taraswaminatha
Contributor

Alternative communications planning and cybersecurity incident response

Opinion
Apr 09, 2018 | 6 mins
Data and Information Security, Disaster Recovery, IT Leadership

Cyberattacks can happen for a whole variety of reasons. No company is entirely safe. And these days, when digital communication is so vital to the basic operations of a company, incorporating a messaging strategy that takes into account business, legal and regulatory requirements should be a priority.


There seems to be no end in sight for ransomware and malware attacks after the spike in high-profile incidents last summer. These include the WannaCry ransomware strike in May 2017; PetWrap/NotPetya attacks in June; the identification of “BlackOasis” through an Adobe Flash vulnerability in October; the explosive revelations of the Equifax breach; wireless security protocols that need to be patched; the Meltdown and Spectre bugs in processor chips; and most recently the Cisco Adaptive Security Appliance vulnerability, among others.

Many companies are now rightfully revisiting their incident response (IR) protocols to prepare themselves for future attacks. More and more regulatory requirements dictate that organizations must have a written IR plan. While an IR plan is just one piece of a larger, more complex cybersecurity program, it is nevertheless a critical component and one that many regulators are closely scrutinizing. Apart from the legal, reputational and regulatory risk, ransomware attacks can disable entire global businesses for several days, making IR plans business critical.

One key but often-overlooked component of an IR plan is a backup communication method. If attackers completely disable a corporate email server or are even simply monitoring those emails, alternate forms of communication become crucial for managing the incident, attempting to keep the business functioning and minimizing the productivity lost as a result.

A few years ago, cybersecurity professionals might have been labeled as agitators or just plain paranoid for proposing the communications version of a storm shelter emergency kit. Even though this arguably goes above and beyond routine practices, it is prudent given recent system-wide ransomware attacks. These protocols, if properly executed, will also help bolster a company’s defense posture if facing civil legal actions and regulatory investigations following a ransomware attack.

Cyber emergency response kit: first steps

Implementing a robust plan for alternative communications has many benefits: (i) assembling a core team quickly at a moment’s notice – even if email is temporarily inaccessible; (ii) triaging to implement protocols to handle the intrusion; (iii) ensuring that senior leadership remains apprised of the situation; and (iv) complying with any sector-specific or EU General Data Protection Regulation (GDPR) mandatory notice obligations as soon as possible, not only for breach notification requirements under various new pieces of legislation but also to engage assistance from law enforcement. Another potential benefit is the ability to communicate with customers or clients in real time about the impact of the breach, being mindful of the balance of keeping customer contact information secure while intentionally storing it outside of the company’s systems.

There are many important steps to take well in advance of drafting the exact protocol. First, form an IR team. In the same way that any other emergency situation will have a designated team to guide others within the company, so should a cybersecurity response team be created. Second, an assessment should be undertaken to identify the most immediate needs the business will have after a cybersecurity attack, which will obviously vary from business to business and industry to industry (not to mention between breaches depending on their severity). Having an external party with an arm’s-length view of the potential threats and business risks could be beneficial. Third, more general response protocols should be in place and tested through mock exercises (sometimes referred to as “tabletop” exercises). Plans and mock exercises should include meeting locations where senior leadership and staff should meet in the case of a breach.

Once these steps have been taken, an ancillary alternative communications strategy should be created and shared with the small core IR team that has already been identified and trained. This, unlike the more general plans, should not be stored on the company’s network or computers that could not be reached if corporate systems are down. Attackers may have access to emails, intra-company messaging services, and control over computers or other devices, including smartphones, that employees access, so alternatives will need to be in place for each of these for the core response team.

Cost-efficient options

An alternative communications ‘emergency kit’ does not have to be sophisticated – in fact, the more user-friendly and basic, the better. Many relatively low-cost options exist for purchasing basic laptops or tablets. Attacks may also intercept corporate network traffic, so consider hotspots that are not on the regular ISP service accounts that are preloaded onto the backup laptops or tablets.

In addition, there are numerous free email accounts that offer two-factor authentication. This requires that a user input a second secret phrase or number in addition to his or her password. Frequently, free email services enable a user to have a code texted to a number, which the user would input after the password. The added security benefit is that the email account can only be accessed by someone who knows the password and also has the phone associated with the account. Generally, even if an attacker has stolen a user’s email password, he or she would still not be able to access the email account without access to the phone as well.

