A recent survey carried out by Nationwide Insurance showcased something very odd. Of the surveyed small businesses, 63 percent said they had been attacked by cybercriminals, yet 79 percent of the respondents did not have any incident response process in place. Cybercrime is a harsh reality. It’s not a question of whether you will be hit by a cyberattack; it’s only a matter of when. Eventually, you will upgrade your security systems and make them robust enough to foil advanced hack attempts. The critical question is whether you can do it before the attack. Preparation is the only solution, and this guide to preparing a cyberattack response plan can help you avoid the pain.
Taking stock — Processes, datastreams, people, devices
The thing with cybercrime is that it follows the path of least resistance. Your business is only as secure as your least secure application, process, data repository, or device. To build a robust and future-ready cyberattack response plan, start from the very beginning: the leaders of the business’s digital security program need to begin by taking stock.
- Leaders from each department must be a part — engage with them to enlist all business processes, product lines, and services provided.
- Get all the details about the different business processes, the kind of data they create, the applications in use, and who uses them.
- Evaluate the compliance requirements you need to abide by, related to the nature of your data, the method of storing and sharing it, and know all the geographies you operate in, because each one may have different requirements for handling data breaches.
- All this information must be regularly updated, so that your business’s internal risk management team or an external managed security service provider can build comprehensive risk mitigation plans.
Taking stock (continued) — Security resources
The next phase of your cyberattack response plan is to continue the stock-taking exercise. This time, though, the focus is on taking stock of the currently available security resources.
Corresponding to each disparate “unit” of information identified as relevant for the organization’s security program, find out:
- The current methods of digital security in place.
- The number of people responsible for the security preparedness of the unit.
- The external resources (consultancy, managed services) available for the unit’s security.
Apart from this, program leaders would do well to:
- Assign priorities and categories (as per criticality) to each unit.
- Challenge how risks are being anticipated, identified, and reported — today.
- Identify the impact of outstanding risk exposure, resulting from lack of adequate coverage.
At the end of this, leadership will be in a good position to evaluate how the organization is currently placed in terms of its readiness for cybercrime.
Build an incident response plan
The homework is now done. With highly contextual information available on the planning desk, it’s time for security executives to devise an incident response plan. At this stage, watch out for a common mistake: your business’s security incident response plan should be tailored to your organization. Picking up a template and filling in the blanks, however diligently, is a questionable practice. After all, building a highly relevant and reliable plan is exactly why you invested resources in the first two phases.
Begin by reviewing the risks: regulatory, competitive, and financial. Discuss the responsibilities of external service providers, which is highly important given the cloud-heavy digital services landscape that most businesses now find themselves in. Ask: what are the current incident response policies, if any? How relevant are they? How often (and how reliably) have they been tested?
All these efforts feed into your incident response plan. Here’s more on how you can prepare a robust and reliable cyberattack response plan.
Part 1 — Detection
This part of the plan captures details of the actions to be taken once an incident is identified. It must include:
- Proper guidelines on documentation of information.
- Communication channels to be adopted.
- Communication matrix: The people and their hierarchy, in terms of who should be informed first.
- Roles and responsibilities of executives in the security response team.
- Identification of a media representative: the single point of contact between the outside world and the organization while it is grappling with the incident.
Part 2 — Analysis
This part of the plan outlines best practices that help managers decide on aspects such as:
- Putting the right people together to analyze the security incident.
- The frequency of follow-ups the incident leader must do to make sure the analysis doesn’t get stuck anywhere.
- The mechanism for granting the special accesses and privileges that analysts might need to respond to the incident quickly.
Part 3 — Containment, eradication, and recovery
This part of the plan covers details of the actions people need to take for the remediation of the situation:
- Building workarounds to ensure business continuity, and to arrest the flow of the damage caused by the security breach.
- Re-prioritizing the work of IT teams to make sure they have adequate resources to help business teams regain access to lost information.
- Quickly remedying the identified problem (for instance, upgrading an application with the latest security patch or mass-changing passwords).
- Intelligently expanding the scope of checks after addressing the burning problem, and leveraging the communication matrix established in Part 1 to manage internal communications.
- Preparing a disclosure case to reveal the news of the security breach to the public and regulatory authorities.
Part 4 — Post-incident actions
A lessons-learned meeting, adequately timed after the incident, is a step in the right direction. It should also become an opportunity to challenge the reliability of your incident response plan and to identify scope for improvements in it.
If one or more employees were responsible for the laxity that led to the data breach, you must find out what they did or didn’t do and ensure the causes that led to the failure are not repeated.
A cyberattack response plan is not optional
Not only are data breaches becoming extremely common, but many of them are now targeted exclusively at businesses, because of the “value” that cybercriminals can extract by stealing data and holding operations to ransom. Be prepared: there’s somebody out there plotting to sneak in and attack your business soon. If you don’t have a cyberattack response plan today, you’d better have one by tomorrow.
Featured image: Flickr / Ecole Polytechnique