Planning for the seemingly unlikely event of a severe cybersecurity incident strikes many organizations as unwieldy and time-consuming. But consider this: according to the Ponemon Institute, 90% of organizations that go offline due to a cyberattack close their doors within the following two years.
A strong incident response plan is clearly a necessity these days. From threats like the recent WannaCry ransomware attack to the Google Docs phishing scam, there are a number of ways a security incident can unfold at your organization. Having a tested incident response plan in your back pocket can make the difference between a swift recovery and a high-stress situation in which every minute the incident remains unresolved results in more financial or reputational damage.
There are three fundamental components that will help ensure that your company’s incident response plan is a success.
Define security incidents and likely scenarios. While all IT service incidents deserve swift identification and triage, security incidents – which often have malicious intent – must be identified and tackled even more quickly. For example, a server at your company is unexpectedly rebooted in the middle of the day. This could be caused by an innocuous outage, or it could be something far more sinister. Perhaps an unknown third party has installed a rootkit, and the system is restarting so that the changes granting that third party unauthorized access take effect.
As you think through the possible incidents and scenarios, use two guides: security best practices that can be circumvented (such as authentication), and cues from the news about recent, real threats (such as phishing and ransomware attempts).
What experts and stakeholders will be mobilized to handle all of the security, privacy and legal implications when a security incident occurs? How will your organization recover from a successful phishing attack? How will your organization cope with news of a severe data leak? What will you do once hackers are booted from your system? Play out each possible incident and how you would realistically respond. From there, write your incident response plan and procedures accordingly.
One resource to get you started is a generic incident handling procedure template from the Computer Security Incident Response Team. This is a good baseline document, but you’ll need to tailor it to meet your organization’s specific needs.
Communicate and train on the plan. Once your plan has been developed, reviewed and approved, the roles and responsibilities everyone plays should be disseminated to all relevant parties. An incident can be detected by anyone with the right “visibility.” Your IT team is obviously on the front lines for incident detection and response, but many people in your organization could end up identifying a problem first. Maybe your marketing team, who owns the website, notices some highly suspect traffic one day or encounters issues with the server. Do they know where to go? Any of your end users could click on a link in an email and realize afterwards that it seemed suspicious. Do they know who to call or email?
A hands-on and interactive way to ensure that key stakeholders know what role they play in incident response is to conduct tabletop exercises. A tabletop exercise is usually led by a security subject matter expert who walks a team of diverse stakeholders (from IT, security, management, legal, HR, etc.) through an impactful security incident scenario, facilitating the decisions made and providing feedback afterwards on how well the participants were aware of their responsibilities and the company’s policies. Tabletop exercises are one way of doing “red teaming” because they simulate how internal processes will play out if a real security incident gets reported and escalated.
Proactively mitigate your losses. A security incident that turns into a validated security breach can lead to devastating financial or reputational loss. Such losses are not easy to recover from, and in some scenarios, organizations never fully rebound. The Anthem Healthcare breach of 2015 came with a price tag well into the billions of dollars. And the code-hosting service, Code Spaces, went under in the months following its breach.
In addition to putting preventative best-practice technical measures in place and preparing an actionable incident response plan, consider building relationships and lines of communication now with relevant government agencies, external legal counsel and digital forensics firms, and potentially procuring cybersecurity liability insurance. Your Board of Directors will, and should, expect you to have answers on all of these measures, and communicating with your Board on these matters is an art unto itself.
In a world where it isn’t a question of “if,” but “when” your company may find itself the target of a cyber incident, a detailed incident response plan will be your lifeline for weathering the storm of security incidents in measurable ways. Executed well, it can help you demystify the what-if scenarios, reduce the panic about who will do what, and plan through the worst-case scenarios to make sure you have all the experts and resources you need to handle any security incident.