By Jason Compton
As more business becomes digital and data governs more of our lives, cybersecurity incidents are climbing in frequency, intensity and innovation. It’s a struggle to safeguard sensitive information and protect the trust of customers and partners. No organization can insulate against every risk, but being ready to respond quickly to a potential threat or active breach can make a huge difference in the scope of damage and long-term aftermath.
Glen Combs, a partner in the cybersecurity services group at the accounting, consulting and technology firm Crowe, says that growing organizations can easily lose track of the risks of the applications and systems that run a business. “Our data environment today can be chaotic. So many technologies and applications are tied into so many data sources that it can be hard to capture the full potential of a cybersecurity threat,” he says.
Unfortunately, it’s still common for companies to learn just how under-prepared they are the hard way — in the teeth of an active cybersecurity breach or significant incident, with little idea how to respond. “Especially in the small-to-mid-sized business market, we regularly find preparation not in place, and that applies to technology, processes, business agreements and people,” Combs says.
Being ready now can go a long way when ransomware strikes or an employee flags a suspicious transaction. Take these steps to prepare.
1. Know Your Risks And Options
Your preparedness plan should go beyond a technology map that might be decipherable only to IT professionals. Have plain-language answers ready for these key questions:
- Do you have backups? Are they of high enough quality that you would actually run your business on them, if need be?
- Do you know which cords to cut, literally or figuratively, if you need to protect compromised systems or data?
- Do you know how to reach key technology partners and vendors, including cloud providers?
- Do you have agreements in place with a qualified cybersecurity firm and a law firm experienced in breach response?
And answer for yourself, in plain language, how valuable each element of your business would be to an attacker. That discussion will help you prioritize security and response strategies. The answer might be different, not just for different departments and networks but also for related companies in a larger group.
There are often warning signs of impending threats and a trail of malicious activity. Unfortunately, most small and mid-sized organizations lack key foundational elements of a security program, so those warning signs and evidentiary artifacts usually go unidentified, or are never captured at all. If you’re struggling to wrap your head around these issues, managed detection and response services can make it much easier to identify your vulnerabilities and protect against future incidents.
2. Change Your Response After The First Minute, The First Hour And The First Day
Cybersecurity incident response is not a straight line. As with any disaster response, both the needs and the response will evolve as the acute crisis fades and the longer-term impact becomes clear. If your building were on fire, you would respond differently in the first minute (evacuation) than you would in the first week (planning to rebuild).
A good incident response strategy should include containment, recovery and prevention. But the first hour won’t be a fruitful time to educate users or implement new security strategies. Any “prevention” that early will be a quick fix, like taking wide swaths of the company offline.
3. Talk To Your Legal Team, Early And Often
As cybercrime has become more sophisticated, so has law enforcement and liability related to cybersecurity incidents. That makes your legal advisors essential to cybersecurity threat response. “They will want you to have forensic resources in place. They will want to be able to help you prove beyond a reasonable doubt what you did or did not lose. And they understand the laws you will have to deal with,” Combs says.
He adds that a surprising number of companies seeking help to deal with an active cybersecurity incident are unsure whether they have cybersecurity insurance, what coverage it offers and whether that coverage mandates that certain steps be taken after an attack. “Just sorting out the legal and insurance issues can take 48 hours if you’re unprepared,” he says.
That’s time during which your response and recovery team might be stalled in its tracks, particularly if legal or insurance partners insist on a particular chain of custody or on a particular cybersecurity practitioner being engaged.
4. Remember (And Apply) Lessons From Tabletop Exercises
Simulating a cybersecurity incident to test your response capability and workflow is a time-honored and effective way to prepare for the real thing. If, that is, you actually recall the takeaways and make the adjustments exposed by the exercise. If your response team has any significant turnover between scheduled exercises, consider holding a catch-up session. If your response time is taking so long that it’s disruptive to your standard operations, look for shorter frameworks of 15 minutes or less. If you’ve never done any tabletop role play of cybersecurity incident response, now is a great time to start.
It’s especially vital to quickly respond to any gaps in end user training exposed by a tabletop exercise or real-world breach. “End users are still the weakest link in the cybersecurity world,” Combs says. “Investing in your people will produce tremendous returns.”
Jason Compton is a writer and reporter with extensive experience in enterprise tech. He is the former executive editor of CRM Magazine.