On this episode of CyberSound, Jason, Steve, and Matt are joined by Linn Freedman, Chair of the Data Privacy and Cybersecurity Team at Robinson+Cole.

Jason Pufahl 02:21
So you mentioned having an incident response plan, I think you have maybe twice when you drove this, have you done a tabletop for somebody who doesn’t have an incident response plan? Or do you feel it’s a real precursor before you even consider going down that path?
Linn Freedman 02:35
So I think that if a company is thinking about a tabletop exercise, they’re a little more advanced and usually they have an incident response plan. What I will say is that I believe it’s very important for you to have an incident response plan to follow during the tabletop, because you’re really testing your response. And it’s much more organized and effective if you have a plan in place. So I would say yes, you really do need to have a plan. And then, once you have your plan, test it through a tabletop exercise.
Steve Maresca 03:18
So what are the overall preparatory steps besides incident response plan in terms of setting up a tabletop organizationally?
Linn Freedman 03:25
So the incident response plan is obviously key, and understanding and designating your incident response team: who is going to be on that team that will go through that incident and follow that incident response plan, so that you know who the stakeholders are. People understand their roles in the process. These are all ways that you can prepare for a tabletop exercise. The best thing is when companies try to, you know, get me to tell them what the tabletop scenario is ahead of time, and I go, nope, you’re not getting that, because that’s the whole point. It’s going to be a surprise. So because a real incident is a surprise, you can’t really prepare for it. You can prepare by having your plan and your team members in place to respond. And you go through different scenarios, very different scenarios that are real-life scenarios, so that they can see how these things can happen, how easily it happens, and then how they respond to them.
Matt Fusaro 04:38
How long do they typically run? Should they be prepared for a few hours a whole day, multiple days?
Unknown Speaker 04:45
I think to start, it’s really a phased approach. The first one should be shorter so that you can really talk about the plan, talk about the team, talk about responsibilities, and then maybe go through one scenario. So I would say a couple of hours. The next one, I think, you don’t have all that preparatory work, so you can go to two or three scenarios. So usually I will start with a couple of hours, and then we can go to a three-hour session. If you really want to do a deep dive, with getting forensics in and doing an actual exercise, that’s longer. That would be a full day. But to start, I think, to get the flavor of what a tabletop is, a couple of hours is a good way to start.
Jason Pufahl 05:41
We’ve had a couple of discussions where I think we tend to work often in the IT space, right, CIOs and IT folks. We’ve definitely had requests from people saying we only want the IT people involved. And I think your counsel has generally been: you want legal, you want HR, you want representation across the organization. Do you ever do any of that? Are there any isolated just to IT staff? Or do you think that’s too limiting?
Linn Freedman 06:09
Well, I think it depends on the goal of the organization. I think any tabletop you do is better than no tabletop, that’s for sure. So, you know, I’ve been in situations where they want it to be much more technical, and they start with the IT staff and then bring in others. I think ultimately, you really, first of all, want to have all your tabletop exercises under the cloak of attorney-client privilege and work product. So it’s important that you have legal involved, because you want to make sure that it’s protected, because you’re talking about your vulnerabilities. And then secondly, I think, really, in a true incident there are so many moving parts that you need a lot of people involved. And companies don’t always understand how important different parts of the organization are to incident response. Communication is key. If your website is down, or your customers can’t get access to their data, well, all of a sudden your helpdesk is getting a lot of calls. So you need communications, you need executive leadership to be involved. You need the HR folks involved in the event that there’s employee data that’s involved. So I think running through a bunch of scenarios is great, because you can see all the different people that might be involved in a real scenario.
Steve Maresca 07:40
You know, going back to the legal representation aspect of it, I’d really like to hear for the benefit of our listeners, what risk there is in not having that participation, because we’ve spoken about it in the past privately, but I think it’s worthy to share it.
Linn Freedman 07:55
Sure. So anytime a company is really talking about vulnerabilities, talking about paths that they would take in scenarios and in security incidents, talking about maybe some weaknesses in their plans and in their procedures, you want to protect that in the event that down the road there’s an incident and the company gets sued, because all of the information, you know, discovery in litigation can be very, very broad. And part of that could encompass your preparation for a security incident. What policies and procedures did you have in place? Did you test? Did you audit? Were there findings? All of these things ultimately may be discoverable in litigation. And usually, if you’re upfront and honest, you’re transparent about your weaknesses; if that’s in documentation, it can be used against you, you know, in the future if you’re in litigation. So at least having the protection, or trying to have the protection (it doesn’t always work, but trying to have the protection) of attorney-client privilege and the work product doctrine, so that your legal counsel is involved and legal counsel is directing the tabletop, is very important for trying, or doing your best, to protect the entire conversation and the documentation around that tabletop exercise.
Jason Pufahl 09:49
Even the subsequent follow-up documentation, I assume, right? The report that comes out of it, or whatever that format looks like?
Linn Freedman 09:56
Yeah, so legal counsel. When I do tabletops, I am the one that provides the follow-up to the company, to make sure that it’s confidential.
Jason Pufahl 10:13
So you had made a reference, I think at the beginning, that you run a tabletop and generally everybody struggles through them. Is it because of the way that they’re constructed? Do you find that an organization that’s gone through an incident generally is better prepared? Have you had one where you feel like, “wow, they really knocked it out of the park, and we just don’t need to think about it”?
