
Our 12-year-old son was invited to a friend’s bar mitzvah in Worcester.
That’s about an hour from where we live, so rather than going back and forth twice, Rachel and I decided to make it a date night – dinner, escape room, coffee.
Despite not escaping the escape room (the Marilyn Monroe mystery remains unsolved), we had a fantastic time. And, since we were going to be out that way, we offered to drive a few other boys home from the event.
On the way back, one of them said he was “feeling a little sick.” Then … suddenly … the back of our six-month-old car was bathed in vomit. Bleah.
First thing the next morning, I texted the high school kid who had detailed our car once before. Not available.
I asked some neighbors if they knew of anyone. Nothing.
Finally, after Googling “car detailing,” I found someone who came right over. Two hours later, the car was back to normal.
Thankfully, backseat vomit is not a common occurrence and the cost of this type of motor vehicle biohazard, while distasteful, is relatively low. There’s really no need for me to have a car detailing specialist on speed dial.
When it comes to serious technical incidents within your business, however, it’s a totally different story. Because while these incidents are also relatively uncommon, the cost of not fixing them quickly and completely is way higher than a funky car smell.

Who Is Your Technical Incident Remediator?
The range of potential technical incidents is broad – ransomware, malware, viruses, bad guys logged into your server to access, delete, or exploit your data in nefarious ways. The list goes on and on.
Whatever the specifics, when one of these occurs, you need a (for lack of a better term) technical incident remediator … someone who can expel the bad guys, contain the damage, and ensure that all security holes have been closed. The middle of an incident is not a terrific time to figure out who this company should be.
As for how to prepare appropriately, I think of this as having three “levels.”
Level 1: Understand Your Cyber Insurance
Most cyber insurance companies have a concept of “panel providers” – preapproved vendors whose involvement is fully reimbursable. Of course, you can hire anyone you like. But if that company is not on the list, like going “out of network” for medical treatment, your coverage will be much less and possibly even (gulp) zero.
In the middle of a crisis, you and your team will be running in a hundred different directions. Make certain these vendor details are part of your incident response plan and be sure your security team is well aware of which companies are preapproved.
Level 2: Pre-Select a Technical Incident Remediator Vendor
What? You want me to pick a vendor for something that might never happen?
That’s correct. Because while Level 1 will keep you from hiring the wrong firm (i.e. reduced reimbursement), it does nothing to speed up the process of hiring the right firm should an incident occur.
Crisis or not, the first time you speak with a potential remediator, you’ll still have to sign NDAs, meet with their sales team, validate their skills and their incident and tech stack specialties, and get them onboarded. Days could be lost at the most critical time.
There’s a good chance your insurance company knows which providers are strong and it’s possible some of your existing vendors – Security Operations Center (SOC), Managed Detection and Response (MDR), Managed Security Services Provider (MSSP), etc. – may be on the list.
Do the prework now, and make sure your team has a process for activating the relationship and that the process is included in your incident response plan.
Level 3: Formalize the Relationship
This final level involves signing an agreement with an incident remediator. Some vendors offer a “zero-dollar retainer” for this purpose, which means you can get everything set up without having to spend any money up front.
An established relationship will move things along even more quickly should an incident occur, as it removes the last-minute need to haggle over terms and conditions or expectations for responsiveness. You have your vendor and their contact information; you simply get in touch and ask for help.
Keep in mind, however, that with a zero-dollar option, you are subject to the luck of the draw regarding vendor availability and the quality of the response team assigned. Only with an ongoing, paid retainer can you really be sure that all your bases are covered (granted, this option may be cost-prohibitive for many smaller companies).

Start Now
You may never get to Level 3 and that’s okay. Each business needs to decide how much preparation and expense is appropriate given its risk tolerance and circumstances.
But the key word here is “decide.” By planning ahead rather than leaving things to chance, you can make a calm, well-reasoned, company-wide determination of what’s best for you – before the vomit hits the fan.