. Conduct trial forensic exercises to ensure proper data and visibility.

John and Mark’s webinar, Maximizing Cyber Security Soundness & Minimizing Incidents, also covers real-world cybersecurity threats, the evolving regulatory landscape, how to identify and monitor cybersecurity events, and mitigation strategies to manage ongoing risk.