In the security world you can distinguish businesses into 2 types; One, those who have suffered a cyber attack and Second, those who are yet to come across one. The point here is to be prepared regardless of what category you fall in, as cyber attacks are an unfortunate reality of today’s business landscape.
So how do you prepare for one? It can happen to any business at any given point, right?
Well, ofcourse having a robust security framework is a must, but you should also have a step-by-step plan in place that provides an outlines to all the important parties on how to deal with an incident. A clear process will ensure you are methodical and focused in your response which saves time and result to lesser impact on the business. The plan is referred to as an Incidence Response Plan and we’ll go into more detail below on some things to consider when preparing one.
The plan should be simple, accessible by relevant parties and outlines all steps and procedures in the process,. Nothing too complicated, just preparing checklists of task to complete.
Do you have an Incident Response team ready to take charge? The plan should document all members who will be part of this team. These are the people who are tasked with managing an incident; they should be empowered and have the ability to act quickly without having to seek further authorisation. All staff across departments should be familiar with this team’s identity, their contact details and responsibilities within your business.
You should also keep a crisis communication plan in handy. An effective communication plan ensures panic and mistrust is minimised, reducing damage to your reputation, and relevant parties will know what their job scope is like in this situation. Think about who your internal and external stakeholders are and how and when you’ll keep them informed. Write a contact list so you can quickly identify and contact those stakeholders.
Regardless of how big or small your business is (Yes, small businesses are very much succumbed to breaches as well), or whether you operate within the financial, legal, banking or other industries make sure you understand the nature of the attack before you react to it. Identify the impact of the attack, the type of attack, the networks/systems affected, the stage and origin of the attack and the type of data impacted. The results will shape how the Incident Response Team takes action. Having advanced endpoint protection and response (EDR) systems or security monitoring and logging solutions like Google Security Operations deployed makes the job of understanding an attack much easier.
Once you’ve understood the attack, you should move to contain it by stopping it spreading to other systems. Ensure to take forensic snapshots of infected systems and logs are kept for investigation purposes.
You can then move on to eradicate the attack by identifying and eliminating the root cause to ensure the environment is secure to proceed with the recovery. The specific steps taken will depend on the nature and type of attack.
With the attack eradicated, you can proceed recover systems to full working order. This step can take some time. Systems are rebuilt/reinstalled, files are replaced, patches are installed.
Incident response doesn’t stop with eradicating the attack and recovering systems. A ‘lessons learned’ post-op meeting should be conducted thereafter, and write an Incident Report, including any recommendations to improve the response process and stopping the incident from happening again. Perhaps your endpoint protection let through some simple malware so you need to investigate more advanced protection. Or an employee clicked on a suspicious link so you need to roll our awareness training.
If you’ve decided you want to write your own Incident Response Plan you will find more guidance on the CertNZ website. But if it all sounds a bit complicated or you don’t have time, you can always contact us for a chat!