If you do one thing this month… write an effective Cyber Incident Response Plan

Scrolling through the monthly cyber-news headlines, there’ll almost always be a story about the latest data breach or cyber-attack that’s hit the UK business landscape – this much is true.

Yet, while SMEs strive to be securely defended against troublesome cyber-threats, there are always some which slip – or almost infiltrate – the net.

In fact, it’s been reported that 70% of organisations don’t have a Cyber Incident Response Plan (CIRP) in place. However, to successfully safeguard your organisation against unwanted cyber-criminals, it’s as much about the physical measures you put in place as it is about the strategy you have for dealing with – and reflecting upon – any unwanted access attempts.

That’s why, this month, if you dedicate your time to anything IT-related, it should be drafting and utilising a CIRP that really works for your company.

What is it and why do I need one?

Before we go any further, let’s address the elephant in the room. What exactly is a cyber-incident and a CIRP, and what’s the benefit of the latter?

First and foremost, the word ‘incident’ is one which conveys negativity, and when coupled with the term ‘cyber incident,’ it’s enough to set off the panic button in any business owner’s mind. But, before you embark on that one-way trip to a major meltdown, it’s time to make a plan!

The National Cyber Security Centre describes a cyber incident as:

“A breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).”

So really, a CIRP is a document which outlines a consistent approach that businesses should take when faced with these ‘incidents’ – such as hacking attempts and malware infections. This systematic way of handling such an issue allows firms to identify it, analyse how it happened and take effective measures to avoid a repeat performance.

As a result, the CIRP is a very ‘moveable’ document, meaning the more you learn from these occurrences, the more robust and reliable your plan will become. In turn, this will make your business model stronger and your data increasingly protected from pesky online threats.

Step one – Preparation and prevention

Before you start contingency planning, you need to know what aspects of your IT infrastructure and assets require defending. You need to be aware of every area a cyber-criminal could be interested in compromising – and also the impact this would have on your organisation were it to be successful.

As well as knowing what data and assets you need to protect, this phase should pinpoint your potential data vulnerabilities and the possible threats surrounding them. These should be ranked and categorised by severity and overall urgency, so that you can clearly see how quickly each hazard needs to be handled and by whom.

This risk audit process should not be bypassed, as it provides you with the crucial foundation on which to build a successful security response structure.

It also goes without saying that your staff should be well briefed and educated in the areas they’re assigned to – electing a dedicated Incident Response Team can help to keep this clear-cut. Confirming that everyone knows their role and duties in the event of a suspected attack is paramount in helping to ensure no one’s immediate reaction is flight instead of fight.

Step two – Identification and analysis

If there’s an attempt to intercept your company’s data, you need to know about it. This element is all about knowing whether it’s a data breach or a security incident – and there are differences!

Once it’s been flagged as either of the above, evidence needs to be gathered and documented. Your elected Incident Response Team needs to categorise the incident – or breach – and begin looking at the ‘who, what, where, when, why and how’.

Step three – Containment

While it can be all too tempting to delete everything on your system, in the hope the incident will go away, this isn’t the best – and certainly not a remedial – approach. Its origin needs to be identified and controlled.

Again, this one is dependent on the type and scale of the threat at hand, so it could span numerous actions, such as network disablement, device disconnection, password revision or data back-ups.

Taking such actions helps to isolate the problem’s source and avoid the issue penetrating further into the network or system, and causing more damage.

Step four – Eradication and recovery

Once the threat’s under control, it’s time to look at getting rid of the problem, as well as backing up and recovering systems to a version prior to the incident.

The eradication process can be completed by in-house or outsourced IT teams, but either way, it’s crucial that all relevant malware is removed, and all security scans, updates and measures are implemented.

After all steps have been completed, the recovery phase is essentially getting your operations back to business as usual. It goes without saying it’s vital this step is carried out with caution and attention to detail because the last thing SMEs want is another breach or access attempt taking place.

Step five – Notification

Depending on the nature of the attack, it’s vital that relevant notification procedures are followed. This could be informing senior management, the CIO, PR teams, customers, or third-party security providers about what’s happened, so that measures can be put in place to rectify and address the situation.

In light of the new GDPR legislation, it’s important to know that if any personal data has been breached, where possible, you should inform regulators within 72 hours of becoming aware of it occurring.

Step six – Reflection and reformation

When the issue has been rectified and protection is up-to-date, now’s the time to review the whole thing – and remember, the sooner this is actioned, the fresher it will be in everyone’s minds.

Analysing and discussing learnings from the incident is pivotal for strengthening your CIRP and consequently your systems too. This gives staff members the opportunity to discuss what worked well in the plan and also raise any concerns around what didn’t.

Taking the time to evaluate allows you to identify any gaps in security – as well as employee training – and will help ensure that if another incident takes place, the response will be better than the previous one.

It’s also imperative that any findings are then communicated to the wider workforce, so that everyone is on the same – informed – page.

If you’d like some advice on how to safeguard your systems from cyber-incidents – or you’d like to find out more about CIRPs – please contact our friendly team!
