There's much advice given about how to reduce the risk of an attack and the different preventative measures that organisations can put in place. However, with new technologies and routes of entry for attackers, preventive measures alone are not enough. In order to ensure all bases are covered, organisations need to be prepared with a solid security incident response plan. When an incident occurs, it will ensure everyone knows exactly what to do to minimise the impact to their organisation.
Why do some organisations not have incident response plans in place?
Many organisations lack incident response plans for the same reason most people don't get travel insurance before going on holiday, or check their tyre pressure before driving long distances. Most people don't think about these things until it's too late. Developing and implementing a security incident response plan can be time consuming and often costly - two things most organisations do not have. Without a response plan, incidents can escalate quickly and the impact can be severe. An incident response plan gives organisations a much better chance of isolating and controlling an incident in a timely and cost effective manner.
Five key steps to take following a security breach
So, the worst has happened and your organisation has suffered a security breach. What are the first things you need to do to ensure that your risk is minimised?
Don't panic - it may be a natural reaction, but from our experience, it doesn't solve anything. Avoid the temptation to simply pull the plug or turn the machines off. Directly after a breach, things often seem worse than they are. Your main goal should be business continuity. To do this, it's important to establish the nature and extent of the incident. Is it something that has been seen before, such as a common ant-virus incident? If so what steps need to be taken to control the impact of the incident?
2) Data analysis
Carefully analysing the data involved in the incident is crucial to understanding what actually happened. It may sound simple but over the years, we have seen too many cases that are misdiagnosed early on, resulting in incorrect remedial actions. By assigning an expert to handle the incident, you can be sure the responsibility of incident management and coordination is taken care of, so that you can focus on getting your organisation back to its normal state of operation.
One of the biggest issues we see with incident response is a lack of internal communication - from board level down. Depending on the type of incident, it may be that communication with the rest of the organisation and external bodies such as third-party agencies, customers and regulatory authorities is necessary. If that is the case, it's important to ensure communication only occurs through the pre-planned and established channels.
Communication needs to be an on-going process throughout the organisation. When a security incident occurs, everyone needs to be fully trained and aware of their role and responsibilities. Putting security incident playbooks in place for each department can be one way to keep staff aware of what they are and are not allowed to do in the wake of a breach.
4) Resolve and recover
Assuming the incident handler and the technical team assigned to the incident has control, you should be on the way to resolving the issue and heading towards recovery. The road to recovery may involve rolling back disaster recovery (DR) applications, beginning to restore data from backups or simply closing the incident. Whatever the situation, the incident will not be properly resolved until all recovery actions are complete.
5) Lessons learned
Following an incident, organisations can be quick to fall back into routine. It's important that you learn from every security incident to minimise the risk of it taking place in the future. Ask yourself; what can we implement to better protect ourselves? If this happens again, have we done enough to minimise the risk and disruption? Does everyone know their role and are they aware of the role they play in keeping the organisation secure?
One of the first things we introduce when discussing incident response plans with customers is Security Incident Playbooks. This works by identifying key risk areas, determining what working state you are operating in and ensuring everyone is aware of the appropriate actions.
Simple steps, like ensuring all data and devices are properly encrypted, and keeping access to classified information limited, can also minimise the risk of a security incident. Most people think a security incident has to be a major breach, but more often than not they are the result of something much more basic.
Often organisations rely on the IT department to provide a high level of cyber security, but it's rarely the case they have the man power or knowledge to provide the required level of service. By outsourcing incident response, organisations can be sure they have a dedicated team on hand, who know what to look out for and are ready to respond.
To find out more about CNS Group's incident response service, click here.