Have you ever had a look around your office and actually made a note of how much of your equipment is connected to a network? Go ahead and do it now. Your PCs or laptops, obviously. Your printers. Copiers and scanners. Tablets for when you need to be on the move.
According to the global CyberEdge Group 2020 Cyberthreat Defense Report, 86% of the organisations surveyed were affected by a successful cyberattack. This is a statistic that doesn’t seem so impossible when you find out that cybercriminals are now targeting computers and networks at a rate of one malicious attack every 39 seconds.
With so many access points and cybercriminals getting more sophisticated every day, the odds that your company will experience a cyber security incident are high.
Now ask yourself – is your company prepared to handle a cyber security incident when it happens? Does your cyber security strategy include a detailed cyber security incident response plan (CSIRP) that will halt the damage that a cyberattack is doing, begin the recovery process and minimise the impact it has on your bottom line?
With so many different cyber threats out there, crafting a cyber security incident response plan may seem like a complex task. But it is a lot simpler than you’d think if you use the framework provided by the US-based National Institute of Standards in Technology (NIST).
Cyber security incident response planning guide
Preparation
This phase forms the basis of your entire CSIRP and is crucial to protecting your company in the event of a cyber security incident. It will include identifying who needs to be in the response team and making sure employees are fully trained on their roles and responsibilities when an incident occurs. You’ll need to have clear and easy-to-follow documentation in place, as well as ensuring that any resources (finances, software, etc.) required to execute the plan have been pre-approved.
The Australian Cyber Security Centre (ACSC) has compiled detailed advice on effective ways to mitigate the damage of some well-known cyber security incidents, and it is a great starting point for those who don’t have a CSIRP in place yet.
Identification
Also known as detection, this phase involves two parts. First, you’ll need to put various intrusion detection systems and firewalls in place for your network – this process can fall under step one. Then you’ll require a threat intelligence system that analyses current cyber threat trends and common tactics being used by known cyber attackers. There are smart solutions that will collect this data, analyse it and provide simple, detailed reports without you lifting a finger.
Containment
Once you have identified that you are under attack, you need to stop the attackers from advancing further into your system and contain the damage they may have already done. The first step here will often be to disconnect the affected device or system from your main network. So invest in the tools you’ll need to do that, both onsite and remotely. And make sure you have both short-term and long-term containment strategies prepared. Be aware that you’ll probably need different containment strategies for different types of incidents.
Eradication
This phase is about removing every trace of the threat from your network. This would involve things like deleting malware, disabling compromised user accounts and evaluating all the systems that may have been affected. This is also the phase where you identify the specific vulnerability that was exploited by the attackers and neutralise it. Remember that attackers will probably try to replicate the attack to regain access, or use a similar attack on a different device or system in your network.
Recovery
For some companies, the eradication and recovery phases may happen simultaneously. Once your systems or devices are fully patched and protected, you need to start bringing them back into normal operation. This step often includes restoring software, files, databases and more from clean backups so your system can return to full functionality without missing a beat. Also, monitor your systems closely for a set period to be sure the threat was really eliminated and the attackers no longer have any access to your system.
Review
Also known as “Lessons Learned,” this phase is often overlooked by a company that survived a cyber security incident. During this phase, the incident response team needs to meet with the appropriate managers, department heads or partners to determine how to improve future handling of cyber security incidents. This will involve evaluating how effective your current policy and procedures were while the incident was occurring, identifying where improvements can be made, and updating employee training as needed.
Data breaches can cost Australian companies an average of $276,323every time they happen. While your first and last line of defence against cybercriminals will always be your employees, ensuring they receive regular updates and training on cyber security and common cyber threats is essential.
But when all else fails, having an established cyber security incident response plan in place could be all that saves your business from catastrophic consequences. So use this information and get your CSIRP in place today. And if it seems too overwhelming, remember there are experts like Intrix who can handle the whole process for you.
