Cybersecurity Incident Response Planning is Crucial for Business Survival
Are you ready for the worst to happen? In the hectic jumble of multiple emergency and disaster events in 2020, many businesses realized that they weren’t quite as ready as they thought for emergency operations or cybersecurity incident response – and that’s a problem. By making, implementing, practicing and following a carefully crafted cybersecurity incident response plan, companies can not only stop the damage and begin recovery from a cyberattack, but they also can minimize the impact on their bottom line.
Incident Response Planning Saves Businesses
As cybercrime continues to climb with no downturn in sight, more companies are faced with the possibility of dealing with a cyberattack, and the cost can be devastating. Over 60% of companies that are hit by a cyberattack go out of business. More than 80% of businesses saw an increase in cybercrime last year, and two in five SMBs were impacted by ransomware. From SolarWinds to the European Volleyball Confederation, the events of the global pandemic and its subsequent flood of cybercrime showed that no organization is an island – and no organization is safe from cybercrime. This means that every business is vulnerable to a cyberattack, no matter how big or small.
Creating a solid cybersecurity incident response plan for the most likely scenarios that your business could face (and a few unlikely ones) can not only shave precious time off of the response to a disaster like a ransomware incident or a data breach, but it can also be helpful as you seek to mitigate other unexpected disasters. It’s also a key player in developing cyber resilience. The IBM/Ponemon Cyber Resilient Organization Report noted that companies with formal security response plans applied across the business were less likely to experience significant disruption as the result of a cyberattack. Over the past two years, only 39% of these companies experienced a disruptive security incident, compared to 62% of those with less formal plans.
The creation of incident response plans at organizations is growing. The study noticed a 44% improvement in the number of organizations that are making and keeping incident response plans, but still only 26% had formal incident response playbooks on hand – and even among those forward-thinking companies, only 17% of them had incident response plans for specific scenarios, detailing the differences in approach and mitigation in something like a ransomware attack or a credential stuffing incident. When specific scenario plans do exist, the most common playbooks are for DDoS attacks (64%) and malware (57%), and only 45% had designated plans for ransomware attacks.
Use The Incident Response Lifecycle as a Blueprint
Making an incident response plan isn’t as complex as you may think. While there are several popular guides for incident response plans, the most fundamental industry-standard plan uses the framework developed by the National Institute of Standards and Technology (NIST).
The NIST Incident Response Lifecycle contains four steps:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
Understanding and adequately accomplishing each step is vital to creating an efficient incident response plan. You can see the agency’s breakdown in the basic NIST Incident Response Planning Guide.
PREPARATION
This may be the hardest step because it’s easy to rush through it. The Dale Carnegie maxim “An hour of planning can save you 10 hours of doing” explains exactly why you shouldn’t rush through this step: it’s the step that can save your business in the end. By choosing the right team members and making sure that they have the right training, you can facilitate a strong, fast incident response that minimizes damage. Here is a quick list of the Top 10 things to know about cybersecurity disaster planning.
Create a team
If something like ransomware infects your systems, who gets the first call? Who do they call? Who has access to the things that are needed to triage the problem? Who needs to be informed?
In an emergency, you need to be able to answer these questions quickly and definitively. That’s why every business should start its incident response planning with establishing an incident response team, and setting the hierarchy, responsibilities, and capabilities of that team in stone – in an emergency, you don’t have time to waste on deciding who does what.
Establish a protocol
How exactly will everyone be informed and get their instructions on how to handle the incident – and who is empowered to make hard decisions?
The framework of your plan can use any criteria you choose and be customized for your business. The most important part of this step is to establish the parameters of your planning framework, then use that framework to create your response plan for every incident. Consistency in format and layout for each plan will make it easy for your incident response team to follow it during a disaster, enabling them to stay focused on the next two steps.
Ensure That You have Accurate Intelligence
The automated reporting capabilities of solutions like Dark Web ID, Passly and Graphus are threat intelligence goldmines – and you don’t even have to generate the reports manually anymore. Have these solutions give you regular, easy-to-read reports detailing dark web credential compromise threats, access and hacking activity, and phishing and email activity to keep a weather eye on what might be headed your way. Today’s smart solutions often gather and analyze their own threat intelligence without IT teams lifting a finger.
