Alex Bransome, vCISO at Doherty Associates, helps small businesses understand how to create a cybersecurity incident response plan, and explains best practice.
Cyber threats continue to harm UK business on a daily basis, and SMEs in particular, with small firms subject to almost 10,000 cyber-attacks daily, costing £2.5 billion. An attack on a business can cause major harm, both financially and reputationally. We only need to look at the fallout from the Travelex ransomware attack.
In the wake of the Travelex attack, Alex Bransome, Chief Information Security Officer at Doherty Associates, discusses why having an incident response plan is arguably one of the most important processes for any organisation to have in place.
An incident response plan is a documented set of instructions to help IT professionals detect, respond to, and recover from a cybersecurity incident such as a cyber-attack or data breach. When disaster strikes, working it all out on the fly in the middle of a service-impacting event is not a good place to be. A clear response procedure must be defined, regularly reviewed and, most importantly, practised.
A joined-up approach
Incident response procedures work best when they are designed with support from multiple areas of the business. A joined-up approach is key to responding to incidents effectively, and responsibilities do not all rest with the IT and security teams.
Depending on the nature of the incident, public relations, human resources and the legal department all have a significant part to play. This is especially true when it comes to breach reporting, as failures here can take an incident from bad to worse. It is therefore critical that organisations understand their specific legal, regulatory and compliance obligations and build them into the plan, so they are met both during and after an incident.
Splitting incident response into multiple phases is an effective way to bring end-to-end structure to a chaotic incident. Common steps include detection, investigation, containment, recovery and post-incident tasks, often based on NIST’s Computer Security Incident Handling Guide (SP 800-61). This is a great resource that organisations can leverage when developing their own processes.
Detect and contain
Detection and containment are two of the most decisive phases of any incident. Detecting an incident early in its lifecycle should significantly reduce the impact on the organisation. There is a substantial rise in organisations outsourcing security functions to dedicated expert security teams who monitor their environment 24/7, 365 days a year. Technology obviously plays a significant part in detecting and alerting us to threats; however, ensuring that all staff know what constitutes an incident and how to report it is just as important.
During an incident, every minute counts because every minute costs! We have seen many recent examples of the speed at which malware can spread. CrowdStrike’s annual threat report this year revealed the breakout time of nation-states and advanced eCrime groups. This is the time from the first compromised machine in a network to the point at which the adversary is able to move laterally to other machines. Incredibly, these times ranged from the slowest at nine hours to the fastest at 18 minutes. For these reasons, organisations must have the right tools in place to stop an incident from spreading. Endpoint Detection and Response (EDR) solutions provide that capability, enabling responders to quickly isolate compromised endpoints from the network and regain control.
Prepare and practise cybersecurity drills
Well-documented procedures and the right technology are only effective if the people performing the response are competent to do so. Incident response must be practised periodically. These exercises build everyone’s confidence in dealing with an incident, in the same way that fire drills do. They also highlight any gaps in the process so they can be fixed before a real event.
Regularly practising responses helps the team become more adept, agile and confident about what to do if and when an incident occurs. It also keeps the team in regular communication with the external MSP or IT provider, with an established protocol for the steps that need to be taken.
These do not have to be large-scale, time-consuming, disruptive tests either. Simple tabletop exercises can be just as effective in getting everyone on board. For organisations new to incident response readiness testing, I would recommend ‘Exercise in a Box’ from the National Cyber Security Centre (NCSC), which walks organisations through a cyber incident scenario. It is a live tool that will keep evolving based on user feedback, to ensure it stays current, relevant and engaging.
No business wants to go through a cyber-attack, but it is very likely to happen, as attackers become ever more sophisticated in their targeting of SMEs. Having a robust and regularly practised incident response plan in place will help your business be prepared, with effective incident management and technical response capability, for when the threats come knocking.