Have you truly considered what it would take to minimize the impact on your organization following a cyberattack?

You’ve probably heard the phrase, “it’s not a matter of if, but when.” After hearing that phrase, you may have thought to yourself, “I’m too small for a hacker to care about me,” or “I have impenetrable defenses,” or “I don’t have anything worth stealing.”

Let’s dissect them one at a time:

“I’m too small for a hacker to care about me.” This is probably the most dangerous belief, because it’s the small to medium-sized businesses that, if hit with ransomware, may incur catastrophic expenses during recovery, forcing them out of business.

“I have impenetrable defenses.” If you read our blog ‘Cybersecurity Risk is a Business Problem,’ you may have read, “Risk, We can’t avoid it, and we can’t eliminate it.” This holds true for every organization, large and small. Organizations that spend tens of millions of dollars on cybersecurity posture management are still susceptible to cyberattacks. Just ask FireEye, one of the world’s top cybersecurity companies.

“I don’t have anything worth stealing.” Often, this is the same company that thinks like the first one. Is your business worth saving? Are student records not worth keeping secret? If unsure, ask the parents or the students themselves. How would your clients feel if they learned their legal history was compromised? Do you accept credit cards, or maintain patient health records? What about your employees’ personnel records or company financial statements? If you answered yes to any of these, then keep reading.

What does an incident response plan have to do with it?

The quicker you can identify, contain, and eradicate the attacker, the lesser the impact will be on the business.

Keys to an effective incident response program:

•  Understand your architecture

   – Know your potential entry points

   – Know where your segmentation boundaries are

   – Know where your networking devices are

   – Know where your security devices are

   – Know where your critical assets and data reside

•  Train your staff

   – Security awareness programs

   – IR Tabletop exercises

   – Threat Intelligence feeds

   – Communication and outreach

•  Write an Incident Response Policy. Have it signed off on, disseminated, and enforced by senior leadership. The policy may include the following:

   – Statement of management commitment

   – Purpose of the policy

   – Scope of the policy (to whom and what it applies and under what circumstances)

   – Definitions and related terms

   – High-level Roles, responsibilities, and levels of authority

   – Incident Identification and Classification

   – Performance measures

   – Compliance

   – Policy Exceptions

•  Develop an incident response plan to include the following:

   – Mission

   – Goals and Objectives

   – Senior management approval

   – Roles and responsibilities

   – Incident categories and classifications

   – Communication specifics and call tree flow

   – Incident response plan activation

   – Location of Procedures and Playbooks

   – Incident response plan phases

        •  Preparation

        •  Identification

        •  Containment

        •  Eradication

        •  Recovery

        •  Lessons Learned

   – Document Control

   – Metrics for measuring the incident response capability and its effectiveness

   – Approach to Lessons Learned following an incident

The Incident Response Policy and Plan should be the foundation for your IR Procedures. The IR Procedures are the step-by-step instructions on what to do if a cybersecurity incident were to arise. Incident Response Playbooks may accompany the Procedures. Playbooks are instructions on what to do in the event of specific attacks, such as a malware outbreak, ransomware, or an attack on a web server, database, or endpoint.

Once these steps have been well planned, aligned with your organization’s mission, goals, and strategic cybersecurity objectives, and have senior leadership acceptance and signature, it’s time to develop the team’s muscle memory.

What is muscle memory and what does it have to do with Cybersecurity Incident Response?

Muscle memory is what naturally develops when an action or behavior is performed repetitively, kind of like driving a car. You brake when an object gets too close. You put your blinker on before making a turn (well, some of us do). You buckle your seat belt when first entering the vehicle. These are all things most people don’t consciously think about.

This is precisely what you want to develop once you’ve created your program, which is done through Incident Response Tabletop Exercises. You don’t want your stressed-out incident responders trying to recall what to do next. It should be automatic and without conscious thought.

The moral of the story is this: even though you may not have budget approval for all the cybersecurity bells and whistles to Identify, Protect, Detect, Respond, and Recover from a cybersecurity incident, you should strongly consider, and champion for, an Incident Response Program.

By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA

Contact us for more information about Incident Preparedness Services from AccessIT Group.
