In the game of cybersecurity, betting the farm on an ironclad perimeter defense is a losing strategy.
“There is a good chance that hackers are already in your system,” a privacy attorney recently told Data Breach Today. “Your focus should turn to not only protecting your perimeter but also identifying hackers within your network and limiting their ability to remove data.”
Many “first identifiers” of cybersecurity incidents are unsure of what to do when they see a suspicious message or alert. Unfortunately, in those first critical moments, the incident can grow from a minor inconvenience into a major catastrophe.
This Is Not a Cybersecurity Test
Given that 100% cybersecurity protection is impossible — or at least unrealistic — employees need to know how to respond to and recover from a cybersecurity event. An incident response and recovery plan (typically created by a steering committee with broad representation throughout the company) should spell out how the organization will:
1. Contain the threat.
In the event of a suspected breach, the first objective is to limit the impact. Each person who might discover a cybersecurity incident must know the steps that will keep the attack from propagating across the network. Just as vital, those actions must preserve any forensic evidence. For example, if an employee encounters an infected machine, then in most cases the device should be disconnected from the network without powering it down, because shutting it off destroys volatile evidence (such as what is running in memory) that investigators may need. The employee should then immediately call IT support or the company’s designated security officer.
The proper incident response depends on the type of attack vector and the risk rating of the digital assets at stake. In our previous example of an infected machine, disconnecting the device is an appropriate response because the files it contains could be high-value digital assets. Additionally, this response is appropriate because the attack occurred on a single machine. By contrast, a network-level attack — such as a distributed denial of service (DDoS) attack, which makes a network unavailable to its users — requires more response planning. Such planning includes implementing monitoring tools and conducting scenario-based testing to equip security personnel to make response decisions quickly.
At a minimum, anyone who could detect a cybersecurity attack must know how to complete an incident report. Employees should also know their responsibility to notify management, the board, customers, and regulators.
2. Recover from the attack.
Business must continue after a cybersecurity attack. A recovery plan focuses on returning to normal operations as quickly as possible and reducing the likelihood that such an event will occur again. Recovery plans should include ongoing monitoring procedures to verify that the issue is fully resolved, as well as integrate any lessons that may help prevent similar circumstances in the future.
Additionally, a recovery plan should include a post-breach analysis and meeting. The analysis should identify any additional mitigation measures needed to stop the attack or prevent a recurrence. The purpose of the meeting, which should be conducted within 24 to 48 hours of the attack, is to debrief the security team and company stakeholders while conducting a risk assessment to gauge the likelihood of a future attack.
Of course, it is not enough to simply have a recovery plan in place. Organizations should also conduct scenario-based testing to help ensure that their planned strategies will work against an attack.
Store a copy of the incident response and recovery plan in a location outside of the local network to ensure that you can access it — and keep it secure from cyberattackers.
Assembling the Right Cybersecurity Playbook
Appropriate incident response and recovery procedures are essential components of a comprehensive information security program. They can also mitigate the effects of an attack and reduce the likelihood of future breaches. Contact CRI’s cybersecurity professionals for help designing and implementing your information security playbook.