July 26, 2024
Mavenspire regularly helps organizations audit or assemble their Incident Response Plans (IRPs). IRPs are documents that predetermine policy and procedure around cyber security incidents. Like disaster recovery plans (DRPs) and business continuity plans (BCPs), the IRP is a document that assumes panic and chaos will prevail and provides the framework needed to get organized, assemble the team, and get to work. In fact, all of these plans (and others) are referenced and used in the IRP. For example, the IRP doesn’t restate the DRP; it just references it when it comes time to focus on the restoration of services.
Mavenspire recommends that all organizations have at least an IRP with the associated DR and data governance processes worked out. Once you have them, ensure you practice them. Drilling on what to do in emergencies is essential for all sorts of business-disrupting events and will minimize the time it takes to get back to work. Remember those school-based fire drills – same reason, even if at the time you thought they were just a clever escape from a pop quiz.
Given all of that – what do you do when the incident is friendly fire? That is – what if instead of a bad guy, the disruption is caused by a good guy? This could be a scenario where someone makes a mistake, or when someone unexpectedly finds a bug in software, or even when a vendor distributes a new update that turns out to have unexplained side effects. All of these scenarios happen all the time. It's just the scope and scale of the problem that changes. Too often, despite all the effort in drafting and practicing a plan, organizations won't recognize an incident when they experience one. Instead they turn to sending in helpdesk tickets and creating an avalanche of work for the IT support systems.
When was the last time this happened to your organization? Was it CrowdStrike? McAfee? The ERP? The payroll system (right before payroll needed to be run)? And what did you do – did you open a helpdesk ticket or reach for the IRP and look to see who needs to be notified?