"A cyber-security incident is not just an IT problem.
It is a business productivity problem, a legal problem, a public relations problem, AND an IT problem.” There is overwhelming evidence today that organizations of all sizes are continuously faced with cyber-attacks. Developing a strong defensive security posture, training workers about the threats and how to respond, and planning how to act when something bad happens are essential to reducing your risk and associated losses from a cyber-attack.
In this article, which is the conclusion of a four-part series on Practical Cyber Security for Small Business, we’ll explore the language and practical application of Cybersecurity Incident Response Planning. Let’s start with defining key terms, explore why we need to properly prepare, then provide resources and guidance to get you started.
Incident, Unauthorized Access, Data Breach
A cybersecurity “Incident” can be anything from a policy violation such as a worker reporting that a co-worker left a sensitive document or password in plain view, to an alert indicating unusual sign-in activity on an email account, to an alert from an anti-virus program that something unusual occurred, to a report from a worker that they received a non-delivery report for an email that they never sent. An “Incident” doesn’t necessarily mean something bad happened. Incidents occur daily in most organizations, regardless if you are paying attention or not. Incidents require a trained individual to investigate the validity and severity of the incident, then determine what, if any, further action is needed. “Unauthorized Access” is a finding or determination that someone without authorization may have gained access to a physical location, an email account, or sensitive files (electronic or paper). In the physical realm for example, if a file cabinet containing payroll records is found unlocked, we may reach a conclusion that an unauthorized person had access to those files, but we have no verifiable evidence of who or when, or if they copied or stole any of the information. A “Data Breach” is a finding that “sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.” A data breach is determined when there is verifiable evidence that malicious activity has occurred. In cyberspace, verifiable evidence is often elusive. Because expert attackers are also experts at hiding their tracks, it often takes substantial effort to put enough pieces together to conclude that a breach has occurred.
Why Preparation is so Important
The major focus of cybersecurity professionals is to reduce the likelihood of a breach in the first place. However, we’ve learned over time that highly skilled and highly motivated cyber criminals often find ways to compromise our fragile data systems, despite our best efforts. That’s why it’s critical to develop a comprehensive Incident Response Plan (IRP) before an incident occurs. When something bad happens and emotions are running high, a Response Plan helps you and your team respond with discipline and effectiveness. The plan should define roles and identify the internal employees and vendor partners who will execute specific procedures to determine the scope of the threat, contain it, and begin to recover from it. Beyond the technology steps, your plan should include crisis management and communication procedures such as who is authorized to speak on behalf of the organization, what they will say, and when they will say it. Additionally, the Response Plan should contain procedures for notifying legal counsel and your insurance company, both of whom will have experts to help guide the post-breach process. Tapping into these experts during the planning process will certainly provide value during a crisis. Another advantage of proper preparation is that you’ll achieve clarity of who is doing what, and alignment between everyone involved. In a recent report, IBM Security estimates that on average, an organization will save 10% of the total cost of a breach if they have an Incident Response Plan in place.
Resources and Guidance
Planning and preparation can only occur before something bad happens. The start of a new year is the ideal time to get the ball rolling, and a great place to begin your journey is by visiting www.DefeatTheBreach.org. The site requires free registration, but in return you will receive educational resources, valuable policies, procedures and checklists, and access to experts who will help you prepare for a world where cybercrime is commonplace.
This concludes our four-part series on Practical Cyber Security for Small Business. If you are looking for more guidance on managing cybersecurity in your organization, please contact the author.