We're now going to look into the process of how we do proper communications and notifications when there is an actual incident. This is a really important part of it, so proper communication is key. You have to make decisions like: who are you going to communicate the information to? How much of the information should you disclose once you decide who needs to get what? And then, when should you disclose it? Because what we find time and time again as we've worked on over 100 incidents is that the timing of when you disclose is just about as important as everything else. If you're too early, you risk being premature and not being able to give enough information to answer the right questions, and it makes your team look a little incompetent. On the opposite side of that, if you wait too long, you can be looked at as being negligent: you should have reported this sooner, you should have let customers know sooner that their data may have been compromised, that type of thing. So it's really important, as you design your response procedures, that you consider the timing of when you release information and when you communicate it to different bodies within the organization, and, as we'll talk about a little further in here, communicating with the media and so on. You also have to consider what reporting guidelines there are related to your specific industry group or even your corporation. Now, some things that help shape the communication include legal requirements: what legal requirements are you under that dictate what you have to report and when you have to report it? Check with your local jurisdiction, because there are going to be legal requirements depending on where you are. For example, in Europe, different parts of Europe are very strict and very specific about this, and other parts are very relaxed about it.
In the US, we have some pretty strict reporting guidelines on when you have to report breaches, specifically when there's customer information involved. And again, that's very industry-group specific as well. There's also compliance. There's media and public disclosure, which we've got to talk a little bit about. And then there's also internal communications, because how you communicate internally with the organization about an incident is just as important as how you communicate outside, and you'll see why that is. Now, with the legalities, the regulations are different for some industry groups, and different countries have different requirements. Remember, one of the issues here is that privacy may be a concern when you're passing on information about these breaches, so you always want to consider that and have it as one of the deciding factors: what privacy factors are at play here? Now, with compliance, consider things like HIPAA, SOX, PCI, and others. Some of these mention things specifically related to reporting data breaches, and some of them don't really touch on that at all. But you need to be responsible for making sure you understand, first of all, which of these regulations or compliance regimes you're under. You will probably already know that, because you can base it off of your overall information security policy. Then look at what the literature says concerning your compliance requirements as they relate to how you respond to incidents. You will find that some of these laws and regulations are very, very generic in what they say and not really that prescriptive at all, and some are very, very specific. So figure out which ones are related to your organization and which you have to apply, and make sure that as you design your response program, you build it around, or at least consider, these things.
Now, when communicating with the media, this should be filtered through the legal team and the PR team. Any time you're communicating externally with anyone about a data breach or an incident, you should always refer to your legal team or your PR team. If you don't have one, refer to your corporate management: just say, hey, I'm going to refer all of these questions to upper management, the CEO or the CFO or whoever. You don't want to be caught, as an incident responder or a managing incident responder, relaying information to the media that maybe the corporation was not ready to release to the media. So you always want to refer those questions to PR and legal, and the best-case scenario is that you're sitting in a room with PR and legal if you're put in a situation where you have to disclose information. You may be drafted by your organization as the primary person to relay this information, and you want to make sure you have some protections in place as you go about doing that. Now, with internal communications, we still have to apply that same metric: who needs to know? Let's think about something. If there's an incident, is it necessary for everyone in your organization to know that there is an incident? And if so, are we going to try to let everyone know every time there's an incident? Because if we do that, depending on what size organization you are, it could create a constant state of chaos. So you first have to figure out who needs to know and when they need to know, and come up with a policy for that: what the communication procedure is inside the incident response notification and all of that. Do you want to use your standard, normal communications or not? You have to figure that out. Do you want to stand up separate communication paths for this? We'll talk about that in the next little bit here.
Things like dedicated Internet connections that are utilized just for that type of communication. Then we have to consider out-of-band file storage and digital communications among the team. And really what we're saying there is that you want to make sure you consider every possible scenario when it comes to how you communicate and what communications need to be passed along. Now, specifically, what is the out-of-band stuff? We're going to look at some very specific examples of that. With internal communications, do we need to continue to use internal messaging if that system is compromised? Let's think about that. If there's been a data breach or an incident where your network has been compromised, does the network include your mail servers and your messaging systems? Your phone systems, which are mostly voice over IP now? Are those systems compromised as well? Because if they are, and if they are part of the compromised network, do you really want to be managing or handling or communicating details about this incident over those compromised systems? You could be further compromising the organization by doing that: you're giving details of the breach or the incident over this compromised system, and it's just constantly being funneled right out to the outside world. Or, worst-case scenario, the attackers are sitting there watching you handle the incident, and they're moving and shifting their behavior based on how you're responding. So you put yourself in a lose-lose situation there. So maybe, and I'm not saying this is the case with every incident, but maybe it's not a good idea to use your same day-to-day email system and all the other stuff you use for normal communications to handle this incident. Now, what should you do then? Well, out-of-band communications is a common thing that organizations stand up for this.
You set up a separate email system, separate messaging, and a separate file system or file storage system. Think about using Google Cloud, Amazon AWS, or Microsoft Azure, having a full working corporation set up in there that you only utilize for managing certain types of incidents. So if the incident gets to where you think the entire organization is compromised, then you may want to bring up that AWS, Google, or Azure environment temporarily, just for messaging and for storing files and documents related to the data breach in that system. That way it puts you in a position where you're not necessarily compromised. Another thing to consider: if you think the entire network has been compromised, and maybe the laptops and devices you use to interact and communicate over that network have also been compromised, you should maybe consider having backup laptops, backup systems. We're not talking about going out and buying the most expensive ones, but a couple of $300 devices, the little ones that are really cheap, that you can just stand up and manage this incident and communicate over in case something happens where you can't trust your physical equipment. So those are some really important things to think about when it comes to how you do your communications in an incident. Make sure you consider that. Don't forget about encryption and all that stuff, but the main thing is you want to have a plan. All these things I'm talking about, setting up separate email, messaging, and all that, you want to do beforehand. In other words, you don't want to wait until the incident and then try to set this up. So think about that and consider it. We touched on out-of-band in the introduction when we talked about preparation; this is where we talk about it in detail.
Then there's also reporting. You want to make sure that in the process of handling this incident there are different kinds of reports. You're going to have some reporting that you do after the incident's been contained and it's over. You're going to have some reporting that you do on a day-to-day basis while the incident is ongoing. And then you're also probably going to have some intermediary cadence, like weekly reporting, that you're going to need to do to upper management, the people at the top of the organization who don't necessarily need day-to-day details but want pretty regular updates. Keep in mind, sometimes upper management will request daily updates; it usually depends on the severity of the incident and its impact, because they may want to monitor it more closely. But either way, you have to consider this reporting as maybe the most important part, because this is how you relay information about the incident to the parties that need to know it, and you have to be very careful as to how much detail you put in, and careful not to expose any credentials or anything like that in your reporting. All right, so keep that in mind as you deal with it. Hopefully this has been a useful skill session for you, and we look forward to seeing you in more on incident response.
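One practical way to enforce that last point, that a report draft must not carry credentials when it goes to management or outside the team: an added Python example, not part of this session's material, that masks credential-like values in a constructed daily-update draft and only declares it fit to distribute when a fresh pass finds nothing left to mask. The patterns, the sample report text and the hostnames in it are all constructed for illustration.

```python
import re

# Constructed, illustrative (label, pattern, replacement) triples for credential-like
# material that must not survive into a report sent to management or outside parties.
# The (?!\[REDACTED) lookaheads stop a second pass from re-counting masked values.
PATTERNS = [
    ("private key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED PRIVATE KEY]"),
    ("auth header", re.compile(
        r"(?i)\b(Authorization:\s*(?:Basic|Bearer))(\s+)(?!\[REDACTED\])\S+"),
     r"\1\2[REDACTED]"),
    ("url credential", re.compile(
        r"(?i)(\b[a-z][a-z0-9+.-]*://[^/\s:@]+:)(?!\[REDACTED\])[^@\s]+(@)"),
     r"\1[REDACTED]\2"),
    ("key/value secret", re.compile(
        r"(?i)([\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.-]*)"
        r"(\s*[:=]\s*)(?!\[REDACTED\])\S+"),
     r"\1\2[REDACTED]"),
]

def redact_report(text):
    """Mask credential-like values; return (redacted_text, {label: hits})."""
    counts = {}
    for label, pattern, replacement in PATTERNS:
        text, hits = pattern.subn(replacement, text)
        if hits:
            counts[label] = hits
    return text, counts

def release_gate(text):
    """True only when a fresh pass over the draft finds nothing left to mask."""
    return not redact_report(text)[1]

# Constructed sample of a daily update draft, not from any real incident.
SAMPLE_REPORT = """\
Daily IR update (constructed sample, day 3)
Host db-01 showed a new local account. Recovered config line: db_password=Hunter2!
Suspicious request carried header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.sample.token
Backup script referenced ftp://svc_backup:S3cr3t@files.example.internal/dump
Key material found on disk:
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKfakefakefake
-----END RSA PRIVATE KEY-----
Containment: host isolated, account disabled, credential rotation under way.
"""
if __name__ == "__main__":
    clean, hits = redact_report(SAMPLE_REPORT)
    print(clean)
    print("masked:", hits, "| safe to distribute:", release_gate(clean))
```

The narrative lines (what was found, what was contained) pass through untouched, so the report still tells management what they need to know without carrying the secrets themselves.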