There is a day that we all hope will never come: the day we need to respond to a major cybersecurity incident.
While no one expects it will happen to them, the statistics tell a sobering story. Attacks such as ransomware continue to rise, with a more than 600% increase in cybercrime since the onset of the COVID-19 pandemic, and ransom demands reaching hundreds of thousands or millions of dollars. On top of that, 70% of cyber attacks target small to mid-sized businesses, according to the National Cybersecurity Alliance.
A serious incident can happen to even the most well-protected organization, as today’s hackers are armed with sophisticated tools and tradecraft that can easily be bought on the dark web. So what’s a business to do?
Prepare.
Smart organizations know that it makes sense to have a plan in place to handle events that are low likelihood, but high impact. While preparing for incidents might seem like a daunting task, there are a few simple things that every organization should do to ensure they’re prepared to handle a significant cybersecurity incident.
Winston Churchill is credited with saying: “He who fails to plan is planning to fail.” A Business Continuity Plan (BCP) is your roadmap to ensuring that your business can keep operating when disaster strikes.
Disasters can come in many flavors: an earthquake, fires, flooding, or a cyber attack. If a disaster strikes your business, your first concern should be your customers. It’s critical that business operations continue through an incident. Customers who are not being served well are likely to explore other options such as your competition, compounding your challenges by cutting into revenue at a very vulnerable time. A good BCP ensures you have the means to provide customer service, take and fulfill orders, and perform other critical business functions.
A critical component of your BCP is your Disaster Recovery Plan (DRP). Where the BCP focuses on the overall functions of your business, the DRP focuses on the process for recovering technical operations. It ensures that you have mechanisms to recover important data that may be lost or encrypted, can re-establish networks and communications that may be out of commission, and have means to restore access to critical applications and infrastructure.
With these basics out of the way, it’s time to reach out to your legal counsel and/or insurance provider to have a conversation about how they can help you respond to a significant cybersecurity incident. They will help you to understand:
When and how to engage with external incident response professionals. Not all incidents are created equal. In some instances you might choose to simply clean up the cyber mess and get back to work. In others, you may benefit from the help of seasoned experts to ensure you’ve got a complete understanding of the scope of the incident, are able to properly contain and eject the intruders, and fully understand the root cause of the incident to ensure it can’t happen again. Law firms and insurers maintain strong relationships with incident response firms that can engage quickly when you need it most.
When and how to seek help from law enforcement. If your storefront was robbed or vandalized, one of your first actions would be to call the police. Unfortunately, in the cyber world, it can be tricky to know what’s worth reporting, and who to report it to. Law firms and cyber insurers have a great deal of experience, and can ensure you get the law enforcement help you need in a timely manner.
How to maintain privilege and protect yourself from lawsuits. Any time there is a significant breach and client data or operations are impacted, your organization is at risk of a lawsuit. Your legal counsel can help you understand how and with whom you should communicate to ensure that details of your breach and the subsequent internal investigations don’t become discoverable artifacts that hurt you down the road.
Our final step in preparing for a cyber incident will be to craft our Incident Response Plan. This provides a prescriptive blueprint for leadership and staff to follow when an incident occurs. Incident response can be a stressful and chaotic time, with a lot of things happening very quickly. Having a documented plan of action helps ensure that every participant has a defined part, which in turn helps them make good decisions.
Your incident response plan should lay out the different responsibilities of the parties who have a role in responding to an incident, and then outline the incident response process. The process should highlight steps not only for the staff who are actively investigating and responding to the threat, but also guidance for notification for internal and external stakeholders such as the Board of Directors, regulators, customers, and the general public.
A variety of templates are available to help you build an incident response plan that works for your organization. The US National Institute of Standards and Technology (NIST) has published a comprehensive guide to incident handling (NIST SP 800-61). A shorter, more digestible template is available from Berkeley University. You might also like to review the ContraForce eBook: The Anatomy of a Great Threat Response.
With all our plans in place, it’s tempting to file them on a shelf and consider the job complete. Not so fast. Documented plans don’t do anyone any good if they simply gather dust. You need to be ready to activate them at a moment’s notice, with confidence that the plans are effective. Once your planning phase is complete, it’s time to put them to the test.
Training. A wide variety of staff will play a part when responding to an incident, including executives, IT operations, auditors, and more. Everyone with a role to play will need some training to ensure they know what’s expected of them, and that they’re not caught off guard when the time comes.
Recovery exercise. Having regular backups is clearly important. It’s equally important to know how to effectively restore backups when and if it becomes necessary. Performing regular recovery exercises ensures that all the necessary technical components are properly configured, and that you and your staff are well acquainted with operating them.
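As an added illustration of what a recovery exercise can check objectively (example code, not part of the original article or any ContraForce tooling): the script below restores a backup archive into a throwaway directory and compares every restored file against a SHA-256 manifest recorded at backup time. The archive, the manifest and the sample file contents are all constructed in-memory so the drill runs offline; in practice the manifest would be produced by your backup job and stored separately from the archive.

```python
"""Backup restore drill: extract an archive into a scratch directory and
verify every file against a SHA-256 manifest written at backup time.
All sample data below is constructed for the example."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Constructed sample file set standing in for a real backup source.
SAMPLE_FILES = {
    "config/app.yaml": b"db_host: db.internal\nlog_level: info\n",
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "docs/runbook.md": b"# Restore runbook\n1. Locate latest archive\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Build a gzip tarball in memory and a manifest {path: sha256}.
    Stands in for the backup job; a real job writes both to storage."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = sha256_bytes(data)
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict) -> dict:
    """Restore into a temporary directory and hash-check each file.
    Returns counts and lists of problems so the drill has a clear pass/fail."""
    result = {"verified": 0, "missing": [], "corrupt": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # Refuse any member whose path would land outside the scratch dir.
            for member in tar.getmembers():
                target = (root / member.name).resolve()
                try:
                    target.relative_to(root)
                except ValueError:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(root)
        restored = {
            p.relative_to(root).as_posix(): p
            for p in root.rglob("*") if p.is_file()
        }
        for name, expected in manifest.items():
            path = restored.pop(name, None)
            if path is None:
                result["missing"].append(name)
            elif sha256_bytes(path.read_bytes()) != expected:
                result["corrupt"].append(name)
            else:
                result["verified"] += 1
        # Files present in the restore but absent from the manifest.
        result["unexpected"] = sorted(restored)
    result["passed"] = not (result["missing"] or result["corrupt"])
    return result


def run_drill() -> tuple:
    """Run the drill twice: once on an intact archive, once on a damaged copy
    (one file altered, one file absent) to show what a failed drill reports."""
    good_archive, manifest = make_backup(SAMPLE_FILES)
    damaged = dict(SAMPLE_FILES)
    damaged["db/customers.csv"] = b"id,name\n1,Al"   # truncated on the stored copy
    del damaged["config/app.yaml"]                   # never made it into the backup
    bad_archive, _ = make_backup(damaged)
    return restore_and_verify(good_archive, manifest), restore_and_verify(bad_archive, manifest)


if __name__ == "__main__":
    good, bad = run_drill()
    print("intact backup:", good)
    print("damaged backup:", bad)
```

The point of the drill is the manifest: a restore that "completes without errors" says nothing about whether the data is the data you backed up. Keeping the manifest apart from the archive also means a stored copy that was tampered with or suffered bit rot is caught before it is trusted during a real recovery.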
Cybersecurity tabletop exercise. Incident response is a team sport; practice drills go a long way toward ensuring the team works effectively together. Too often organizations pull their dusty incident response plan from the shelf for the first time in the heat of battle, creating more chaos than calm. A tabletop exercise brings all the stakeholders together to role-play a simulated incident, giving everyone an opportunity to think through their actions and iron out the kinks in a safe environment.
Review and update. Things change. Organizations merge and shift structure. New regulations bring mandates, and new technologies bring opportunities for automation and streamlining processes. It’s important to regularly review all of your plans to ensure that the process you defined continues to meet your needs for the future.
Still daunted by the prospect of a cybersecurity incident? ContraForce can help. ContraForce provides comprehensive cybersecurity designed to help small and midsized enterprises build strong cybersecurity programs. For more information on our platform or managed service offerings, visit us at contraforce.com.