Breach Response: Refining Tabletop ExercisesExperts Offer Lessons Learned from Breach Drills
While more organizations have breach response plans in place, many are not testing these plans - or are doing a subpar job of conducting tabletop exercises, security experts say (see: Breach Response: Building a Better Strategy).
"On average, less than 20 percent of the clients we work with that have a response plan actually conduct a tabletop exercise," says Michael Bruemmer, vice president of Experian Data Breach Resolution.
And many of those organizations are conducting tests that are coming up short. Tabletop exercises often don't include all appropriate individuals, security experts say. Plus, the exercises often don't address multiple scenarios that could affect an organization.
Testing breach response plans is an essential part of risk management, says Neal McCarthy, a security professional at a Fortune 100 retailer, who also assists organizations in developing their computer incident response plans. When a breach occurs, "you don't want to be starting from the ground up, when you could have had 80 percent of all the issues already figured out," he says. "[The plan] should be tested and updated on a regular basis. A plan's true value is measured by the relevance of the information and processes it provides at a time of crisis."
Ellen Giblin, an attorney at Ashcroft Law Firm specializing in breach response, says that when she reviews incident response documents with senior executives at organizations, they're often only vaguely familiar with the plans. "[That] means the plans haven't been run through," she says. "Gauging their reactions upon reviewing, if it's vaguely familiar - it's not a good sign."
Some companies procrastinate in testing their breach response plans because a tabletop exercise takes time and money, says Ronald Raether, a partner at the law firm Faruki Ireland and Cox PLL, where he specializes in technology-related issues, including data breach resolution. "To truly execute such a plan, you need to involve numerous departments," he says. "Departments find it hard to justify giving up a resource or two for several hours to a full day to go through an exercise that does not, on the surface, directly contribute to the bottom line."
Including Appropriate Stakeholders
Organizations need to include all appropriate stakeholders in the tabletop exercise, including the security and privacy teams, C-suite, board members, legal counsel and even account managers, experts say.
"The CEO may not be the incident response lead, but ultimately they are the company leader who will also be making decisions, be the face of the response to consumers and the media, and be held accountable in the aftermath," Bruemmer says. "If the leadership is not involved and supporting the response practice, the learnings and the improvements, the actual response does not go nearly as well when the real event occurs."
Lisa Sotto, an attorney at Hunton and Williams, says that while it may be difficult pulling senior executives away from their day jobs to take part in an exercise, "[the cost] pales in comparison to the myriad costs that would accompany a real breach."
But staff members who have direct contact with customers also need to be involved in tests, Raether says. If a front-line account executive, who didn't participate in a tabletop exercise, hears about a breach from a client, the executive may not know who to contact or what other steps to take, he points out.
Giblin notes that vendor management issues need to be tied into the tabletop exercise in order to run through how an organization handles an incident involving a third party.
Testing Multiple Scenarios
In conducting a test of a breach response plan, organizations need to ask "what if" questions for a variety of scenarios, Bruemmer says.
"They should run through several different types of situations and occurrences that could take place before, during and after a data breach," he says. "For example, what if the data breach is first exposed by the media before the forensics is completed? The company must decide how to respond and what to state to the public without having all of the information about the breach available."
Bruemmer says many organizations feel pressured to inform the public - especially the media - as soon as they discover a breach. "This, in turn, can induce panic among consumers and lead to poor decisions and crucial mistakes," he says. "Instead, the best practice is to finish the forensic investigation before announcing the breach."
McCarthy, of the Fortune 100 retailer, says using real-world examples and tying them into the tabletop exercise can help a company figure out how they'd respond to a similar incident. "When it previously hit the news, I'm sure the CIO and CISO were asked the question, 'Could it happen here? What would we do if it did?' Now is an opportunity to really look at the problem," he says.
Takeaways from Exercise
Upon completing a tabletop exercise, an organization will gain new insights, including how team members react to a stressful situation and work together, Bruemmer says. "It is critical that those learnings update the plan," he says. "Continuous improvement is a key to staying ahead of the changing cybersecurity environment."
Organizations should also maintain an element of surprise during the tabletop exercise to see how the breach response team manages an unpredictable scenario, Bruemmer says. Another important factor in improving the exercise is conducting a debriefing session to review and discuss the lessons from the session with all of the team members, he says.
Additionally, members participating in the exercise shouldn't get defensive, McCarthy says. "Have an open mind, take good notes and act on the concerns and suggestions raised during the exercise," he says. "This is not 'your' plan, it's not information security's plan and it's not IT's plan," suggesting instead that it's everyone's plan.