By Kate Fazzini
How corporate security teams talk to each other and to executives during the early stages of a breach can sometimes make the situation worse.
Loose communication with potentially incendiary language can cause a small matter to escalate, executives and government officials said. Boeing Co. recently made headlines over a cybersecurity incident after an email was leaked to the Seattle Times. A chief engineer described the problem as requiring “all hands on deck,” and implied that ransomware was “metastasizing rapidly” within the company, according to the newspaper.
A Boeing spokesman later confirmed via Twitter a “limited intrusion of malware that affected a small number of systems.” Prior to the statement, Boeing was the subject of widespread media speculation about how dire the situation may have been.
Creating code names for incidents, speaking face-to-face or over encrypted text to avoid corporate networks, and abiding by pre-established trigger points for notifying company leaders about a cybersecurity problem can help maintain a cool, streamlined and confidential response when an incident first occurs, experts said.
Code names. In the first stages of a breach, “you want to keep information reasonably tightly held,” said Amit Yoran, chief executive of Tenable Inc., a cyberrisk management company, and the founding director of the U.S. Computer Emergency Response Team. Things can change quickly, and sometimes multiple incidents are detected at once, he said.
Using code names, security teams can differentiate between incidents, said Matthew Scholl, head of the Computer Security Division at the National Institute of Standards in Technology. Some examples of code names include places, people or colors — terms that allow teams to discuss incidents in email without alarming language such as “breach,” “hack” or “threat,” Mr. Scholl said. Code names also help companies avoid tipping off attackers who may still be on networks, he said.
Going offline to talk shop. Security teams should select channels of communication carefully, said Mr. Scholl.
In-person meetings are a good way to handle early stages of communicating about how to respond to an incident because teams can communicate this way off the corporate network, he said. Secure texting applications create discrete channels to share details of the incident without using corporate networks that may be compromised, said Mr. Yoran.
Trusted executive team. Companies must have a need-to-know list of people who will be contacted in the event of a breach, with defined thresholds for when and why to reach all of them, said John Brennan, former director of the Central Intelligence Agency and an advisory board member of cybersecurity companies SecureAuth Corp. and Core Security SDI Corp.
Triggers could include a cybersecurity incident that causes a potential regulatory violation or one in which an important corporate asset is breached, said Mr. Scholl. The core team should include professionals in internal communications and public relations, legal, risk and business lines, with specific triggers for when each should be notified, said Mr. Scholl.
“To not to have a hair-on-fire mentality immediately after a [breach], rehearse how you are going to handle it,” said Mr. Brennan. “You never know the full extent of what you are dealing with at first.”
This article originally appeared on Wall Street Journal on April 12th, 2018.