No company is immune to cybersecurity incidents. Unfortunately, they're one of the most common and urgent information technology problems in companies today. While it’s the high-profile data breaches – like the latest to hit Facebook, exposing the personal information of 50 million users – that get the most attention, the reality is that we see small- to mid-size companies experience cybersecurity attacks and data breaches way too often. The global average cost of a data breach is $3.86 million and takes 69 days to contain. Companies that act quickly to contain the breach and conduct damage control suffer less.
No two cybersecurity incidents are the same. But they all inspire the same reaction: dread and panic. Whether one of your employees fell for a phishing scam or your data has been breached by an unknown external entity, you need to act fast.
In an ideal world, you already had an incident response plan in place before the cybersecurity incident occurred. An incident response plan establishes how your organization will respond to a data breach or cyberattack, defines your risk tolerance, identifies your most critical data and classifies the types of incidents that might occur. Then, it sets explicit instructions for how to respond, with a clear, detailed, step-by-step procedure.
Assuming you don’t already have an incident response plan in place, you need to quickly create an on-the-fly response plan following a cybersecurity incident. These are the steps to take:
Step 1: Assemble a Team
You’ll need a team to manage the situation. This includes someone to “quarterback,” with a high-level view of what’s going on, as well as people in the weeds doing the work to analyze the incident and clean it up. Whether your quarterback is your CIO or someone else, their job will be to gather information from the rest of the stakeholders and assign roles.
Depending on your industry and the type of incident, your team might also include stakeholders like your attorney(s), a PR team focused on crisis response, regulatory bodies, and law enforcement. Knowing who all these people and organizations are in advance will help you make the right calls immediately.
Clear communication is necessary for your team's success. Your quarterback should oversee frequent and timely updates with every other stakeholder. From the moment you identify the incident through the end of your cleanup and analysis, everyone needs to be informed at all times
Step 2: Shut the Door
Obviously, stopping the attack and staunching the flow of data into the wrong hands has to happen as quickly as possible. Most mid-sized firms turn to an outside technology partner that provides managed IT support to do this critical work. You may already have a relationship with a managed service provider (MSP) or a managed security service provider (MSSP) that knows your business and your technology, or you might be faced with finding an MSSP or cybersecurity consultant quickly. Either way, you need to identify managed services roles and responsibilities and shut the door on data loss right away.
Step 3: Analyze the Incident
Make sure you’re thorough in assessing the root cause of the cybersecurity breach and all the consequences as they ripple throughout and beyond your company. What systems have been affected? Where is the bleeding the worst?
Step 4: Conduct Triage
Once you know the extent of the damage, you can conduct triage – putting your effort toward the most critical situations first. This is also the point at which you get systems back up and running in the most effective order.
For instance, if your company conducts critical sales and customer service over email, that might be a system you have to get back online quickly. Or, your ERP system or accounting system might be most important. Ultimately, you’ll want to divide and conquer as a team to ensure you have the right people focused on the right priorities.
Step 5: Clean Up
Once the crisis has passed, it’s time to clean up and get back to business as usual. But you shouldn’t relax just yet. This is the time to think about what you could do differently in the future to prevent this crisis from happening again. Take the time to:
- Ask yourself what worked throughout the incident response process and what didn’t.
- Update your incident response plan based on what your team learned as a result of this incident.
- Make changes to policy – for instance, implement a company policy that no invoices can be paid unless approval outside of email is received, so that the identity of the approver can be confirmed.
- Update the security of your network infrastructure – for example, adjust your firewall to strip off often unused attachments from emails that typically are used to transport ransomware or other malware.
- Increase your end-user training and testing around cybersecurity and phishing.
- Conduct security-penetration testing on a frequent basis (about annually).
And if you haven’t already, put in place a formal incident response plan.
When to Look for Outside Help
Earlier in this post, we mentioned that most mid-sized firms turn to an outside managed IT services partner (MSP) or a managed security services provider (MSSP) following a cybersecurity incident. Here are the main ways the right technology partners can help you respond more effectively every step of the way.
- They have the most up-to-date tools and best-known processes for handling cybersecurity incidents, as well as experience dealing with similar issues.
- They provide the expertise and extra manpower to get you back to business-as-usual as quickly as possible, and their experts typically have multiple competencies that can be harder to find in smaller IT teams.
- They can implement and manage their environment to maintain the security posture to minimize a future incident.
No matter how well you handle this incident, there’s an important thing to keep in mind: cybersecurity threats and solutions will continue to quickly evolve, so any plan you put in place is not a final solution. You’ll need ongoing proactive support to stay actively on top of managing your organization’s cybersecurity.
Whether you’ve recently experienced a cybersecurity incident or are interested in proactively putting a cybersecurity incident response plan in place, contact us today to discuss how to best protect your company.