“It won’t happen to us.”
The first step to failure in information security is the assumption that you and your organization are above being compromised. You can buy the best security awareness training in the universe, employ the world’s top IT and network administrators, implement the industry’s cutting edge prevention technology, and you are still not safe from the constant threat of cyber attacks.
Security incidents happen. They happen often, to organizations of all shapes and sizes, in every country. How you handle an incident is just as important—potentially more important—than how you prevent an incident.
What Is Incident Response?
Imagine you are out to dinner with friends when suddenly a member of your party begins to choke on their food. Do you know what to do? Your reaction in this situation could be the difference between life and death.
Thankfully, information security isn’t necessarily life and death regarding human beings, but it could be life and death for the future of your organization. Incident response is how you react when a security event of any sort has occurred, whether it be a phishing attack, data or financial theft, or even unauthorized physical access to a controlled area of a building.
An incident response plan details how to handle every type of compromise. Think of it as an emergency plan that establishes a set of protocols—a step-by-step policy—to mitigate further damage and increase the success of recovery.
Who Needs An Incident Response Plan?
Everyone. Seriously. It doesn’t matter if you have 10 employees or if you have 10,000. Cybercriminals have no bias toward their targets and victims. If you handle any level of sensitive data and/or finances, you are a target. As cliché as it may sound, failing to prepare is preparing to fail. Incident response plans are for everyone.
Developing An Incident Response Plan in Five Easy Steps
Identify your risks.
Be aware of what kind of data you store and transmit, and the type of accounts you oversee. Get an understanding of why you might be a target. Then familiarize yourself and your team with potential vulnerabilities. Without this knowledge, the probability of suffering a breach increases, while your ability to identify and recover from a breach in a timely manner decreases. Stay informed so you and anyone on your team can recognize and respond to an incident.
Build an army.
You and your team members need to know how to report an incident, and to whom. Do you call the helpdesk? The IT department? Floor manager? Or simply tell a co-worker? These questions should be answered before an incident occurs. The best course of action is to train and assign “incident managers”—individuals who should be the first to know and can react quickly and accurately in any situation. Successful organizations have a chain of command. A successful incident response plan is no different.
Assess the situation quickly and efficiently.
An employee tells you he is locked out of his computer and can’t access files. As it turns out, he’s not alone as several more employees report the same issue. Next thing you know, you are sent a ransom notice that, if not paid by the end of the week, promises to destroy your data.
This is a generic example of a ransomware attack. The decisions you make in the next few minutes could be the difference between a massive compromise in operation, or a full recovery and subsequent success story. Build a team that can accurately determine the source of the issue, identify the severity of the issue, and efficiently provide a solution. Just like in a real-life emergency, time is of the essence. But accuracy is equally important.
Resolve, review, and reinforce.
An incident response plan is more than just identifying security events and recovering from them. Once the incident has been resolved, it’s time to review the process. How did this happen? Could it have been prevented? What are the chances of it happening again? Your investigation of an incident may leave you with more questions than answers, but proper assessment is key so you can accurately reinforce your security to prevent future compromises.
There will be lawyers.
Whenever you’re dealing with a breach where personal information is compromised, there’s a good chance compliance laws were broken. And even if that’s not the case, you’ll want to be armed with enough resources to provide proper service to those who were affected. Building relationships with lawyers and law enforcement is key to this.
Lawyers not only can inform you of any potential legal issues, but they can also prepare all necessary public announcements. Trust us; you’ll want to break the news yourselves and not have a media outlet do it on your behalf.
Getting to know law enforcement should also be a top priority. Most major cities have local government cybercrime divisions that exist to help you. Do some research. Find out who these people are and invite them into your organization. Doing so will only help the remediation process when a breach occurs.
Every modern building in the world has one thing in common: fire escapes. Even though those same buildings have built-in sprinkler systems and direct access to local fire departments, they still provide multiple exits in the event of an emergency. While antiviruses, firewalls, intrusion detection systems, and security awareness training are all necessary and important parts of cyber security, they are also nothing more than sprinkler systems. You still need an exit strategy should your organization come under attack.
Incident response plans are your fire exits. Without them, your recovery efforts will be less effective, and the damage to your organization will be long-term, even fatal. Don’t fall for the “it won’t happen to us” attitude; get your plan in order immediately, so your organization can become an asset in the fight against cybercriminals.