Email accounts created solely for this limited purpose should only be shared among the core team and the list distributed in hard copy or handwritten cards (or, better yet, pre-loaded onto the backup computers). Core IR team members and senior leadership should consider purchasing inexpensive non-smart phones with prepaid service or well-reputed phone-call apps with encrypted call options. The best option will depend on a company’s landline phone system and existing mobile phone devices. It will be important to seek advice from security experts to determine the best alternative communications plans and equipment.

Litigation and regulatory enforcement

Future litigation regarding data breaches is possible, especially if a company did not take necessary precautions. Counsel will advise a company on litigation hold requirements, but in general it is important not to destroy anything following a breach. Alternative communications would be subject to the same litigation hold requirements as regular company communication methods and can help a company to demonstrate that they had taken measures to counter any potential breach.

In addition, a company may be subject to many legal and regulatory requirements regarding breach notification. For many in the security community, one of the more concerning aspects of the GDPR, which has extra-territorial reach outside of the EU, is that notification to relevant regulators must normally take place within 72 hours of when the company (either the data controller or processor) becomes aware of the breach. While many who have worked on breach responses are rightly concerned by the ability to meet this sort of timeline, having alternative communication methods will at least allow for the possibility of doing so.

Taking these steps now will ensure that a company is well-prepared if the worst happens. In an age where attacks can happen for a whole variety of reasons, no company is entirely safe. In a digital age when digital communication is so vital to the basic operations of a company, incorporating an alternative communications strategy that takes into account business, legal and regulatory requirements should be a priority.

Tara Swaminatha is a partner at Squire Patton Boggs, focusing on cybersecurity, litigation and white collar investigations. Tara has acted as outside cybersecurity counsel on some of the most significant data breaches in recent years and has defended clients against federal, state and international regulatory actions and related litigation.

During her time in private practice, Tara has advised multinational companies on cybersecurity liability risk assessments, internal compliance measures and incident response protocols. In the instance of security or privacy incidents, Tara led an incident response effort and served as her client’s subject matter expert. Her extensive knowledge of how digital evidence may be used to prove facts in litigation in security incidents has enabled her to minimize her clients’ litigation exposure during incident responses, investigations and data breaches.

At the Department of Justice (DOJ), Tara directed technical forensic investigations for federal law enforcement agencies, assisted prosecutors and investigators across the country with computer crime-related cases, and prosecuted IP crimes to combat massive online piracy of entertainment software, motion pictures and business software. Adding to her legal dexterity, Tara’s clients benefit from her technical understanding of cybersecurity methods and issues, having been the Information Security Administrator for the International Finance Corporation (IFC), part of the World Bank Group, built networks and conducted application security risk assessments while working at a boutique security firm prior to becoming a lawyer. Tara helped implement the IFC’s first information security policy for 3,000 employees worldwide.

In addition, Tara commits to considerable pro bono and volunteering activities. She represents pro bono juvenile clients seeking asylum and represents the National Association for the Education of Young Children on data governance and other matters. An active member of her community, she is a board member for the Hearing & Speech Center at Children’s National Medical Center and helps mentor families with children with hearing loss.

Tara is a frequent speaker on and writes extensively on security, privacy and cybercrime issues, having written one of the first textbooks on wireless security privacy and contributed to the National Association of Corporate Directors' Handbook on Cyber-Risk Oversight (2017 edition). She serves as an Adjunct Professor at George Mason University Law School where she teaches Computer Crime Law. She was named a Cybersecurity Trailblazer in 2017 by the National Law Journal and one of the leading cybersecurity incident response professionals as part of the “Incident Response 30.” She was also recognized in The Legal 500 for Cyber Law, where she is “commended for her experience in high-profile data breach investigations” and “understands forensics and is able to digest technical reports in a meaningful and actionable way.”

The opinions expressed in this blog are those of Tara Swaminatha and do not necessarily represent those of Squire Patton Boggs or of IDG Communications, Inc., its parent, subsidiary or affiliated companies.