Cybersecurity Incident Response Planning is Crucial for Business Survival

Are you ready for the worst to happen? In the hectic jumble of multiple emergency and disaster events in 2020, many businesses realized that they weren’t quite as ready as they thought for emergency operations or cybersecurity incident response – and that’s a problem. By making, implementing, practicing and following a carefully crafted cybersecurity incident response plan, companies can not only stop the damage and begin recovery from a cyberattack, but they also can minimize the impact on their bottom line.

Incident Response Planning Saves Businesses

As cybercrime continues to climb with no downturn in sight, more companies are faced with the possibility of dealing with a cyberattack, and the cost can be devastating. Over 60% of companies that are hit by a cyberattack go out of business. More than 80% of businesses saw an increase in cybercrime last year, and two in five SMBs were impacted by ransomware. From SolarWinds to the European Volleyball Confederation, the events of the global pandemic and its subsequent flood of cybercrime showed that no organization is an island – and no organization is safe from cybercrime. It also means that every business is vulnerable to a cyberattack, no matter how big or small.

Creating a solid cybersecurity incident response plan for the most likely scenarios that your business could face (and a few unlikely ones) can not only shave precious time off of the response to a disaster like a ransomware incident or a data breach, but it can also be helpful as you seek to mitigate other unexpected disasters. It’s also a key player in developing cyber resilience. The IBM/Ponemon Cyber Resilient Organization Report noted that companies with formal security response plans applied across the business were less likely to experience significant disruption as the result of a cyberattack. Over the past two years, only 39% of these companies experienced a disruptive security incident, compared to 62% of those with less formal plans.

The creation of incident response plans at organizations is growing. The study noted a 44% improvement in the number of organizations that are making and keeping incident response plans, but still, only 26% had formal incident response playbooks on hand – and even among those forward-thinking companies, only 17% had incident response plans for specific scenarios, detailing the differences in approach and mitigation for something like a ransomware attack or a credential stuffing incident. When specific scenario plans do exist, the most common playbooks are for DDoS attacks (64%) and malware (57%), and only 45% had designated plans for ransomware attacks.

Use The Incident Response Lifecycle as a Blueprint

Making an incident response plan isn’t as complex as you may think. While there are several popular guides for incident response plans, the most fundamental industry-standard plan uses the framework developed by the National Institute of Standards and Technology (NIST).

The NIST Incident Response Lifecycle contains four steps: 

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity 

Understanding and adequately accomplishing each step is vital to creating an efficient incident response plan. You can see the agency’s breakdown in the basic NIST Incident Response Planning Guide.

PREPARATION

This may be the hardest step because it’s easy to rush through it. The Dale Carnegie maxim “An hour of planning can save you 10 hours of doing” explains exactly why you shouldn’t rush through this step: it’s the step that can save your business in the end. By choosing the right team members and making sure that they have the right training, you can facilitate a strong, fast incident response that minimizes damage.

Create a team:

If something like ransomware infects your systems, who gets the first call? Whom do they call? Who has access to the things that are needed to triage the problem? Who needs to be informed? 

In an emergency, you need to be able to answer these questions quickly and definitively. That’s why every business should start its incident response planning by establishing an incident response team, and setting the hierarchy, responsibilities, and capabilities of that team in stone – in an emergency, you don’t have time to waste on deciding who does what.

Establish a protocol:

How exactly will everyone be informed and get their instructions on how to handle the incident – and who is empowered to make hard decisions?

The framework of your plan can use any criteria you choose and be customized for your business. The most important part of this step is to establish the parameters of your planning framework, then use that framework to create your response plan for every incident. Consistency in format and layout for each plan will make it easy for your incident response team to follow it during a disaster, enabling them to stay focused on the next two steps.

Ensure that you have accurate intelligence:

Have solutions/services in place that will give you regular, easy-to-read reports detailing dark web credential compromise threats, access and hacking activity, and phishing and email activity to keep a weather eye on what might be headed your way. Today’s smart solutions often gather and analyze their own threat intelligence without your IT teams lifting a finger.

DETECTION AND ANALYSIS

Don’t ever sleep on detection. An unfortunate side effect of today’s IT security alert overload is the huge portion of IT staffers that just ignore alerts. More than 45% of respondents said that they regularly turn off high-volume alerting features because they’re overwhelming. Almost half of the participants said that they personally investigate 10 – 20 alerts each day, a 12% increase from 2019. Another 25% of respondents said they investigate 21 to 40 alerts each day, up from 14% the year prior, and 66% of survey takers reported seeing a significant increase in alerts since March of 2020.

The first step to fixing the problem of overwhelming alerts is to determine which are essential and stop the rest. Another key component of reducing the volume of alerts that a team gets is to make use of today’s smart security automation. Knowing where the problem started (and mitigating the damage) is key to figuring out the problem. To continue with the ransomware scenario, this is the step where your experts get a SITREP and find the cause, extent, and location of the damage.
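As an added illustration of the two ideas above (switching off non-essential alert rules, and letting automation collapse the rest into something a small team can act on), the following Python triage routine is not from the original article; the alert records, rule names and thresholds are constructed for the walkthrough. It groups alerts per host and escalates the ransomware pattern the article uses as its running scenario: a burst of file renames from one machine inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Informational rules the team has decided to switch off rather than review by hand
SUPPRESSED_RULES = {"av_signature_update"}

# Constructed sample alerts (not data from the original article): one workstation
# renames 25 files to a ransom-style extension in a few seconds, another has two
# failed logins, and a server emits routine antivirus signature updates.
SAMPLE_ALERTS = (
    [{"ts": f"2020-11-03T09:00:{i:02d}", "host": "wks-12", "rule": "file_rename",
      "severity": 2, "detail": f"report{i}.docx -> report{i}.docx.locked"} for i in range(25)]
    + [{"ts": "2020-11-03T09:01:10", "host": "wks-07", "rule": "failed_login",
        "severity": 1, "detail": "bad password"},
       {"ts": "2020-11-03T09:01:40", "host": "wks-07", "rule": "failed_login",
        "severity": 1, "detail": "bad password"}]
    + [{"ts": f"2020-11-03T09:{m:02d}:00", "host": "srv-01", "rule": "av_signature_update",
        "severity": 0, "detail": "signatures updated"} for m in range(0, 30, 5)]
)


def triage(alerts, window=timedelta(seconds=60), burst=20):
    """Collapse raw alerts into per-host incidents and rank them.

    Suppressed rules are dropped outright. The remaining alerts are grouped by
    (host, rule); a file_rename group with at least `burst` events whose first and
    last alert fall inside `window` is escalated as suspected ransomware (P1), a
    large failed_login group as suspected brute force (P2), everything else is P3.
    Returns incidents sorted with the highest priority first.
    """
    groups = defaultdict(list)
    for a in alerts:
        if a["rule"] in SUPPRESSED_RULES:
            continue
        groups[(a["host"], a["rule"])].append(datetime.fromisoformat(a["ts"]))
    incidents = []
    for (host, rule), stamps in groups.items():
        stamps.sort()
        span = stamps[-1] - stamps[0]
        if rule == "file_rename" and len(stamps) >= burst and span <= window:
            priority, label = 1, "ransomware_suspected"
        elif rule == "failed_login" and len(stamps) >= burst:
            priority, label = 2, "brute_force_suspected"
        else:
            priority, label = 3, "review"
        incidents.append({"host": host, "rule": rule, "count": len(stamps),
                          "priority": priority, "label": label})
    return sorted(incidents, key=lambda i: (i["priority"], -i["count"]))
```

Running `triage(SAMPLE_ALERTS)` turns 33 raw alerts into two incidents, with the wks-12 rename burst first; the routine AV updates never reach an analyst.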

CONTAINMENT, ERADICATION, AND RECOVERY

Containment:

Has the ransomware spread? Can you put the brakes on it and prevent it from going anywhere else? What systems and data did the affected computer have access to? Can this incident be handled remotely? 

Have tools in place that enable your IT staff and incident response team to quickly add and remove access remotely. Otherwise, this is where your detective work and forensics from step one inform your decisions. 

Eradication:

Can you remove the ransomware? Can you restore your data and systems from backup? What are the top priorities for preservation? If something has to be sacrificed, what’s first in line? What will you do if you can’t?

This is the step where your team decides what the most expedient and effective way of eliminating the problem is for your business. Every business has unique needs and capabilities, so this step may vary depending on the systems and data affected. You may want to include multiple options that account for each variable that affects the choices your team makes here.

Recovery:

Where are the backups? Who has access to the systems and software that you need to get back to work? How do you fix the damage?

In our ransomware example, this step is where you’d restore your data from backups, reboot machines, or add new ones and reinstall any necessary software. If you aren’t backing up your data, you won’t have the option of restoring it here. More than 60% of businesses lose unrecoverable data in a damaging cybersecurity incident. Be smart and take steps to back up all of your business essentials immediately.

POST-INCIDENT ACTIVITY

Start with a few basic questions to gauge how your incident response plan performed during the attack and see what you can do to have a more efficient response next time. What went right with your incident response plan? Was this part of a larger third-party-related cybercrime incident? What went wrong with your incident response plan? How can your team improve their performance next time? Were there resources that you needed but didn’t have? Don’t wait to inform officials; you might incur fines. Find out immediately if there’s an obligation to report or disclose and act accordingly. Is there a report to be filed with the government or industry officials?

After the incident ends and you’ve started getting back to normal, it pays to immediately analyze your incident response plan and your team’s performance. Thoroughly review the detailed threat and incident reports that are available to you through your security solutions and/or from your Managed Services Provider. Finding weaknesses in the plan will help you create a more efficient plan for next time – because there will be a next time, so refining your plan matters.

Then, spend some time determining what you can do to reduce the chance of this being a problem for your business in the future. In our scenario, a staffer unleashed a ransomware nightmare because they were fooled into interacting with a phishing email, but it could just as easily be a staffer with malicious intent or hackers that strike. How can you prevent that from happening again? What does your staff need to stave off other cyberattacks?

If you said training, you’re right. Not only do you need to make a plan, you need to practice it. Your staffers also need to be receiving regular security awareness and phishing resistance training. Organizations that send everyone (regardless of rank) through phishing resistance training at least once per quarter have up to 70% fewer cybersecurity incidents.

Now take this information and put it to work for your business. Not sure how to start or need additional guidance? Contact an expert at your local Managed IT Services Provider (MSP) today to get started.


More articles by Amelia Paro