Cybersecurity data breaches have almost become a way of life. We hear about businesses impacted by security incidents and data breaches every day. As the adage goes, it’s not “IF”, but rather “WHEN” a security incident will take place at your business.
It is therefore a best practice for every business to create an incident response plan. An incident response plan delivers two cybersecurity benefits to your business:
A breach of your information is always stressful. Don’t compound that stress by not having a plan to address a successful cyberattack.
Before creating an incident response plan, you must create an incident response policy.
The National Institute of Standards and Technology (NIST) recommends in its Computer Security Incident Handling Guide that an organization should create a policy before building an incident response program.
This policy:
Develop your policy to include all applicable regulations and laws under which your business operates. Compliance requirements such as those associated with HIPAA and HITECH, Gramm-Leach-Bliley Act, and Sarbanes-Oxley (SOX) will drive your policy requirements.
Once the policy has been created, NIST outlines four broad phases an incident response plan should include.
NIST identifies four phases in an incident response lifecycle:
Each of the four phases includes a number of actions. Here’s an outline of what you can include in your organization’s incident response plan.
“Prevention” in the context of incident response is essentially your information security strategy and the software tools used to implement your strategy. It is your layered defense against cybercriminals -- firewalls, encryption, antivirus software, data backup, user training, etc.
Part of being prepared is having a complete list of your information security tools (including any portions of your IT infrastructure managed by a third-party managed service provider).
Effective response is based on communication. Smartphones are an excellent way to communicate with and coordinate team members while responding to an incident. It may be a good idea to have some of the information below as hard copy or on devices not connected to an organization’s network (it will be difficult to coordinate a response if, for example, you are victimized by a ransomware attack and cannot access your plan):
Attacks can come from anywhere and take many forms - a denial of service attack, ransomware, email phishing, lost or stolen equipment (such as a laptop, smartphone, or authentication token), etc.
Once an incident is positively identified, follow defined processes to document the response (which can be helpful in showing a good faith effort to limit the impact of the breach on customer data should you end up in litigation or are investigated as the result of a breach).
Identify your affected networks, systems, and/or applications and determine the scope of the incident. From there, the response team can prioritize next steps from containment to further analysis of the incident. Recommendations for making analysis more effective include:
These techniques should be used in conjunction with one another. Relying on a single method will be ineffective.
Document incidents as they are found. A logbook is one way to do so as are laptops, audio recordings, or a digital camera.
Those affected by the incident need to be notified as well. For an incident that affects customers, a message on your website, email notification, or other communication will be needed. Often, breach notification procedures are driven by laws applicable to your industry, your state or your country, or a combination of these.
Develop containment strategies for different incident types as containment for malware entering your network from an email will be different than for a network-based denial-of-service attack.
Document your strategies for incident containment so you can decide the appropriate strategy for the incident (e.g., shut down a system, disconnect it from the network, disable certain functions).
Once an incident is contained and all affected elements of the IT infrastructure have been identified the eradication and recovery process begins. For larger systems, this could take months to move from high-priority to lower priority systems. Systems may be able to be restored from backup or may need to be rebuilt from scratch. As eradication and recovery proceed, steps can also be taken to tighten security measures.
Information security is an ongoing, iterative process. A key part of any incident response should be to learn from it:
Apply what you learn to improve your cybersecurity defenses and response to the next incident.
Test your plan once per year. EIther working with an independent third-party or internally, create a scenario and walk your team through it. This not only allows team members to understand their roles, but will also help you identify gaps or weaknesses in your plan.
Research from IBM and the Ponemon Institute reveals that if you do have a plan, you are ahead of the crowd as 77% of organizations reported not having a formal cybersecurity incident response plan.
The cost of a data breach continues to rise (in 2018 the cost of a data breach was $3.86 million; in 2019 the total cost rose to $3.92 million).
Be different from the crowd. Develop and follow an incident response plan.