teissTalk: How many cyber-attack playbooks do you actually need?

teissTalk host Jenny Redcliffe was joined by Benjamin Bachmann, VP Group Information Security, Stroer; Kai Hermsen, Managing Board Member and Secretary, Twinds Foundation.

 

Views on news

 

The Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the cyber-attack against Tata Power disclosed by the company on October 14.  The leak includes personally identifiable information (PII) like Aadhaar national identity card numbers, tax account numbers, salary information, addresses and phone numbers.

 

 

What should a playbook contain and who should own it?

 

The name playbook is a bit of a misnomer, as it suggests that it contains detailed information regarding procedures following a cyber-attack, while it’s impossible to have that level of detail if you don’t know what’s going to happen in advance. Rather than having a playbook, businesses should know who their incident response team is and practice crisis simulation with them. If you follow the defined format of a playbook, predictability and the lack of flexibility to deviate from the playbook might affect the incident response negatively.

 

The playbook’ role is to save bandwidth for incident response when an attack happens – it should be seen more as a checklist. There is a huge number of communication plans out there, which aren’t updated regularly, though. Putting up a poster with key information such as what makes a cyber incident, who should be called etc can be a good way of raising everybody’s awareness. Writing a playbook should be a cross-departmental collaborative work and its ownership should ideally be with the continuity or crisis management team, if there is one.

 

Another danger of the playbook being cyber security’s responsibility is that it becomes something that’s not invested in by the C-suite.

 

Rather than having several playbooks, it’s maybe better to have one that is evolving in line with advancements in cyber security. A playbook should be the part of a larger strategy whereby an organisation develops a clear understanding of its security risk profile including any key vulnerabilities or touch points that could be susceptible to an attack. 

 

The panel’s advice

 

Be prepared for cyber-attacks, but don’t go too granular with your playbook.

 

Playbooks shouldn’t be prescriptive but offer guidance on who to contact in different scenarios and when to escalate.