“Remember, you are your own 1st Responder.”
-Ricoh Danielson
“Time is money” is a phrase commonly used throughout the years to highlight the importance of wealth, specifically financial gain. From a cyber security perspective, however, the phrase can mean the complete opposite. During a cyber incident, “time is money” applies because a timely response is what keeps the company from losing money and, more importantly, customers. Decisions need to be made quickly and without hesitation, as there may not be enough time to call up a team of executives and attorneys to discuss in depth what needs to be done. That being said, when an incident does occur, it is crucial to have a HIT-T and a level threshold that allow you to evaluate the incident and determine how it will be handled. For example, a company may have a level threshold of 0 to 5, and when an incident occurs, the level determines how the company will respond. If an incident is considered a level 0, the company may determine it to be low risk (e.g. a suspicious email found), and the response does not have to be immediate. In fact, having a HIT-T that is on call for a cyber incident allows the team to evaluate the incident and determine its level threshold.
For the sake of time management and cost of value, having a HIT-T is crucial because a cyber incident, regardless of threshold, costs money. As stated previously, the level threshold determines the response, and some events may not qualify or quantify a need for one. By utilizing a HIT-T, facts are gathered and analyzed quickly and effectively without having to call attorneys and other stakeholders, who cost the company additional money. In situations where the level threshold is high and a full cyber response is required, a HIT-T will determine the following: 1) what was affected, 2) the impact, 3) data elements, and 4) who will be contacted (e.g. attorneys, executives, and vendors).
As we enter the new year, developing a HIT-T as a business defense should be of utmost importance for your company. Remember, develop a team of individuals who have the technical aptitude to make split-second decisions under pressure. Decisions should be made within a designated SLA to ensure there is minimal impact to the company. Have a team that specializes in different areas such as privacy, incident response, digital forensics, legal, threat intelligence, and vulnerability/patch management. Consider adding a spokesperson for your team and someone who will question the decisions to ensure they are in the best interest of the company and stakeholders. If you are employed by an enterprise business, a HIT-T can be created by cross-training and selecting a group of team members with the necessary technical skills and the ability to understand the importance of time, risk, and customers. For smaller businesses, such as medical providers, creating a HIT-T may be difficult, and having a designated IT vendor is not the same. If possible, define certain team members and an IT vendor as the key players who can be on call 24/7 in the event a cyber incident occurs. If a HIT-T cannot be created and all other avenues have been exhausted, consider hiring an incident response company that will respond as soon as an incident occurs, but it will cost you time, money, and people. Having no reaction is the worst reaction, and doing something is better than doing nothing.