We have come to a time when vendors and industry professionals will tell you that it is almost guaranteed that you will have a security incident. So much so that the message is not if you will be attacked but when. This kind of messaging probably feels like a scare tactic, but the sad truth is that it is a reality. Data breaches are on the rise, and with the increase of ransomware and cryptomining affecting businesses, the outlook isn’t promising.
So why not be prepared?
Building a Response Plan
An incident response plan is the foundation to work from when the inevitable happens. It should be focused around the business and not just IT and security. Working with the stakeholders in your business should help you understand which data and systems are critical and which ones are not. For example, if your company is hit with Cryptolocker malware and it affects multiple departments, cleaning up and restoring files for your order entry system will most likely be a priority compared to an internal documentation share. Having this clearly stated will put everyone on the same page and let the team respond accurately and focus on one issue at a time without having to address outside pressures.
When you are building your response plan, it is also a chance for you to evaluate your internal capabilities. Most organizations will have people who have the experience and skills to handle a lot of the different situations that can arise, but do they know when they need to reach out to law enforcement, or whom they can call to assist when something happens that is outside of their ability to handle? This activity will help you build a list of contacts at vendors or partners that your organization can use when it needs to go outside for help.
The Importance of Communication
Communication is key when issues arise during an incident response. You should define a communication plan that is appropriate for the situation. Identify the parties responsible for helping to resolve the issue, but also include others who need to be notified and kept current on what is happening.
Also think about when you need to communicate outside of your organization: work with your legal team to determine when the authorities need to be notified, and identify the proper communication channels to follow for that notification. Do you know whom to contact if you find your FTP server has been hacked and is being used to host and share illegal content?
Make Your Response Flexible
Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” Does that mean you shouldn’t plan? Of course not — the incident response plan should have enough detail built in to cover the most frequent types of incidents, yet be flexible enough to establish appropriate responses to other types. Creating categories and establishing high-level activities for the most dynamic and evolving threats is one way to prevent your plan from going off the rails when some new problem arises.
A common planning mistake is that the plan gets put together and tested once, or not at all. It is crucial that the plan be kept current and regularly tested. Attacks, systems and personnel are always changing, and by running through tabletop exercises, red team/blue team activities and other scenarios, your response plan should be constantly evolving and improving to stay current.
Incident response remains a challenge for many organizations. Hopefully, putting together a plan and working to keep it current will help your organization respond faster and more efficiently when issues arise. There are a lot of resources out there to guide the development of an incident response plan. CDW can connect you with resources if you need help with incident response planning, or act as a partner to assist if you are experiencing an incident — start by reaching out to your account manager.