American Institute of Aeronautics and Astronautics

    Incident Response

    Responding When a Cyber Incident Eventually Happens

    Despite information sharing, defensive technologies, and employee training, some cybersecurity incidents still happen. Given enough time and resources, an insider or external hacker will find a vulnerability and exploit it. When that happens, every organization must be prepared to respond. This requires not only the information security team identifying what happened, repairing any damage caused, and preventing it from happening again in the future, but also the careful coordination of many other business units. This feature will consider what that whole-of-enterprise response should look like and what you as an employee can do to aid in the quick and efficient response of the organization.

    Coordination and Accurate Information ARE Key

    When a compromise is first disclosed, there is typically an immediate rush to say something, anything, that will alleviate negative headlines or reassure employees, clients, customers, regulators, and investors. First, the organization needs to ensure it has a clear understanding of the facts of what has happened, what is and isn’t known, and a timeline for acquiring and releasing information. To do this well, it must get the right people together to coordinate and manage the crisis.

    Internally, the organization should know who is in charge of the overall incident response. This may be the chief executive officer, chief operating officer, or other high-level executive. This person is responsible for convening the heads of human resources, general counsel, information security, communications, investor relations, and any affected business units to ensure that everyone has the same information and is coordinating. While some of these groups are naturally disposed to focus on consequences for their own constituencies, it is crucial that everyone is heard and everyone’s equities are understood. For example, regulatory requirements may put deadlines on when and how customers or regulators themselves must be notified, regardless of whether the forensic investigation is completed or not. Further, not every external party should receive the same information. Investors will have different needs than customers, but may read the same public statements. Therefore, information should be consistent, but tailored for the appropriate audience by those who know that audience best.

    The best time to coordinate these concerns is long before an incident takes place. Keeping lists of contractual obligations, regulatory obligations, and key contacts at major customers and vendors reduces the risk that well-intentioned but incorrect or inappropriate information is shared. Cyber incidents will impact different parts of the business disproportionately, and understanding the likely consequences in advance can help balance these interests.

    In some of the most well-known breaches, well-intentioned companies put out incorrect information because they did not have all the facts. Target, after its major credit card breach, revised the number of impacted customers repeatedly, harming its reputation and ultimately contributing to the resignation of both the chief executive officer and the chief information officer.

    Don’t Forget about Employees

    One group frequently overlooked in incident response is the employees. It can be scary when your organization ends up on the front page of the newspaper, particularly when something has gone wrong and information that has not yet been identified has been stolen. This may include intellectual property, personal information, and years of work product.

    For executives, providing information and guidance to employees about the incident and ongoing activities is crucial. A forum to ask questions may provide important insights into their concerns and those of the public and an opportunity to get perspectives on consequences and impacts from around the organization.

    For employees, it is important not to aid the flow of misinformation and rumor inside or outside the organization. Reporters may call employees seeking information about responses, messages, historical details, or anything that may help them confirm a fact in their story. For example, when Home Depot was hacked, stories emerged from former IT security employees that budget requests had repeatedly been turned down before the breach happened.

    For insider attacks, there may also be unusual internal activities, such as reviewing personnel files and emails and conducting interviews, to try to identify anomalous behavior. At these times, it is important to ask relevant questions but not to make the incident response more complicated or cumbersome by sharing inaccurate or private corporate information.

    Practice, Practice, Practice

    The best way to prepare for the uncertainty and challenges associated with incident response is to practice. Information security teams frequently run drills to practice the skills associated with identifying, diagnosing, and fixing various cyber incidents. At the executive level, interdepartmental exercises are also valuable but far too rare. These drills can assess preparedness, identify further areas in need of discussion, and bring together disparate parts of the organization to prepare for a cyber incident.

    These exercises should also include business units, sales, and other components of the organization that may have unique skills to offer in the event of a crisis. For example, sales teams frequently have the best relationships with customers and know the appropriate point of contact and their concerns in the event their business is affected. Additionally, business units may have keen insights into how particular cyber incidents will affect their existing and future business. Bringing these voices to the table in advance of a crisis will improve the response during a real one.

    Ultimately, incidents will happen to every organization. How an organization detects and responds to the incident will affect the experience of employees and customers as well as the severity of the consequences for the organization.