Running a business in our increasingly interconnected and technology-enabled world has many advantages – from reduced costs and improved productivity to homeworking and flexible hours.
When we aren’t connecting to the next Zoom call from the comfort of our office or sofa, however, there is a less savoury side of this digital revolution that requires our constant attention: cybercrime. The exponential growth of this most modern of criminal activities means the question organisations face is not if a cyber-attack will happen, but when. Therefore, creating a cyber incident response plan is crucial.
The ever-growing frequency, sophistication and impact of these attacks mean businesses can’t afford to simply cross their fingers and hope they aren’t targeted because chances are, they will. Instead, senior executives and the board must ask themselves:
- What would our worst-case cybersecurity incident look like?
- Are we equipped with the required expertise to deal with an attack?
- Do we know who to speak to should the inevitable happen?
- Do we have experts on hand and ready to respond to an incident?
- Do we have the capability to contain and limit the impact of an incident?
When the integrity of a computer network or information system is compromised, the speed and effectiveness of the response will dictate the severity of the disruption, loss and reputational damage it causes.
Cyber incident response plan
A cyber incident response plan is a set of actions that enable organisations to detect and respond to attacks – such as malware infections, denial of service, social engineering and insider threats – in a fast, planned and coordinated manner. Unfortunately, not everybody recognises how vital such a plan is until it’s too late – a staggering 70% of organisations currently do not have a plan in place, leaving them wide open to potential cyber-attacks. This is made more concerning when we consider that on average it takes 197 days to detect a breach, giving cybercriminals over half a year to exploit compromised information. It is therefore no wonder that the average cost for an organisation that has suffered a data breach is a whopping £2.94 million.
It’s the role of the Chief Information Security Officer (CISO) to act as the driving force behind a cyber incident response plan – these members of the C-suite are an integral cog in the protection of a business. The modern CISO must combine their technical know-how with a business-focused, risk management mindset to establish a comprehensive methodology that’s built on proactive policies and procedures. In fact, obtaining CISO expertise without the hassle of recruitment is one of the main benefits of using the services of a third-party vCISO (Virtual Chief Security Officer). By empowering the business to take control of the situation, the CISO can facilitate worthwhile results that can:
- Prevent unauthorised access to data
- Identify attack vectors
- Detect incidents at an earlier stage
- Prevent and isolate malware infections
- Control exposure during an incident
- Minimise operational issues or losses
- Mitigate the risk of future incidents occurring
- Develop a robust defence against attacks
In addition to the operational benefits of having a robust plan in place, there are also legal requirements that must be considered – failure to comply might result in financial penalties:
- GDPR (General Data Protection Regulation): organisations that handle EU residents’ data – such as personal information, browsing data, medical records and sensitive company data – must contain any damage in the event of a data breach and prevent future incidents from occurring. Complying with the tight 72-hour data breach notification window is one of the biggest challenges faced by most businesses.
- Network and Information Systems (NIS) Regulations 2018: this requires organisations that provide critical services – such as energy, transport, water, banking and healthcare – to handle incidents effectively.
The incident response lifecycle
Organisations that are determined to provide a comprehensive end-to-end response typically follow four distinct phases – known as the incident response lifecycle:
- Preparation: this forms the backbone of any future response process. In this phase, you should adopt a risk-based approach to cybersecurity, by:
  - Understanding your technological and business environment
  - Identifying and tracking threats
  - Documenting risks
  - Training employees
  - Conducting incident response drill scenarios
- Detection and Analysis: the focus of this phase is to monitor cybersecurity activity, so you are well-placed to detect, alert and report potential incidents.
  - Monitor using firewalls, intrusion prevention systems and data loss prevention.
  - Detect by correlating alerts within a Security Information and Event Management (SIEM) solution.
  - Alert by documenting initial findings and assigning an initial incident classification: Critical (threat to public safety or life), High (threat to sensitive data), Moderate (threat to computer systems), Low (disruption of services).
  - Report by enabling regulatory reporting escalations.
- Containment, Eradication and Recovery:
  - Containment: stop the bleeding, so the attack doesn’t spread and cause further damage to your business, by implementing your containment strategy. This might be as simple as disconnecting affected devices from the internet.
  - Eradication: having contained the incident, find and eliminate the root cause by securely removing all malware, re-patching systems and applying updates.
  - Recovery: achieve business as usual again by restoring affected systems and devices, without the fear of another breach.
- Post-Incident Activity: don’t drop the ball by failing to learn valuable lessons from a cyber incident and your response. Determine what worked well in your response plan, and where there were holes. Feed this knowledge back into the preparation phase to complete the cycle and improve going forward.
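As an added example (not code from the original article), the Detection and Analysis steps above carried through in Python: constructed alerts from the three monitoring sources the article names are correlated by host as a SIEM rule would, given the article's four-level initial classification, and flagged for the GDPR 72-hour notification escalation. The alert field names, the alert types and the use of the earliest alert time as the moment of awareness are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from the three monitoring sources the article names; the
# field names and alert types are assumptions for this example, not a real SIEM schema.
ALERTS = [
    {"source": "firewall", "host": "web01", "type": "port_scan", "detected": "2024-03-04T09:12:00Z"},
    {"source": "ips", "host": "web01", "type": "exploit_attempt", "detected": "2024-03-04T09:15:00Z"},
    {"source": "dlp", "host": "web01", "type": "personal_data_exfil", "detected": "2024-03-04T09:40:00Z"},
    {"source": "ips", "host": "plc-pump-3", "type": "safety_controller_tamper", "detected": "2024-03-04T10:02:00Z"},
    {"source": "firewall", "host": "mail02", "type": "dos_flood", "detected": "2024-03-04T10:30:00Z"},
]
# Alert types grouped by impact category; anything unlisted (scans, DoS floods) is Low: disruption of services.
SAFETY_IMPACT = {"safety_controller_tamper"}     # Critical: threat to public safety or life
SENSITIVE_DATA_IMPACT = {"personal_data_exfil"}  # High: threat to sensitive data
SYSTEM_IMPACT = {"exploit_attempt", "malware"}   # Moderate: threat to computer systems
GDPR_NOTIFY_WINDOW = timedelta(hours=72)         # notify the regulator within 72h of becoming aware


def correlate(alerts):
    """Group alerts from different sources by host, as a SIEM correlation rule would."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[alert["host"]].append(alert)
    return dict(incidents)


def classify(alerts):
    """Initial classification from the highest-impact alert type in the incident."""
    types = {alert["type"] for alert in alerts}
    if types & SAFETY_IMPACT:
        return "Critical"
    if types & SENSITIVE_DATA_IMPACT:
        return "High"
    if types & SYSTEM_IMPACT:
        return "Moderate"
    return "Low"


def triage(alerts):
    """One incident record per host: classification, contributing sources and regulatory deadline."""
    records = {}
    for host, group in correlate(alerts).items():
        # Assumption: the earliest alert marks awareness, the conservative start for the 72-hour clock.
        first = min(datetime.fromisoformat(a["detected"].replace("Z", "+00:00")) for a in group)
        personal_data = bool({a["type"] for a in group} & SENSITIVE_DATA_IMPACT)
        records[host] = {
            "classification": classify(group),
            "sources": sorted({a["source"] for a in group}),
            "gdpr_notify_by": first + GDPR_NOTIFY_WINDOW if personal_data else None,
        }
    return records
```

Incidents without personal data get no GDPR deadline; the classification still drives internal escalation.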
Businesses that are passive in their response to cyber incidents do so at their peril. This should be a proactive process that is underpinned by structure, not an isolated reactive event. By using the cyber incident response lifecycle as a template for your comprehensive plan, your business can react quickly and effectively to cyber-attacks, instead of hoping for the best.