March 19, 2020   •   2 minute read

The Key Components Of Cyber Incident Response

No company is immune to cyber threats.

After all, you always hear about the massive data breaches: A 2019 cyberattack affected 106 million customers of Capital One. In 2017, cybercriminals stole from Equifax the personal information of more than 140 million Americans—including social security numbers, addresses, and more.

But the largest portion of attacks, some 43% according to Verizon, target small businesses.

An effective cybersecurity program must go beyond simple antivirus programs and firewalls, especially as new threats emerge in 2020.  

Most organizations, smaller ones in particular, grossly underestimate the costs and impact of a successful cyberattack on their daily business operations. Some breaches cause permanent damage or shutter businesses for good. 

That’s why every organization needs to have a cyber incident response plan in place that starts with preparation and continues through response and recovery, with the ultimate goal of returning to day-to-day operations as quickly as possible when a breach occurs.

 

Preparation

Hypothetically, if you were hacked, what would you do? 

The point of preparation is to devise a detailed response, so you’re ready when an attack comes.

Preparing for a cyber breach takes a commitment to security from all levels of your organization. Overarching security practices and procedures should be outlined in a Written Information Security Program (WISP), a document that covers everything from password policies to social media use. 

An incident response plan is one aspect of a WISP, and it should be as detailed as possible:

  • Who takes the lead on response? In other words, who is your organization’s cybersecurity leader? 
  • Who needs to be notified about the breach, and how will you reach them? 
  • What’s your PR strategy? 
  • What are the next steps? 

Preparation continues with education and training. Just as you stage fire drills, simulating a cyber breach will prepare you for when one inevitably occurs. Because in cybersecurity, small fires become big, expensive fires rather quickly. 

A good Managed Security Services Provider (MSSP) is a useful ally here, not only in providing education, training, and support, but also the 24/7/365 visibility needed to detect breaches before data is stolen or systems are encrypted. 

 

Identification, Containment & Analysis

There are no more hypotheticals or simulations. You’ve been breached. 

Appropriate planning will make a huge difference in your response: Partnering with the right MSSP provides quick detection, while the right infrastructure, physical or otherwise, enables you to isolate the threat, preventing a company-wide shutdown. 

Assuming those elements are in place, the first phase of incident response is understanding the scope of the breach and launching your response plan.  

During this phase, your cybersecurity team should be identifying the following: 

  • What systems are acting abnormally and potentially affected
  • How you’ll communicate with decision-makers to coordinate the response
  • Any security gaps that should be immediately addressed

The next step is containment, when your defense attempts to limit the damage of the breach. Having an organized approach to incident response and the support of an expert cybersecurity team will reduce the scope and length of a cyber breach. 

 

Eradication & Recovery

Once the attack is contained, your response team will eradicate the infection so that the organization’s day-to-day operations can resume. 

But that’s only part of your cyber incident response goal. It’s not enough to prevent monetary loss—which can mount if the breach shuts down a business for an extended period of time. You also need to identify and address the security failure that led to the breach, and implement countermeasures to ensure it won’t happen again. 

Recovery is the last step of the incident response process, but it’s not an end. Organizations need to be constantly vigilant, with 24/7/365 monitoring and visibility, to avoid future compromises.