DETECTION AND ANALYSIS
Don’t ever sleep on detection. An unfortunate side effect of today’s IT security alert overload is the huge portion of IT staffers that simply ignore alerts. More than 45% of respondents said that they regularly turn off high-volume alerting features because they’re overwhelming. Almost half of the participants said that they personally investigate 10 – 20 alerts each day, a 12% increase from 2019. Another 25% of respondents said they investigate 21 to 40 alerts each day, up from 14% the year prior, and 66% of survey takers reported seeing a significant increase in alerts since March of 2020.
The first step to fixing the problem of overwhelming alerts is to determine which are essential and stop the rest. Another key component of reducing the volume of alerts that a team gets is to make use of today’s smart security automation. For example, Passly features automated password resets, eliminating the #1 reason for call tickets. Knowing where the problem started (and mitigating the damage) is key to figuring out the problem. To continue with the ransomware scenario, this is the step where your experts get a SITREP and find the cause, extent, and location of the damage.
CONTAINMENT, ERADICATION, AND RECOVERY
If you’re using Passly, each staffer will have their own, unique launchpad through the single sign-on feature that enables your IT staff and incident response team to quickly add and remove access remotely. Otherwise, this is where your detective work and forensics from step one inform your decisions.
Can you remove the ransomware? Can you restore your data and systems from backup? What are the top priorities for preservation? If something has to be sacrificed, what is first in line? What will you do if you can’t?
This is the step where your team decides what the most expedient and effective way of eliminating the problem is for your business. Every business has unique needs and capabilities, so this step may vary depending on the systems and data affected. You may want to include multiple options that account for each variable that affects the choices your team makes here.
Where are the backups? Who has access to the systems and software that you need to get back to work? How do you fix the damage?
In our ransomware example, this step is where you’d restore your data from backups, reboot machines or add new ones and reinstall any necessary software. If you aren’t backing up your data, you won’t have the option of restoring it here. More than 60% of businesses lose unrecoverable data in a damaging cybersecurity incident. Be smart and take steps to back up all of your business essentials immediately.
POST-INCIDENT ACTIVITY
Start with a few basic questions to gauge how your incident response plan performed during the attack and see what you can do to have a more efficient response next time. What went right with your incident response plan? Was this part of a larger third-party-related cybercrime incident? What went wrong with your incident response plan? How can your team improve their performance next time? Were there resources that you needed but didn’t have? Don’t wait to inform officials; you might incur fines. Find out immediately whether there is an obligation to report or disclose the incident to government or industry officials, and act accordingly.
After the incident ends and you’ve started getting back to normal, it pays to immediately analyze your incident response plan and your team’s performance. Thoroughly review the detailed threat and incident reports that are available to you through the user-friendly remote management tools in Dark Web ID, Passly and other IT Complete solutions. Finding weaknesses in the plan will help you create a more efficient plan for next time – because there will be a next time, so refining your plan matters.
Then, spend some time determining what you can do to reduce the chance of this being a problem for your business in the future. In our scenario, a staffer unleashed a ransomware nightmare because they were fooled into interacting with a phishing email, but it could just as easily be a staffer with malicious intent or hackers that strike. How can you prevent that from happening again? What does your staff or IT team need to stave off other cyberattacks?
If you said training, you’re right. Not only do you need to make a plan, you need to practice it. Your staffers also need to be receiving regular security awareness and phishing resistance training. Organizations that send everyone regardless of rank through phishing resistance training at least once per quarter have up to 70% fewer cybersecurity incidents. The newly upgraded BullPhish ID makes that easy with remote deployment of training through a user-friendly, personalized portal that makes the experience painless for everyone. It also includes the capability to use our plug-and-play phishing simulations or create your own to reflect industry threats, including attachments and URLs.
Now take this information and put it to work for your business. Contact one of our experts today to get started.