How to respond to tabnabbing and other phishing scam tactics

Close those tabs!

One phishing technique preys on a habit common to many of us: leaving multiple tabs open in our web browser. The technique is called tabnabbing, and it is especially tricky because it doesn’t need you to click on a suspicious link at the moment of the attack. A page you opened earlier and left sitting in a background tab quietly rewrites itself (its title, its icon and its content) so that it looks like a legitimate site, typically a webmail or single-sign-on login page. When you switch back to it, you find a message saying that your session has expired and asking you to enter your credentials. Once you do, the attackers have your username and password, which they can then use to access your company’s network. The tell is the address bar: the rewritten tab is still sitting at the attacker’s web address, not your provider’s, so checking the URL before re-entering a password defeats the trick, and a password manager that only fills credentials on the real domain will refuse to fill the fake page. Multi-factor authentication limits what a stolen password alone is worth.

That, of course, is when the damage really begins. Among the risks are ransomware; Trojan horses; or theft of customer or employee data such as Social Security numbers, credit card numbers or protected health information.
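The article describes the classic form, in which a page you left open rewrites itself. There is a related variant, often called reverse tabnabbing, that a site owner can close off: a link opened in a new tab with target="_blank" but without rel="noopener" hands the new page a window.opener handle, and the new page can use it to navigate the original tab to a lookalike login page. The Node.js script below is an added example, not code from the original article or from its author; it audits a piece of HTML for such links and rewrites them with rel="noopener noreferrer". The sample HTML and the hostnames in it are constructed for the demo. Recent browser versions now treat target="_blank" as noopener by default, but older ones do not, and the explicit attribute costs nothing.

```javascript
// Added example (not part of the original article): audit HTML for the
// reverse-tabnabbing variant. A link with target="_blank" and no rel="noopener"
// gives the opened page a window.opener handle, and that page can run
//     window.opener.location = "https://lookalike.example/login";  // attacker-side, not executed here
// to swap the tab the reader left behind for a fake login page.
// The hostnames and sample HTML below are constructed for the demo.

const ANCHOR_RE = /<a\b[^>]*>/gi;

// Parse the attributes of one opening <a ...> tag into a lowercase-keyed map.
// Handles double-quoted, single-quoted and unquoted attribute values.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Unsafe = opens a new tab and keeps window.opener: neither "noopener" nor
// "noreferrer" (which implies noopener) is present in rel.
function isUnsafeBlank(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Return the href of every anchor that would leak window.opener to the target.
function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    const attrs = parseAttrs(tag);
    if (isUnsafeBlank(attrs)) findings.push(attrs.href || "(no href)");
  }
  return findings;
}

// Rewrite the HTML so every unsafe target="_blank" anchor carries
// rel="noopener noreferrer", merged into an existing rel attribute if present.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if (!isUnsafeBlank(attrs)) return tag;
    if ("rel" in attrs) {
      // Attribute names are preceded by whitespace, so "\srel=" will not match
      // a "rel=" that happens to appear inside an unquoted href value.
      return tag.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/i, (_m, v) => {
        const existing = v.replace(/^["']|["']$/g, "").trim();
        return ` rel="${existing ? existing + " " : ""}noopener noreferrer"`;
      });
    }
    return tag.replace(/>$/, ' rel="noopener noreferrer">');
  });
}

// Constructed sample page: two safe new-tab links, one plain link, and three
// links that would hand window.opener to whatever site they point at.
const SAMPLE_HTML = `
<p><a href="https://partner.example/login" target="_blank">Partner portal</a></p>
<p><a href="https://docs.example/guide" target="_blank" rel="noopener">Guide</a></p>
<p><a href="https://intranet.example/" target='_blank' rel="noreferrer">Intranet</a></p>
<p><a href="/about">About us</a></p>
<p><a target=_blank href="https://vendor.example/">Vendor</a></p>
<p><a href="https://blog.example/" target="_blank" rel="nofollow">Blog</a></p>
`;

console.log("links that leak window.opener:", findUnsafeBlankLinks(SAMPLE_HTML));
console.log(hardenBlankLinks(SAMPLE_HTML));
```

Run it with `node` and compare the two outputs: the audit lists the partner, vendor and blog links, and the hardened HTML reports no findings when fed back through the audit. The regex parser is adequate for a quick scan of templates or a static site; for a full DOM with scripts and comments, use a real HTML parser and apply the same two checks.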

Think your company won’t be a target? Sorry – that’s a myth we’ve already busted. No matter your company size, if you’re doing business in 2017, here are two irrefutable facts:

1) No network is totally secure – including yours.

2) As a responsible company, you must have a cyber incident response plan in place to demonstrate due diligence to your regulators and credibility to your customers.

A basic response plan is easy to prepare and it makes good business sense. Experian’s Data Breach Response Guide states that when you have a pre-breach plan in place and successfully execute it, the average cost of your response can be up to 25 percent lower than if you’d been unprepared. With the average recovery cost at $158 per record – and even more for the healthcare and financial sectors – that’s real money.

To create a basic cyber incident response plan:

1. Form a response team

At a minimum, include “deciders” and “doers” from your company’s social media, finance/accounting, IT, digital and communications teams and consultants. Include attorneys who specialize in cybersecurity, as well as an IT forensics consultant. Make sure you all know how to reach each other outside of normal work hours, and through a channel that does not depend on the corporate network: during an incident, company email and chat may be down, or may be readable by the attacker, so keep personal phone numbers on the contact list.

2. Conduct a SWOT analysis

Get your response team together to assess your company’s strengths, weaknesses, opportunities and threats with regard to cybersecurity. Then narrow the list to the weaknesses and threats with the greatest impact and the highest likelihood (a basic risk assessment), and work with your IT staff and consultants to reduce or eliminate them from your network.

3. Inventory your organization’s social media channels

You’re probably on Facebook, Twitter, LinkedIn, and perhaps others such as Instagram, Snapchat or Pinterest. Make sure everyone on your response team knows which channels you are on and can get into each one quickly. Provide that access through a shared password manager with multi-factor authentication turned on, rather than by circulating the passwords themselves; a list of social media logins passed around by email is exactly what a phisher hopes to find. Crises such as cyber incidents can go viral on social media in minutes, so both monitoring and responding in real time are crucial.

4. Compile a list of your audiences

Who are the people you would need to notify when a cyber incident strikes? Depending on your organization, this could include your customers, members, board of directors and regulators. Remember to include your employees as an audience, too. Done well, internal communications can help make a crisis situation such as a cyber incident go as smoothly as possible. Doing it poorly – or not at all – is guaranteed to make the situation worse.

5. Draft a standby statement

Keep it simple – create a basic statement that serves as a foundation so you can tailor it when an incident does occur. At that time, your response team will evaluate which audiences need to receive the statement and whether you should send it out proactively or only in response to inquiries.

6. Write it all down

Congratulations – you have an incident response plan! Send the file link to everyone on the response team and give each person a hard copy to keep somewhere safe. Hard copies sound old school, but when your network is down due to a cyber incident, that built-in redundancy can save precious time. Walk through the plan with the team at least once a year, and update it after every incident or change in team membership.


If you do this work, you will be ahead of 90 percent of the organizations who seek our counsel. More importantly, you will have done your due diligence to equip your organization to effectively handle the very real threat of a cyber incident.

And while you’re at it? Go close those tabs before they get nabbed!

Remi Gonzalez, APR, a senior vice president at Public Communications Inc., has guided multiple clients through crisis communications for cyber security incidents. She will be a featured speaker at the Cybersecurity Symposium in San Diego on June 5-6 by the Credit Union National Association and the National Association of State Credit Union Supervisors. She currently has five tabs open on her browser – but not for long!