You think you’re prepared. You think you’ve done all you can to protect your organization from a cyber-threat storm. You have made cyber-security a part of your overall corporate risk strategy. You have prioritized and protected corporate assets. You have a diligent cyber-security team that monitors the networks and all that connects to them for anomalous activity from external sources and insider threats. You have planned ahead for incident response and business continuity. You even have a crisis management plan that you regularly adapt and exercise, complete with speed-dial contacts for incident response teams and law enforcement.

And then it happens. Your cyber-team informs you of an intrusion that has likely been active for weeks. And you realize you haven’t done enough.

It unfolds this way: The cyber-security team catches some troublesome network traffic. Perhaps it’s a large amount of traffic going to an unauthorized destination, or many connections sending small payloads to unexplained destinations. Either pattern could indicate that information was copied and sent to an unauthorized location. Establishing even this simple scenario can require sifting many network and computer logs for tens or hundreds of clues, often called “indicators of compromise,” or IOCs.

The cyber-team belongs on your front line of defense. To protect the business and its customers, new protocols are crucial to bring critical developing information from that team to management’s ear.

For financial institutions and any firm that holds sensitive customer data, a situation such as this raises several important questions:

At what point does the cyber-team report these IOCs to senior management?

Who on the team is responsible for explaining the threat, in non-technical language, to business-line executives?

Who will determine whether the event needs to be reported to other companies, regulators, law enforcement, or perhaps even the Department of Homeland Security’s United States Computer Emergency Readiness Team to warn others?

In today’s environment, a clear escalation protocol from operations to the executive suite to enable earlier awareness of potential problems is crucial. This should include the following components:

Predetermine the escalation chain. This presumably starts with a cyber-analyst team that would first note the anomalous event and relies upon a process to ensure that it is communicated up to a chief information security officer or chief risk officer for consideration of severity and further discussion among executives.

Identify what factors trigger communications, both internally within the company and externally to regulators or cyber-threat information-sharing entities.

Identify places in the escalation chain responsible for decisions and the decision criteria therein.

Create a formal process for documenting the entire escalation from operations to the termination of the communication.

Document and pre-choreograph the actions of both your cyber-operations team and management for the case in which management determines that the event is “material” or needs to be reported rapidly to a regulator. It can take from hours to weeks to determine the full scale of an event. In some cases this will mean an event is reported unnecessarily, but that shows goodwill and responsible action. The alternative gives the appearance of hiding an event, of failing to protect customers and other companies, and of failing to prevent stock sales during a material event.
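The scenario above (a bulk transfer to an unauthorized destination, or many small-payload connections to unexplained destinations) and the predetermined escalation chain can be combined in a simple triage script. The following is an added example written for this article, not code from the author or from any agency; the log format, allow-list, thresholds and tier names are all assumptions.

```python
from collections import defaultdict

# All names, thresholds and addresses below are assumptions for this added example.
ALLOWED_DESTINATIONS = {"203.0.113.10"}  # constructed list of sanctioned external hosts
BULK_BYTES = 50_000_000      # a single flow of >= 50 MB to an unlisted host
SMALL_PAYLOAD = 2_000        # "small payload" upper bound, in bytes
BEACON_CONNECTIONS = 20      # >= 20 small flows to one unlisted host

def parse_flow(line):
    """Parse 'timestamp src dst bytes'; return None for a malformed record."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return {"src": parts[1], "dst": parts[2], "bytes": int(parts[3])}

def find_indicators(lines):
    """Return one IOC per destination matching either exfiltration pattern."""
    by_dst = defaultdict(lambda: {"bulk": 0, "small": 0, "hosts": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dst"] in ALLOWED_DESTINATIONS:
            continue  # skip unparseable records and sanctioned destinations
        entry = by_dst[flow["dst"]]
        entry["hosts"].add(flow["src"])
        if flow["bytes"] >= BULK_BYTES:
            entry["bulk"] += 1
        elif flow["bytes"] <= SMALL_PAYLOAD:
            entry["small"] += 1
    indicators = []
    for dst, entry in by_dst.items():
        if entry["bulk"]:
            indicators.append({"dst": dst, "pattern": "bulk_transfer", "hosts": sorted(entry["hosts"])})
        if entry["small"] >= BEACON_CONNECTIONS:
            indicators.append({"dst": dst, "pattern": "many_small_connections", "hosts": sorted(entry["hosts"])})
    return indicators

def escalation_tier(indicators):
    """Predetermined chain: analyst review -> CISO/CRO -> executives."""
    if not indicators:
        return "analyst-review"
    if len(indicators) > 1 or any(len(i["hosts"]) > 1 for i in indicators):
        return "ciso-and-executives"  # several patterns or several internal hosts involved
    return "ciso"

# Constructed sample log: one allowed flow, one bulk transfer, 25 small beacons.
SAMPLE_LOG = ["2024-05-01T02:00:00 10.0.0.5 203.0.113.10 1200",
              "2024-05-01T02:01:00 10.0.0.7 198.51.100.9 60000000"]
SAMPLE_LOG += [f"2024-05-01T03:{i:02d}:00 10.0.0.9 198.51.100.44 900" for i in range(25)]
```

Running `escalation_tier(find_indicators(SAMPLE_LOG))` on the constructed log yields both patterns and the top tier; the thresholds are the decision criteria the article says each place in the chain must have written down in advance.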

Consider the typical scene described above in which your cyber-analysts are tracking a cluster of indicators that, taken together, may indicate an intrusion or a theft of information. Getting a firm grasp on what happened is a comprehensive process, including analyzing the logs, mapping where and when the intruders gained access and, of course, stopping the malicious network activity. This all takes place in operations.

But usually all of this happens before incidents are reported up the chain to company executives. That’s too late, as recent breaches have proven. Executives who don’t know about the potential breach could even sell company stock and be investigated by securities regulators after it becomes public.


Dr. Phyllis Schneck serves as the Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate (NPPD).