Ivan near peak intensity west of Jamaica on September 11, 2004. NASA image courtesy Jacques Descloitres, MODIS Land Rapid Response Team at NASA GSFC. Public domain, via Wikimedia Commons
It's 1 July and the official start to Hurricane Season. Most organizations will have been reviewing and hopefully testing their Business Continuity and Disaster Recovery (BCDR) procedures. Annual BCDR exercises are generally considered a sound practice for events that have a predictable timeframe and ample lead time.
But what about a cybersecurity incident/event? Can these not happen 24x7x365?
How often do you test your cybersecurity controls? Are your tools and policies actually effective? Are there any gaps?
How often do you test your technical incident response plan? Do all of your staff understand and can they fully execute your incident response playbook?
How often do you test your procedural incident response plan? In the event of a material breach, does your organization know who (regulators/customers) should be notified? Do you know how they should be notified? Do you have a statement prepared in advance?
Do you see the issue? The overall risk of a cybersecurity incident is substantially higher than that of a hurricane, and yet most organizations don't devote as much effort and resources to preparedness.
The following approach works well for most customers.
- Quarterly Security Validation - This focuses on your technology implementation (e.g. AV, IPS, EDR, policies) and consequently also tests your technical incident response plan.
- Annual Tabletop Exercise - This focuses more on your business-level efforts, i.e. management and the board of directors, and should also include members of your legal and communications teams.