How an incident response plan makes all the difference during a cybersecurity event
Over the past few years, we've seen a considerable increase in cybersecurity events, particularly those involving ransomware. Cybersecurity incidents are not just about what technically happened or what technology or tools were involved. It's about how a business is impacted and the very real, very emotional toll that it can take. Whether it's reputational damage with clients, plunging morale with your team, or financial hardships due to the cost of a breach, there's more to a security event than meets the eye.
As cybersecurity professionals, our goal is to keep cybersecurity incidents from happening in the first place. Unfortunately, that's not always how things happen, and we are often called to assist after something has happened. So, one of the best things you can do for your organization to prevent widespread damage is to create an incident response plan based on common occurrences during an event. A reliable incident response plan helps you be prepared to take action quickly and recover faster.
A look inside a cybersecurity event
Despite the pandemic, Business XYZ had a wonderful year. They acquired new business, hit their sales targets, made good profits, and were on track to meet their growth and expansion goals. Everything seemed to be moving in the right direction.
One Saturday morning, several support tickets came into the help desk. Multiple users were suddenly unable to access documents. The general concern was minimal. The internal IT department dismissed the reports as typical user errors, assuming customers were having normal problems accessing the network. As the day went on, more and more reports came in, and the issue was escalated to IT/management. That's when IT logged into the server and found a ransom note demanding bitcoin.
"Not only has all of your data been encrypted, but it's also been exfiltrated. Your data, including SSN, CC, and other sensitive PII will be leaked if you don't pay within 7 days".
What happens now?
Although a hypothetical scenario, the reality of it is all too real. As a business owner or an executive team, you're rushed with thoughts and emotions. Your network is down. Your employees can't work. And you also start to wonder: Will your employees lose trust in the leadership of your business? Will your customers be impacted? Will they take their business elsewhere? Will you be sued?
As fear and stress set in, your organization has immediate decisions to make before the clock runs out and the encrypted data is lost or leaked to the public. These decisions could have severe and lasting impacts, and you're forced to make them in a rush. Do you immediately notify your employees? If not now, when? Should you notify your banks? If not, when? Do you immediately notify clients that may have been impacted?
If you have the slightest hesitation or need to about it, you aren't prepared enough.
If you don't have an incident response plan…
Most organizations don't have a solid incident response plan that gets tested regularly. Because of this, organizations often make poor decisions due to pressure and time constraints.
Here are a few examples of companies acting with the best intentions but suffered disastrous results:
- Contacting customers before even confirming if the business was truly compromised and if the data had been successfully exfiltrated.
- Immediately trying to restore impacted systems, wiping away important evidence in the process.
- Reaching out directly to the threat actors during a ransomware event. This starts the payment/leak countdown timer, compounding the pressure and forcing them to act even more quickly.
- Choosing not to act, investigate, and/or report the incident at all. This may lead to serious legal and compliance-related fines.
In many ways, a company improperly responding to a cybersecurity incident could lead to more devastating impacts than the incident itself.
Have a tested incident response plan in place
Any security incident can cause extreme stress and anxiety levels, but a well-defined incident response plan can make all the difference. Planning is only part of the necessary preparations; you'll also need to test your incident response plan. Anyone responsible for taking action during a cybersecurity event, whether engaging a cybersecurity partner, working with internal IT, or handling cybersecurity insurance, each person should know what they need to do and how to do it. Whether you choose to do situational role-playing, review the process as a team, or distribute it for discussion, everyone needs to be aware of the process and run through it beforehand.
A great real-life example of this in action is first responders. They spend so much time practicing, preparing, and doing drills that when a true emergency happens, they're ready. Their ability to act during a crisis can be a matter of life and death. Although they may face anxiety, their training becomes muscle memory, and they can perform their job successfully.
Don't forget to include legal in all aspects of your incident response (IR) plan. This includes:
- Building and testing the IR plan
- When an incident occurs (and knowing what type of incidents to involve legal)
- Post-incident activities, including reporting and notification requirements
Legal's job is to protect the business, its employees, and its customers, and they will want to make sure that any incident response plan supports that.
As with anything cybersecurity-related, this isn't something you can do once and never look at again. Incident response plans should be updated and tested regularly to ensure they still make sense for the business operations and the business in general. Employees and leadership should be briefed and given the appropriate access to the process before any incident.
The ideal time to learn how to respond isn't during a cybersecurity incident—it's before one happens.
A security incident can test any business and its leadership team, but you don’t have to bend under the pressure of threat actors. Instead, follow these guidelines:
- Prepare and implement proven processes and frameworks, so they're ready when you need them
- Test your processes and plans thoroughly to ensure your team knows what to do if there's an incident
- Rely on the guidance of your cybersecurity partners, IT vendors, legal counsel, and cybersecurity insurance providers to help you through a cybersecurity incident
Being prepared through having an incident response plan in place can keep you from making costly, rushed decisions that have far-reaching impacts on your business.