Cybersecurity Disaster Preparedness 101: Incident Response Planning
Every company needs to take incident response planning seriously, as we all learned in 2020
Emergency preparedness is essential for smooth emergency response – and the faster you respond to an emergency, the better. September is National Preparedness Month. As you’re reviewing the other disaster preparedness plans in your life, it’s time to make sure that your incident response planning is still up to date, especially around cybersecurity.
We’ll be covering a different aspect of Cybersecurity Disaster Preparedness Planning every Thursday in September including business continuity planning, incident response planning, cybersecurity planning facts to consider, and lessons learned from the COVID-19 pandemic to give you the information that you need to update your Cybersecurity Disaster Plan for 2021.
Incident Response Planning saves time, money, and your sanity.
Incident response planning can be challenging and confusing. But as we’ve all discovered in 2020, a disaster can come out of nowhere to cause trouble. So, creating a solid cybersecurity incident response plan for the most likely scenarios that your business could face (and a few unlikely ones) can not only shave precious time off of the response to a disaster like a ransomware incident or a data breach, it can be helpful as you seek to mitigate other unexpected disasters.
While there are several popular guides for incident response plans, the most fundamental industry-standard plan uses the framework developed by the National Institute of Standards and Technology (NIST).
The NIST Incident Response Lifecycle contains four steps:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
Understanding and adequately accomplishing each step is vital to creating an efficient incident response plan. You can see the agency’s breakdown in the basic NIST Incident Response Planning Guide.
10 Essential Cybersecurity Disaster Facts:
- 41% of respondents in a survey of business owners had a cybersecurity mishap related to COVID-19
- 94% of executives say their firms have experienced a business-impacting cyber-attack or compromise within the past 12 months
- 47% of businesses reported experiencing five or more attacks in the last 12 months
- 78% of respondents said they expect an increase in cyber-attacks over the next two years
- 63% of security leaders admit it’s likely their systems suffered an unknown compromise over the past year
- 65% of attacks involved operational technology assets
- 21% of companies have adopted formal, enterprise-wide security response plans
- 74% have ad-hoc plans or no plans at all for any type of incident
- Only 39% of organizations with a formal, tested incident response plan experienced an incident, compared to 62% of those who didn’t have a plan
- Having a tested incident response plan can save 35% of the cost of an incident.
PREPARATION
This may be the hardest step, because it’s easy to rush through it. The Dale Carnegie maxim “An hour of planning can save you 10 hours of doing” explains exactly why you shouldn’t rush through this two-part step.
Create a team
If something like ransomware infects your systems, who gets the first call? Who do they call? Who has access to the things that are needed to triage the problem? Who needs to be informed?
In an emergency, you need to be able to answer these questions quickly and definitively. That’s why every business should start its incident response planning with establishing an incident response team, and setting the hierarchy, responsibilities, and capabilities of that team in stone – in an emergency, you don’t have time to waste on deciding who does what.
Establish a protocol
How exactly will everyone be informed and get their instructions on how to handle the incident – and who is empowered to make hard decisions?
The framework of your plan can use any criteria you choose and be customized for your business. The most important part of this step is to establish the parameters of your planning framework, then use that framework to create your response plan for every incident. Consistency in format and layout for each plan will make it easy for your incident response team to follow it during a disaster, enabling them to stay focused on the next two steps.
DETECTION AND ANALYSIS
The first step to fixing the problem (and mitigating the damage) is to figure out the problem. To continue with the ransomware scenario, this is the step where your experts get a SITREP and find the cause, extent, and location of the damage.
- What is the problem? In our scenario, it’s ransomware, so we’ll be starting at the most likely point of infection, email accounts, because most ransomware attacks start with a phishing email (like 90% of cybersecurity threats do).
- What caused the problem? In this scenario we’ll say an employee got caught by a phishing email and downloaded a COVID-19 threat map that he shouldn’t have.
- Where did the damage start and where has it spread? We determine that the ransomware originated from that employee’s email account. That then enables us to see where else it may have migrated by doing some basic forensics.
CONTAINMENT, ERADICATION, AND RECOVERY
Containment
Has the ransomware spread? Can you put the brakes on it and prevent it from going anywhere else? What systems and data did the affected computer have access to? Can this incident be handled remotely?
If you’re using Passly, each staffer will have their own, unique LaunchPad that enables your IT staff and incident response team to quickly add and remove access remotely. Otherwise, this is where your detective work and forensics from step one inform your decisions.
Eradication
Can you remove the ransomware? Can you restore your data and systems from backup? What will you do if you can’t?
This is the step where your team decides what the most expedient and effective way of eliminating the problem is for your business. Every business has unique needs and capabilities, so this step may vary depending on the systems and data affected. You may want to include multiple options that account for each variable that affects the choices your team makes here.
Recovery
Where are the backups? Who has access to the systems and software that you need to get back to work? How do you fix the damage?
In our ransomware example, this step is where you’d restore your data from backups, reboot machines or add new ones, and reinstall any necessary software. With Passly’s Secure Shared Password Vaults, companies are more easily able to make sure that staffers have access to essential administrator and privileged user credentials, but they’re stored securely to keep them safe from cybercriminals.
POST-INCIDENT ACTIVITY
Is there reporting to be filed with the government or industry officials? What went right with your incident response plan? What went wrong with your incident response plan? How can your team improve their performance next time?
After the incident ends and you’ve started getting back to normal, it pays to immediately analyze your incident response plan and your team’s performance. Finding weaknesses in the plan will help you create a more efficient plan for next time – because there will be a next time, so refining your plan matters.
Then, spend some time determining what you can do to reduce the chance of this being a problem for your business in the future. In our scenario, a staffer unleashed a ransomware nightmare because they were fooled into interacting with a phishing email. How can you prevent that from happening again?
- By increasing security awareness training. Using a phishing resistance training tool like BullPhish ID prevents employees from being fooled into interacting with a suspicious message by cybercriminal tricks. Security awareness training reduces your company’s chance of experiencing a cybersecurity incident by up to 70%.
- By adding automated phishing defense to your security stack. Graphus provides three crucial security layers, including Phish 911, an automatic analysis assistant that warns staffers when it determines that an unexpected email may be untrustworthy.
Practice Makes Perfect
Solid, clear, sensible incident response planning will save you time and headaches in an emergency – and save money by preventing expensive response and recovery mistakes. Review your plan and practice your incident response at least once per year in order to make sure that it still fits your needs. By adequately planning ahead for cybersecurity incidents, you’ll have confidence that your team is ready for anything.