Every company needs to take incident response planning seriously, as we all learned in 2020
Emergency preparedness is essential for smooth emergency response – and the faster you respond to an emergency, the better. September is National Preparedness Month. As you’re reviewing the other disaster preparedness plans in your life, it’s time to make sure that your incident response planning is still up to date, especially around cybersecurity.
We’ll be covering a different aspect of Cybersecurity Disaster Preparedness Planning every Thursday in September including business continuity planning, incident response planning, cybersecurity planning facts to consider, and lessons learned from the COVID-19 pandemic to give you the information that you need to update your Cybersecurity Disaster Plan for 2021.
Incident Response Planning saves time, money, and your sanity.
Incident response planning can be challenging and confusing. But as we’ve all discovered in 2020, a disaster can come out of nowhere to cause trouble. So, creating a solid cybersecurity incident response plan for the most likely scenarios that your business could face (and a few unlikely ones) can not only shave precious time off of the response to a disaster like a ransomware incident or a data breach, it can be helpful as you seek to mitigate other unexpected disasters.
While there are several popular guides for incident response plans, the most fundamental industry standard plan uses the framework developed by the National Institute of Standards and Technology (NIST).
The NIST Incident Response Lifecycle contains four steps:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
Understanding and adequately accomplishing each step is vital to creating an efficient incident response plan. You can see the agency’s breakdown in the basic NIST Incident Response Planning Guide.
PREPARATION
This may be the hardest step, because it’s easy to rush through it. The Dale Carnegie maxim “An hour of planning can save you 10 hours of doing” explains exactly why you shouldn’t rush through this two-part step.
Create a team
If something like ransomware infects your systems, who gets the first call? Who do they call? Who has access to the things that are needed to triage the problem? Who needs to be informed?
In an emergency, you need to be able to answer these questions quickly and definitively. That’s why every business should start its incident response planning with establishing an incident response team, and setting the hierarchy, responsibilities, and capabilities of that team in stone – in an emergency, you don’t have time to waste on deciding who does what.
Establish a protocol
How exactly will everyone be informed and get their instructions on how to handle the incident – and who is empowered to make hard decisions?
The framework of your plan can use any criteria you choose and be customized for your business. The most important part of this step is to establish the parameters of your planning framework, then use that framework to create your response plan for every incident. Consistency in format and layout for each plan will make it easy for your incident response team to follow it during a disaster, enabling them to stay focused on the next two steps.
DETECTION AND ANALYSIS
The first step to fixing the problem (and mitigating the damage) is to figure out the problem. To continue with the ransomware scenario, this is the step where your experts get a SITREP and find the cause, extent, and location of the damage.
- What is the problem? In our scenario, it’s ransomware, so we’ll be starting at the most likely point of infection, email accounts, because most ransomware attacks start with a phishing email (like 90% of cybersecurity threats do).
- What caused the problem? In this scenario we’ll say an employee got caught by a phishing email and downloaded a COVID-19 threat map that he shouldn’t have.
- Where did the damage start and where has it spread? We determine that the ransomware originated from that employee’s email account. That then enables us to see where else it may have migrated by doing some basic forensics.
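To show what the “basic forensics” in this step look like in practice, here is an added example (not part of the original article) that rebuilds the infection timeline from a handful of constructed log events: a phishing attachment delivered to one mailbox, opened on one workstation, then ransomware fanning out over SMB. The log format, host names, user names and the `.locked` extension are all assumptions made up for the example.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts host user kind detail")

# Constructed sample telemetry for the article's ransomware scenario (not real logs).
EVENTS = [Event(*e) for e in [
    ("2020-09-03T08:55:10", "MAIL-GW", "jdoe", "mail_delivered", "covid19_threat_map.exe"),
    ("2020-09-03T09:02:41", "WS-017", "jdoe", "file_executed", "covid19_threat_map.exe"),
    ("2020-09-03T09:05:03", "WS-017", "jdoe", "smb_connect", "FS-01"),
    ("2020-09-03T09:05:30", "WS-017", "jdoe", "smb_connect", "WS-022"),
    ("2020-09-03T09:11:12", "FS-01", "svc_backup", "file_renamed", ".locked"),
    ("2020-09-03T09:14:50", "WS-022", "asmith", "file_renamed", ".locked"),
    ("2020-09-03T09:20:00", "WS-022", "asmith", "smb_connect", "WS-031"),
    ("2020-09-03T10:00:00", "WS-040", "bjones", "file_renamed", ".bak"),  # benign rename
]]

RANSOM_EXT = ".locked"  # assumed extension the ransomware appends to encrypted files


def build_timeline(events):
    """Answer the three analysis questions: what is it, what caused it, where did it start and spread."""
    events = sorted(events, key=lambda e: e.ts)  # ISO-8601 strings sort chronologically
    # Cause: the attachment each user received, matched against what was later executed.
    lures = {e.user: e.detail for e in events if e.kind == "mail_delivered"}
    patient_zero = next((e for e in events
                         if e.kind == "file_executed" and lures.get(e.user) == e.detail), None)
    if patient_zero is None:
        return None
    compromised = {patient_zero.host}  # hosts with direct evidence of the malware running
    reached = {}                       # host -> compromised host that connected to it
    for e in events:
        if e.ts < patient_zero.ts:
            continue  # anything before the lure ran cannot be part of this incident
        if e.kind == "smb_connect" and e.host in compromised and e.detail not in compromised:
            reached.setdefault(e.detail, e.host)
        if e.kind == "file_renamed" and e.detail == RANSOM_EXT:
            compromised.add(e.host)    # encryption observed: confirmed spread
    return {
        "lure": patient_zero.detail,
        "entry_user": patient_zero.user,
        "patient_zero": patient_zero.host,
        "encrypted_hosts": sorted(compromised),
        # Reached from a compromised host but no encryption seen yet: scope these for containment.
        "unconfirmed_reached": sorted(h for h in reached if h not in compromised),
        "spread_from": reached,
    }


if __name__ == "__main__":
    for key, value in build_timeline(EVENTS).items():
        print(f"{key}: {value}")
```

The “unconfirmed_reached” list is the hand-off to the containment step: hosts the ransomware touched but has not visibly encrypted are the ones to isolate and check first.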
CONTAINMENT, ERADICATION, AND RECOVERY
If you’re using Passly, each staffer will have their own, unique LaunchPad that enables your IT staff and incident response team to quickly add and remove access remotely. Otherwise, this is where your detective work and forensics from step one inform your decisions.
Can you remove the ransomware? Can you restore your data and systems from backup? What will you do if you can’t?
This is the step where your team decides what the most expedient and effective way of eliminating the problem is for your business. Every business has unique needs and capabilities, so this step may vary depending on the systems and data affected. You may want to include multiple options that account for each variable that affects the choices that your team makes here.
Where are the backups? Who has access to the systems and software that you need to get back to work? How do you fix the damage?
In our ransomware example, this step is where you’d restore your data from backups, reboot machines or add new ones, and reinstall any necessary software. With Passly’s Secure Shared Password Vaults, companies are more easily able to make sure that staffers have access to essential administrator and privileged user credentials, but they’re stored securely to keep them safe from cybercriminals.
POST-INCIDENT ACTIVITY
Is there reporting to be filed with the government or industry officials? What went right with your incident response plan? What went wrong with your incident response plan? How can your team improve their performance next time?
After the incident ends and you’ve started getting back to normal, it pays to immediately analyze your incident response plan and your team’s performance. Finding weaknesses in the plan will help you create a more efficient plan for next time – because there will be a next time, so refining your plan matters.
Then, spend some time determining what you can do to reduce the chance of this being a problem for your business in the future. In our scenario, a staffer unleashed a ransomware nightmare because they were fooled into interacting with a phishing email. How can you prevent that from happening again?
- By increasing security awareness training. Using a phishing resistance training tool like BullPhish ID prevents employees from being fooled into interacting with a suspicious message by cybercriminal tricks. Security awareness training reduces your company’s chance of experiencing a cybersecurity incident by up to 70%.
- By adding automated phishing defense to your security stack. Graphus provides three crucial security layers, including Phish 911, an automatic analysis assistant that warns staffers when it determines that an unexpected email may be untrustworthy.
Practice Makes Perfect
Solid, clear, sensible incident response planning will save you time and headaches in an emergency – and save money by preventing expensive response and recovery mistakes. Review your plan and practice your incident response at least once per year in order to make sure that it still fits your needs. By adequately planning ahead for cybersecurity incidents, you’ll have confidence that your team is ready for anything.