While breaches are an inevitable part of doing business, you can limit the negative impact by developing a solid playbook that charts a course to recovery. Examine potential threats, work out how to handle discrete scenarios, and spell it all out for your employees. By compiling policies and work streams, assigning responsibilities, and setting expectations you can build real resilience.

Cool heads prevail in a crisis, and nothing curbs the spread of panic as well as a clearly delineated plan. But it’s not enough to craft a playbook, you also need to test it before it can serve as a critical piece of governance for your organization. Let’s take a closer look at the best way to go about developing a playbook.


Identify risks with everyone round the table

Start with a series of risk management flows to identify the top three risks for your organization. Evaluate the impact of various types of breach. Hold a workshop with the leadership team and ask them what would stop the business from functioning. Tease out the relevant issues and nuances. The leadership team probably won’t initially be in sync on which things represent the greatest or smallest risks.

Once you’ve identified the top three risks, educate the entire board so they're all on the same page. But remember that this needs to be a constantly assessed process. If your business changes in any way, for example, you suddenly start trading in another geographic region, you need to get back around the table and decide if the change in your business behavior impacts your top three risks.


Target the known unknowns

The most common things that we don't know about are devices, user accounts, and applications. They're the things that appear outside of IT provision. Focus on these three areas when you're assessing the groundwork for your cyber breach playbook.

The use of personal devices is commonplace, particularly now with the rise of remote working. Even when IT has not provided access to a cloud-based app, people can download it. We know that unsanctioned applications spread like wildfire through organizations. Failure to immediately close user accounts after people leave an organization is alarmingly common. Excessive access privileges and even admin rights for users that don’t require them can be downright dangerous.


Breach detection is vital

It may be an unpalatable truth, but for most organizations it’s safe to assume not only that data breaches will occur, but that they have already occurred, and simply haven't been found yet.

Start with the assumption that you may have viruses and malware planted on some of your systems. Do a full technology sweep to understand everything and be mindful of the fact that a breach may already have happened. You can spend a lot of time and effort on crafting an excellent response plan for a breach, but if you can’t detect that breach swiftly, then you’ll always be dealing with the worst-case scenario.

Consider a network monitoring system like Citrix Analytics. It looks for the early warning triggers that someone is trying to establish ransomware and stops it. You need software that can detect anomalous behavior and abnormal activity on your network. You need the ability to detect large volumes of data egress. If you can’t recognize risky activity in real time, then you'll always be playing catch-up.


Lay out roles and responsibilities

Managing messaging in the heat of a breach is extremely challenging, so it pays to work it out beforehand. You also need to prevent unauthorized messages. The last thing you want is a staff member posting that a breach has occurred on social media before you’ve assessed what has happened, because the damage of that perception will be immediate, and queries will flood in.

Page one of your playbook should define who does what. Unfortunately, in times of crisis, everybody wants to start getting involved in other people's business. A tightly managed and structured scheme is vital. You need prewritten communications messages to put on your website, circulate to your staff, and shared with customers, business partners and third-party suppliers. Having a predefined communication plan laying out who writes, authorizes, and delivers messaging, will project confidence, strength, and competence.


Craft clear workflows

When you think you’ve had a breach there’s an initial triage that must take place. First, you need to validate that it’s real -- mistakes and hoaxes are common. Once you’ve established that you indeed have a breach, you should mobilize the full incident response team. A cyber breach playbook explains best practices so you have a consistent way to approach things; it’s a repeatable framework with work streams that tell you what to do at each stage, and what to then wait for while you continue to investigate.

Having a clear plan ensures that nobody jumps the gun. Nobody has to ask what’s going on, because there will be regular statements from the incident response team to leadership and to the wider business. The playbook explains how often updates will come and from whom. This allows people to deal with the breach, instead of fielding calls. The playbook will guide you through response to recovery.


Prove that your playbook works

Before you can sleep soundly, certain assumptions need to be in place. Ensure that employees have read and understood the policies and instructions. Have they had the proper awareness training? Do they know how to report a breach? It’s also crucial to test your plans in a tabletop exercise with all the relevant people. By going over the scenarios, you can reveal weaknesses and reassess the risks, making sure that your playbook is as good as it can be. Think of your playbook as a living, breathing document and commit to keeping it relevant and fit for purpose.

Ultimately, it’s a matter of when, not if you will be breached. A carefully crafted playbook gives you the best chance of responding swiftly and dealing with a breach effectively.