Risk managers are waking up to the realisation that cyber attacks are inevitable. Mark Lamb, CEO of HighGround.io, explains how to prepare.
Recent estimates reveal that cybercrime is now the third-largest economy in the world.
It has gained this stature because of the ease with which criminals can launch attacks, netting them millions of dollars with a few clicks of a button.
When it comes to cybercrime today, there is no immunity. All businesses, governments and institutions are fair game and, as their reliance on digital increases, so too does their vulnerability to attack.
As a result of this, most organisations have moved from a position of hoping attacks won’t happen, to knowing they eventually will, and therefore realising their response is just as critical as the defences they deploy to keep attackers out of their networks.
This means when organisations and risk managers are building out their cybersecurity programs, they realise they can’t just focus on building secure walls around their data, but they also must put in place plans for when attacks inevitably do happen.
Incident response is a vital part of this, and it focuses on the steps organisations must take to minimise the damage of a successful breach of their assets.
So, what must incident response plans include to ensure that organisations can navigate attacks swiftly, with minimal disruptions?
What makes up an incident response plan?
The first hour of a cyberattack is known as the golden hour. This is the time when organisations must act fast in trying to understand the scope of the incident and work to prevent it from causing lasting damage.
How organisations respond in the ‘golden hour’ often determines just how severe the impact of the incident will be on their operations.
A key focus in an incident response plan must therefore be around the golden hour and providing staff with all the information needed to allow them to step into action right away.
Incident response teams need to understand who to contact in the event of an incident, what role each employee will play in responding to the situation, when law enforcement, insurers, partners and regulatory bodies need to be informed, and how the organisation will respond to an incident. They also need pre-prepared media statements that can be issued to the press.
Key preparations risk managers should make now
- The incident response team: Which employees make up the incident response team and what are their contact details?
The incident response plan must name every member of the team, with their contact details so they can be alerted at any time of day.
It is also sometimes easier to have a pre-set WhatsApp group of the incident response team, so everyone can be contacted and communicate with each other quickly and easily.
- Roles and responsibilities: What is the role of each team member?
Make sure everyone has clearly defined responsibilities to carry out in the wake of an incident so there is no scrambling about. Time is of the essence and team members need to step into action immediately.
To get this correct, it is advised to run regular tabletop exercises ahead of events occurring so employees can rehearse their roles.
- Law enforcement, insurers, partners and regulators
Not all incidents will require the above groups to be notified, but the incident response plan should lay out when each party needs to be informed and who to contact at the different organisations.
- How will the organisation respond to an incident?
Unfortunately, the incident response plan isn’t a crystal ball, so it will never know exactly what type of attack could occur, but it is worthwhile having some pre-prepared responses to potential situations.
For instance, in a ransomware attack, at what point would the organisation decide to pay the ransom? To work this out, it is often worthwhile knowing the cost of downtime per hour, so teams can quickly identify when this surpasses the ransom demand.
- Media statements
It is vital to have media statements prepared that can be issued to the press when attacks occur.
These should ideally be three template holding statements that can be edited according to the situation.
The first statement should state that the company is investigating an incident, the second should announce that the organisation is working to resolve the incident, and the final statement should announce that the incident has been resolved.
More details on incidents can be shared in blog posts and specially designed FAQ sections on organisations’ websites.
Incident response planning is vital today because attacks will inevitably happen.
For some organisations, incident response can seem like a mammoth task, but utilising free tools and following the steps above will provide significant help in allowing risk managers to navigate incidents effectively and quickly, with minimal disruption to business.