Creating A Cyber Incident Response Policy

For any type of Cyber security disaster, does your company have an incident response plan for a data breach? 
 
Incident response is an organised approach to addressing and managing the aftermath of a security breach or cyberattack. One of the best ways to gain some peace of mind when it comes to data breaches is to create and regularly test an incident response plan (IRP). Creating an IRP does not have to be a lengthy, intimidating process. 
 
In fact, according to the National Institute of Standards and Technology (NIST), an IRP simply provides the instructions and procedures an organisation can use to identify and respond to the effects of cyberattack. If your organisation is proactive, and in compliance with the growing number of data privacy laws, you should have a policy in place for that worst-case scenario of your files being compromised by a bad actor.
 
Do you also have plans in place if your business suffers another type of cyber incident?
 
What would you do if your e-commerce website was hit with a distributed denial-of-service (DDoS).  This type of attack can take you offline for hours. And if an employee clicked on a phishing email that spread malware throughout the system is disruptive and can be disastrous. Do you have someone monitoring your social media sites, which represent the identity of your company?
 
In her talk to an MPower 2019 audience, Allison Cerra, senior vice president and chief marketing officer of McAfee, said her worst day came one Easter Sunday when she was alerted that one of the company’s social media sites was defaced. The logo was turned into an obscene graphic. The description and other posts were replaced with vile commentary. The company faced a serious cybersecurity crisis without their network or corporate data ever being impacted. Cerra said that, the company wasn’t ready for it.
 
Even though the company took positive steps to address the cyber incident, they kept leadership involved, they had an employee deleting unnecessary administrative access, they realised there were definite mistakes made along the way and during the cleanup phase. The biggest mistake, Cerra said, was that there was no real process in place to handle the attack.
Cybersecurity Conversation
 
Putting an incident response plan in place begins with a conversation.
 
“We can’t have a conversation about security if we don’t start one,” Cerra told the audience. Everyone in the company should be included in that conversation, she added, because cybersecurity is a team sport. Everyone within the organisation has a role, and everyone needs to know what their role is. Its the same thing with different departments within the organisation. Each department has its unique security needs, and its unique duty when it comes to addressing a cyber incident and managing the response.
 
Nor is the conversation a one-and-done speech by the CEO or chief information security officer (CISO). As Cerra noted, “Successful companies communicate early and often.” They hold regular drills to be prepared for the response, because there will be a need to have a response. These conversations need to be holistic.
 
Cyber incidents are more than data breaches and stolen data. They are more than someone infiltrating your network. In McAfee’s case, it was a third-party site, where someone else had controls over security. That complicated McAfee’s ability to respond, too, which is why an incident response plan should include regular audits of 3rd parties. How do they handle cybersecurity incidents on their end? What steps do they require from their partners to mitigate an incident? Who do you talk to if there is an incident involving your reputation and data on their end?
 
Employee’s Responsibility
Response teams are often made up of a select few representatives, usually management and C-level, from different departments. The rest of the organisation is often kept in the dark about cybersecurity response and overall cyber hygiene. That’s because the cybersecurity team is often invisible to the rest of the workforce, until, of course, something bad happens.
Any employee who uses a computer to access the network, whether on premises or remotely, whether on a company-owned device or a personal one, must step up to the plate when it comes to cyber security. 
 
They need to be included in the cybersecurity conversation on a regular basis, but they should also own their own cybersecurity role within the organisation. “Employees are equally responsible in ensuring those patches to laptops, mobile devices and other personal technologies remain current,” Cerra said.
 
It should go beyond patching, too. There are a lot of little things that employees should know and practice. Recognising phishing emails and not opening suspicious links and attachments is something that all employees have (or should have) stressed to them over and over, but what else are your security and response teams doing to make employees part of the cybersecurity solution?
 
One such solution is ensuring employees know how to respond if there is a cyber incident. For instance, the default for many of us when we hear of a data breach is to automatically change passwords.  But when should passwords be changed? In many cases, changing a site’s administrative password should be step one because as soon as an attacker realise they have been discovered, they can also change the password, locking the actual security team out completely.  In other cases, the password should be changed after the incident is mitigated, changing passwords before a vulnerability is patched gives hackers the chance to go in and steal the new ones. In other instances, HR and IT should know to immediately rescind permissions and access when employees leave or shift job responsibilities.
 
