A Q&A with Ron Raether of Troutman Sanders
In the wake of the COVID-19 pandemic, the traditional workforce has largely transformed into a work-from-home workforce, raising novel cyber security issues for organizations—particularly given a wave of attacks capitalizing on newfound vulnerabilities. One way to prepare for the current reality is to update cyber incident response plans with provisions for a remote response. We talked with Ron Raether of Troutman Sanders about making these needed updates.
How should organizations reevaluate their incident response plans for global health crises like COVID-19?
First, remind employees how to report actual or suspected security incidents. Second, given the nature of a pandemic, creating backup teams is critical. If you normally have someone designated for legal response, another for business, and another for IT, and so on, you now need to have number two, three, and four backups given how rapidly COVID-19 infection can spread. Often, people work closely and may transmit the virus to one another. In an event such as the one we’re facing, we could see months of follow-up waves of the virus, so we need to look at this as an ongoing concern.
What does the cyber incident response team need to know?
As always, they should be familiar with their roles and responsibilities. It’s important to remind them, though, amid the crisis situation. Apprise them of the increased cyber risks that work-at-home introduces so they can be more attuned to and prepared for potential attacks. To that end, IT personnel should also prepare to ramp up certain cybersecurity tasks, such as audit log review and attack detection.
What other considerations are specific for an incident response team transitioning to work-at-home?
Whatever communications paths were in place for response plans need to now be updated. If everyone was supposed to get together in a room during a cyber event, then you need to have a tool to do so virtually. Ensure that contact information is updated for the virtual workplace, both to report an incident and to contact the cyber incident response team members who can no longer be reached at their office phone numbers. If you have a 1-800 number and/or dedicated email for reporting incidents, make sure someone is consistently monitoring these messages. That also includes communications with incident response vendors. Thankfully many vendor response functions, including forensics, can be performed remotely. Additionally, all of these modes of communication need to be secure, including home wi-fi networks and routers and other “personal” devices.
Are there some aspects of cyber incident response that can’t be performed remotely?
Yes, in some organizations and depending on the event, someone might need to be onsite to access boxes—for example, a system rebuild after a ransomware compromise. So, if there’s a stay at home order, or some people are in full quarantine or ill, you need to consider how those functions will be managed.
We would like to thank Mr. Raether for his timely comments and suggestions for adapting response plans amid this unraveling crisis. In talking to many IT, cybersecurity, legal and insurance industry experts over the past few weeks, I’ve found that very few were predicting the severity of the pandemic and few believed their organization was sufficiently prepared for it. This type of black swan systemic event is extremely hard to forecast until it lands on you. Equally hard to model is the ripple effect a viral outbreak can have on critical dependencies. Mr. Raether raises some great preparedness points, such as having backups to your backups for key staff just in case senior leaders fall ill. Hopefully, the one positive thing emerging from the COVID-19 crisis is that pandemics are no longer a theoretical risk and we will all be more prepared for a future event. Finally, Mr. Raether is always very generous with his time and expertise—we want to thank him and his law firm again.