itSMF Bulletin September 2021 | Page 5

Even if organisation-wide awareness campaigns are occurring, non-IT/Security staff are usually getting on with their normal business without understanding the context and how their daily work might incorporate IS risk. Until an immediate trigger (e.g. a real-life cyber incident blocking their data, network or application access) occurs, they don’t even think about all the IT security related issues that could affect them. Often, information (including cyber) security related procedures only get written or refreshed for audit or other compliance related purposes. And if staff can avoid being involved, they usually will.

The problem actually starts much earlier than that. CISOs and IT Security staff tend to work in a solitary way, or mainly involve those in an organisation who already have a technical role. At best, they may try to have some dialogue with senior management to provide confidence that the risks are managed and ensure the top can go to sleep at night.

It is often challenging to get buy-in, time and attention for IS from middle management and the general workforce who are busy ‘doing their job’. And that’s where the ball stops rolling in many Cyber Incident Response Planning initiatives.

The result is that mountains of documentation may get produced (including detailed preventative and impact-reducing controls for a range of information security incidents such as ransomware, DDoS attacks, malware, phishing and social engineering), but these are often written very generically, e.g. using a standard template ‘downloaded off the Internet’.

More ‘fit for purpose’ style documentation is preferred, but this is often invested in just once and then easily gets out of date. If a real incident occurs, most staff are oblivious to the incident (or confused), thereby increasing the chance of worsening the impacts. They don’t know their role, what to look out for, what treatment options to activate and/or who has the authority to give them instructions. In a nutshell, they’re far from ready.

These problems stem from the following six mistakes...

1. Only the CISO, IT and/or IT Security staff are fully aware of the plan and these individuals become ‘single points of success’ without the broader workforce being ready at any time for an incident. Little or no integration exists with broader incident management and/or business continuity planning processes. Or worse, the entire plan has been written by an external party who hasn’t aligned it with your organisation’s processes, structure, priorities and culture.

2. In addition to over-dependency on a few internal Security-skilled individuals, there tends to be an over-reliance on (and over-confidence in) external Cyber Incident Response (CIR) providers. Will their contractual promises and Service Level Agreements (SLAs) survive a substantial influx of demand for their services if many of their clients are affected by the same incident, such as an industry-wide ransomware attack? Have you discussed with them how they might juggle their various clients’ needs for help and where you are on their priority list? Taking legal action to address their non-compliance and getting compensated weeks or months after the event won’t help you to maintain proper service levels and relationships with your own clients - and your reputation in the marketplace.

3. Complicated and jargon-filled procedures sent by IT (Security) staff to business divisions and expecting their staff to understand and adopt them without proper guidance. Staff within the divisions are often unclear about their role in the plan and the purpose of some of the treatment options (e.g. password change policies,