Linn Freedman 10:44
So there have been a couple that I think did very well. I would say that most companies, in their first one, learn a whole lot. Many companies now have a cadence of doing several over a period of time, three a year, whatever, and you do different scenarios. I think that the more you do, the better you get; it’s just like practice for a football game. The more you practice, the better you’re gonna get at your plays. And this is all about plays. So I would say that I’ve never come out of a tabletop where there weren’t some takeaways and some lessons learned, and some things to do. What I will say is, oftentimes it’s hard for a company to keep the takeaways as top priority. And that’s why, having a cadence of doing several a year, you’ll find that when you’re doing the second one, you’re going back to see what the takeaways were from the first, and that people still have some things on their to-do list. So a cadence is a really good way to get better.
Jason Pufahl 11:50
So actually, it’s a really interesting point, because we see, during an actual incident, right, there’s always an interest in making security improvements for a period of time, three months, maybe six months. If you’re doing your tabletops regularly, at least that keeps information security or data security in the forefront.
Linn Freedman 12:06
For sure. And you know, what you find is everybody has a day job, and then this is on top of that. And so it’s easy for it to go down on the priority pile. So if you’re doing the tabletops, your data security is going to be a priority, but also if you have a cadence and do several a year, you can actually tick off those to-dos, because the month before, when you’re planning the next one, people are going, oops, I didn’t do that.
Jason Pufahl 12:38
Yeah, hold them accountable.
Steve Maresca 12:41
I don’t know about you, Linn, but I tend to feel that many incident response plans, business continuity plans, disaster recovery plans, they’re all aspirational. Right?
Jason Pufahl 12:52
And too long, right?
Linn Freedman 12:54
And way too long.
Steve Maresca 12:57
You know, there’s the old adage, no battle plan survives contact with the enemy. And I think that’s essentially the main thing to underscore: they’re living documents, they need to be treated like living documents. Tabletops avoid the, you know, liability and the feeling of crisis that an actual incident provides, but it gets you the same outcome.
Jason Pufahl 13:21
And you need to be able to take them off the shelf and use them at the time. I mean, we just looked at one that had to be 40 pages long, and I was lost after page two.
Steve Maresca 13:29
Right, so unusable.
Linn Freedman 13:30
So when you’re in the middle of a crisis, which is what a security incident is. Say you’re in the middle of a ransomware attack, which we’re gonna see a whole lot more of because of the conflict in Russia and Ukraine. When you’re in the middle of that, you’re not looking at a 40- or 60-page incident response plan, there’s no way. You need to know, what are we doing? You’ve got to have a cheat sheet. You’ve got to know who to call, you’ve got to know who’s on your plan. And oh, by the way, if you have a ransomware attack and you can’t get into your contacts, do you have your incident response team on paper somewhere with their cell phone numbers? I mean, that’s how nitty-gritty you have to get when you’re in the middle of a chaotic situation and you can’t have access to any of your data. You need something that’s workable.
Jason Pufahl 14:21
Well, it’s so valuable. You mentioned communications, and I don’t want to go down the path of all the right things you should do necessarily during an incident, but certainly, on our side, every time we’re in the middle of an incident, it’s 50% communications and 50% technical, right? It’s all about managing the expectations internally, managing customer expectations externally. It’s complicated.
Linn Freedman 14:40
And most companies haven’t actually walked through the process that they would take if their customers couldn’t get access to their data; if they couldn’t contact their customers; if they couldn’t do business. They actually haven’t gone through the process of what they would do and who would be responsible for that. And that’s so important, because when it really does happen, then you already know how you’re going to react.
Steve Maresca 15:09
And some certainly have even, with good intentions, taken steps to (they believe) make their lives a little easier: digitizing records, avoiding paper-based processes, and so forth. And sometimes you need to fall back on that. But if they’re gone, there’s no opportunity.
Jason Pufahl 15:26
Right? Or if you’re not in the office, or if you haven’t taken them home, there are a dozen ways that can be your problem.
Linn Freedman 15:31
Yeah, my tip today for all your listeners is: if you have an incident response team, get all their private emails and all their private cell phone numbers, put them on a piece of paper, and take it home.
Jason Pufahl 15:47
So that feels like a good way to wrap. That’s a useful takeaway. And frankly, I like the tip that you made, which was simply: just do a tabletop, it doesn’t have to be wildly complicated. You don’t have to make it more than it. Walk through an incident, get a sense of how you might handle it, and then get more formal as you go on. So
Linn Freedman 16:09
Yeah, something is better than nothing, that is for sure.
Jason Pufahl 16:13
Fair enough. So I think, on that note, that’s wise advice right there. Linn, thanks for joining. It’s been a pleasure to have you; I really appreciate the insight. Hopefully, as always, you know, people have taken something away from this, have had an opportunity to learn a little bit, and can move forward. So then, thank you. Anybody who wants to talk more about tabletops, feel free to reach out to us on LinkedIn, Vancord. We’re happy to have a conversation. We’re happy to help you however we can. Linn’s obviously a great resource, so maybe we can have a conversation in the future. Linn, thanks.
Linn Freedman 16:46
Thank you.
Unknown Speaker 16:50
Stay vigilant, stay resilient. This has been CyberSound.