Types of security incidents
There are various types of security incidents and ways to classify them. What may be considered an incident for one organization might not be as critical for another.
 
The following are a few examples of common incidents that can have a negative impact on businesses:
 
A distributed denial of service (DDoS) attack against critical cloud services.
• A malware or ransomware infection that has encrypted critical business files across the corporate network.
• A successful phishing attempt that has led to the exposure of personally-identifiable information (PII) of customers.
• An unencrypted laptop known to have sensitive customer records that has gone missing.
 
Security incidents that would typically warrant the execution of formal incident response procedures are considered both urgent and important. That is, they are urgent in nature and must be dealt with immediately and they impact important systems, information or areas of the business.
 
The bottom line is that when a cyber incident hits a company, everyone is impacted in some way, from the CEO and board of directors to the receptionist at the front desk. Your organisation needs a current cyberattack and response plan.
 
If you need help with this process, please Contact Cyber Security Intelligence for advice. 
 
SANS / Kroll:              TechTarget:             Security Intelligence:       
:
You Might Also Read:
 
Top 5 Rules For Laying Out An Employee Cybersecurity Policy:
 

 

 

« Beware Phishing Emails
Darktrace Wins Lloyds Award »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clearpath Solutions Group

Clearpath Solutions Group

Clearpath Solutions Group expertise covers virtualization and data storage technologies, networking, security and cloud computing.

CORDIS

CORDIS

CORDIS is the European Commission's primary public repository and portal to disseminate information on all EU-funded research projects and their results.

BMC Software

BMC Software

BMC provide solutions for IT service management, Cloud management, IT workload automation, IT operations, and mainframe system management.

BruCERT

BruCERT

BruCERT is the referral agency for dealing with computer-related and internet-related security incidents in Brunei Darussalam.

ERNW

ERNW

ERNW is an independent IT Security service provider with a focus on consulting and testing in all areas of IT security.

Dark Cubed

Dark Cubed

Dark Cubed is an easy-to-use cyber security software as a service (SaaS) platform that deploys instantly and delivers enterprise-grade threat identification and protection at a fraction of the cost.

SIS Certifications (SIS CERT)

SIS Certifications (SIS CERT)

SIS Certifications is an ISO certification body serving more than 10,000 clients in over 15 countries worldwide.

Blockchain Solutions

Blockchain Solutions

Blockchain Solutions Limited is a technological One Stop Solution provider, for Blockchain technology.

CoverWallet

CoverWallet

CoverWallet combines deep analytics, thoughtful design and state of the art technology to help small businesses with all their insurance needs including Cyber Liability.

HB-Technologies

HB-Technologies

HB-Technologies is pioneer in Africa, in digital security, embedded electronic and IT solutions based on highly secure smart cards that comply with international standards and norms.

OSIbeyond

OSIbeyond

OSIbeyond provides comprehensive Managed IT Services to organizations in the Washington D.C., MD, and VA area including IT Help Desk Support, Cloud Solutions, Cybersecurity, and Technology Strategy.

Conseal Security

Conseal Security

Mobile app security testing done well. Conseal Security are specialists in mobile app penetration testing. Our expert-led security analysis quickly finds security vulnerabilities in your apps.

Cufflink

Cufflink

Cufflink makes your business more secure, compliant and trusted. We limit the likelihood and impact of a data breach by controlling exactly what can and can't be done with personal data.

FoxPointe Solutions

FoxPointe Solutions

FoxPointe Solutions is a full-service cyber risk management and compliance firm.

Simbian

Simbian

Simbian, with its hardened TrustedLLM system, is the first to accelerate security by empowering every member of a security team from the C-Suite to frontline practitioners.

BlazeGuard

BlazeGuard

At BlazeGuard, we understand that navigating the complex world of cybersecurity can be challenging. That’s why we make it our mission to simplify the process for you.