In theory, responding to a data breach should be straightforward. Alert all affected, communicate next steps, and then make plans so that it doesn’t happen again. But it doesn’t always work out that way.

Apologies for picking on Yahoo and Target, but as an example, both companies failed at incident response. In September 2016, Yahoo said that data associated with 500 million user accounts was stolen two years earlier. In December, the company disclosed that another 1 billion accounts were hacked in 2013.

Yahoo was criticized by Congress for taking too long to report the breach. Then, as it’s been widely reported, CEO Marissa Mayer is in the hot seat, the company’s chief counsel resigned, Verizon’s $4.83 billion acquisition of Yahoo is delayed and the price lowered by $350 million.

Target was also a poster child for suffering a massive data breach and having a less-than-stellar response. When it comes to data breach response, open, honest/accurate and timely communication is key. But Target didn’t even break the news to its customers; cyber journalist Brian Krebs did.

“Yes, there have been several prominent and highly visible cyber attacks, but the threat is, and has always been, there,” says Jake Williams, Founder and President of Rendition Infosec.  “It’s not a matter of if there will be another attack, it’s just a matter of when.”

I recently spoke with Williams, who offers five tips to help get companies ready to respond when the next attack occurs. Because effective incident response is difficult, and most organizations fail when it comes time to perform.


1. Build a Playbook.

An incident response (IR) playbook includes step-by-step processes for everything you do in an incident response, broken down by task area. The IR playbook should include specific instructions for performing incident response in your environment with your tools. Consider two football coaches – one coaches a little league team and another coaches a professional team.  The most optimal plays for both teams are fundamentally different.  While the little league coach knows that a sports medicine specialist would ideally help a player with a muscle cramp, there is little benefit in putting this in the playbook if there is no such specialist available.  Your playbook should contain only information about the tools and skills you have available on your team.


2. Obtain System Baselines.

During an incident, system baselines are worth their weight in gold. They help incident responders understand what normal looks like so they can focus on only the new processes, drivers and registry keys on a system. We often analogize an incident to lighting up a dark basement for the first time. To a stranger, there may be many potentially scary sights when the lights come on, but to someone who knows this basement well, there is nothing to be afraid of.  More aptly, because they know what it is supposed to look like, they can focus only on the things that appear out of place.


3. Incorporate Non-Traditional Staff.

Some team member roles, such as “network forensics expert” are obvious inclusions on an incident response team.  However, some team roles are less obvious, to include legal counsel, PR and business unit leaders. PR and legal will need to be involved if the incident is made public, so engage them from the beginning. And business unit leadership is critical – after all, you are here to support the business (not the other way around).  Bring in business unit leadership early to understand how proposed incident response activities will impact their operations.


4. Use Tabletop Exercises Liberally.

Tabletop exercises are simulations where an exercise leader walks the IR team through scenarios using a series of injects. Some military types might know these better as war games or sand table exercises. The purpose of the tabletop exercise is to ensure that the staff are ready for situations that they may not have previously encountered. Unlike a traditional incident response, the staff will not actually perform all the actions of the incident response, but rather assign resources to handle issues and verbalize tasks. A well-trained IR staff can walk through one or two full incidents in a single day. Most IR teams should perform at least one tabletop exercise per quarter, and ideally once per month.


5. Learn to Speak Business.

Each business has its own language, and incident responders need to learn the language of the business. There is no doubt that the responder should know more about incident response than the business, but that is often not the perception when obscure technical jargon is used to “communicate.” IR should listen to how the business leaders communicate with one another and use the same language. People like people like themselves, so mimicking the language patterns, euphemisms, and vocabulary of the business leaders is a surefire route to success.

Are you ready?