[author: Stephen Haley]
In the past few years, the risk of a major cyber incident disrupting the operations of businesses large and small has increased significantly. Geopolitical events and greater global instability have heightened awareness of the need to protect core business operations from a cyber security incident. A proactive approach, backed by a robust and regularly updated Incident Response program, is key to managing the risk of the incidents organizations face today and will face tomorrow.
While some organizations have robust Incident Response programs and are better prepared to recover from a cyber incident and sustain business as usual, many companies have not addressed what is now an increased, and potentially existential, risk to their continued operations. A well-documented and thorough Incident Response program prepares an organization to identify, respond to, handle, and recover from adverse events.
What is an Incident?
An incident is an occurrence that disrupts, or could disrupt, operations, services, or functions, or that causes their loss. In security terms it is distinguished from an event (any observable occurrence on a system or network) by its actual or imminent impact: a port scan against a firewall is an event, while a confirmed login with stolen credentials is an incident.
Here are some examples of common incidents that interrupt an organization’s business operations or its ability to provide services effectively:
- Unauthorized access to a system
- Data breaches
- Successful social engineering attacks
- Malware infections (viruses, trojans, spyware), phishing, spam, and spoofing
- Denial-of-service and distributed denial-of-service attacks
- Website defacement
- Financial fraud
What should you do?
Developing and implementing a modern, robust incident response program, one that brings together people, technology, and threat intelligence to prevent, prepare for, mitigate, and recover from such events, is key to an organization's continued operations.
At a minimum, a complete incident response program should encompass the following areas and domains.
- Risk Assessment – Serves as the foundation for Incident Response and Contingency Planning. A risk assessment identifies the threats an organization faces and weighs each by its likelihood and by its impact on the organization should it occur. Incident Response planning incorporates those results and develops a strategy for addressing the threats that are both likely and impactful.
- Incident Policy – Sets out the requirements of a robust Incident Prevention and Response plan, including who has the authority to declare an incident and what must be reported, to whom, and how quickly.
- Incident Response Plan – Provides direction on responding to, containing, remediating, and recovering from an incident. Plans should include specific playbooks for different types of scenarios (for example, a compromised account, a malware outbreak, or a data breach).
- Employee Awareness – Once the plan is developed, ensure that all affected employees are aware of it and trained on it. Employees must be able to recognize an incident and know how, and to whom, to report it.
- Tabletop Exercises – Walk the team through a simulated scenario to uncover problems before an actual incident happens. These exercises let the organization evaluate its protection measures, preparation tactics, and procedures, and close gaps in a risk-free environment.
- Incident Prevention Plan – The best defense against an incident is to prevent it from occurring in the first place. While not all incidents can be prevented, there are steps and controls an organization can take to reduce the chances of an impactful incident. Some of these controls include:
  - Security Awareness Training – One of the most effective ways to protect against cyber-attacks and data breaches is to train employees on the cyber threat landscape, and to verify that the training works (for example, with simulated phishing campaigns).
  - Regularly monitor and audit your network – Continuous monitoring, built on repeatable processes to detect and respond to threats, is essential to minimizing risk; an attack noticed within minutes costs far less than one discovered weeks later.
  - Protect access to critical systems and data – Apply the principle of least privilege and implement multifactor authentication (MFA).
  - Ensure the security of your data through regular backups – Make sure that backups are protected and encrypted, that a secondary copy is stored offsite (or offline) in a protected environment, and that restores are tested regularly; a backup that has never been restored is not a recovery plan.
  - Incorporate a strong patch management solution and cadence – Minimize vulnerabilities through a regular patch management cadence, with participation by all members of the organization.
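The "monitor and audit" control above only pays off if monitoring actually turns raw events into incidents someone is paged for. As an added example that is not part of the original post, the Python below runs a simple detection over constructed SSH-style authentication log lines (the log format, the five-failures-in-two-minutes threshold, and the severity labels are assumptions chosen for illustration). It flags a burst of failed logins from one source as a brute-force attempt, and escalates it to a probable unauthorized-access incident, the first item in the incident list above, when the same source then succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real data). Three sources:
# one brute-forces and then succeeds, one has a single typo-style failure,
# one brute-forces without success.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51234
2024-03-01T10:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51235
2024-03-01T10:00:04Z sshd[1201]: Failed password for root from 203.0.113.7 port 51236
2024-03-01T10:00:06Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51237
2024-03-01T10:00:07Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51238
2024-03-01T10:00:09Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51239
2024-03-01T10:05:00Z sshd[1300]: Failed password for alice from 198.51.100.20 port 40001
2024-03-01T10:20:00Z sshd[1300]: Accepted password for alice from 198.51.100.20 port 40002
2024-03-01T11:00:00Z sshd[1400]: Failed password for bob from 192.0.2.9 port 30001
2024-03-01T11:00:01Z sshd[1400]: Failed password for bob from 192.0.2.9 port 30002
2024-03-01T11:00:02Z sshd[1400]: Failed password for bob from 192.0.2.9 port 30003
2024-03-01T11:00:03Z sshd[1400]: Failed password for bob from 192.0.2.9 port 30004
2024-03-01T11:00:04Z sshd[1400]: Failed password for bob from 192.0.2.9 port 30005
2024-03-01T11:00:05Z sshd[1400]: Failed password for bob from 192.0.2.9 port 30006
"""

# Assumed line format: ISO timestamp, sshd pid, result, user, source IP, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Parse one auth log line into a dict, or return None for lines we don't handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_auth_incidents(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return findings (one per source IP, first-seen order) from a block of log text.

    kind == "brute_force": at least `threshold` failures from one source within `window`.
    kind == "brute_force_success": such a burst followed by an Accepted login from the
    same source; severity is raised to "high" because this is probable unauthorized access.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures inside the sliding window
    findings = {}                 # src -> finding dict (dict keeps first-seen order)

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]

        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                if src not in findings:
                    findings[src] = {"src": src, "kind": "brute_force", "severity": "medium",
                                     "failures": len(q), "first_seen": q[0]}
                else:
                    findings[src]["failures"] = max(findings[src]["failures"], len(q))
        elif src in findings:
            # A success after a burst from the same source: escalate for immediate response.
            f = findings[src]
            f["kind"] = "brute_force_success"
            f["severity"] = "high"
            f["user"] = ev["user"]
            f["accepted_at"] = ts

    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_auth_incidents(SAMPLE_LOG):
        print(finding)
```

Run as-is, the script reports two findings: a high-severity `brute_force_success` for 203.0.113.7 (user `admin`) and a medium-severity `brute_force` for 192.0.2.9; the single failure from 198.51.100.20 stays below the threshold and is not reported. The sliding window is what keeps slow, spread-out failures from being mistaken for an attack, and the escalation on success is the step that should route the finding into the incident response plan rather than a daily report.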
In our experience responding to cyber incidents, we have found a direct correlation between the time it takes to detect and react to an attack and the cost of recovering from it. By implementing the measures covered above, you will increase your organization's ability to respond to and recover from a cybersecurity incident swiftly and efficiently.