Enterprise incident response plans must improve

Year after year, the number of major cyberattacks and their ramifications continue to grow. Despite recent attempts in Washington to expand cybersecurity rules and undermine organized hackers, studies are starting to show that ransomware attacks, the biggest threat of all, keep increasing.

Ransomware’s involvement in data breaches rose by 13% over the past year — more than the increase in the previous five years combined. What’s more, only 19% of cyber risk executives report feeling highly confident in their organization’s ability to understand and respond to cyber threats.

To increase attack readiness, companies should take corporate incident response plans (IRPs) more seriously. IRPs create detailed directions for dealing with specific attack scenarios to mitigate damage and reduce breach recovery time and clean-up costs.

According to the latest global report examining businesses’ effectiveness in preparing for and responding to cyberattacks, surveyed organizations have slowly improved in their ability to plan for, detect and respond to cyberattacks over the past five years. Nonetheless, their ability to actually contain an attack has declined by 13% in the same period. They found that respondents were hindered by the use of too many security tools, as well as a lack of specific playbooks for common types of attacks.

While security response planning is slowly improving, the same report found that 74% of organizations surveyed still said that their plans are either ad-hoc or applied inconsistently — and in some cases, simply don’t exist.

Too often, far too many companies sidestep the reality that cyberattacks typically occur out of the blue and happen quickly. Most of all, they still think that an appropriate response is mostly just the responsibility of the cybersecurity team. In fact, far more people have a role to play, and they have to know what to do and what not to do in the wake of a cyberattack.

All the required players — the board of directors, company executives, managers and other team members — need to rectify any potential problems with their test response before a live cyberattack puts immense stress on the organization. The first time they implement their plan should never be in the middle of a cyberattack.

In fact, they should prepare for a possible attack in much the same way that a hospital emergency room prepares for an ambulance coming to the hospital in the aftermath of a car accident. This way, C-suite executives and top management know exactly what to do and how to do it.

Of course, improvement of IRPs is hardly all companies must do to mitigate cyber breaches. Other needed steps include the adoption of more automation, better cybersecurity training and more creative hiring of scarce cyber professionals.

Nonetheless, IRPs arguably belong at the top of the list of required cybersecurity improvements because so many sizable companies have already been breached and may well be again, making a strong incident response plan imperative.

A few statistics are telling. For example, more than 60% of the Fortune 1000 have suffered at least one public breach over the past decade. In addition, nearly two-thirds of security professionals polled said they believe their organizations will have at least one major cybersecurity breach over the next 12 months.

What specific measures should they adopt in creating a strong IRP, preferably applicable to both big and small companies? Here are some tips:

Preparation

For starters, assemble the players on the incident response plan team. After choosing them, make sure their contact information is stored and that they understand their particular role and how they fit into the team. A team member — one equipped with a line of communication to management — must be appointed to take overall responsibility for incident response and be empowered to act quickly.

Detection and analysis

The enterprise goal is to stop the breach as quickly as possible. The National Institute of Standards and Technology (NIST) provides a list of some of the more common cyberattack methods, which can be used as a starting point to determine how and where the attack originated.

Containment and recovery

When hit by a breach, ignore the instinct to securely delete every possible source in a bid to get rid of the culprit. This isn’t good because of the potential to destroy important evidence required to determine where the breach started and to devise a plan to prevent a repeat attack. Instead, focus on containing the breach so it doesn’t spread and further damage the company.

Eradication

After containment, find and eliminate the root cause of the data breach. All malware must be securely removed. Security patches need to be installed and passwords for users with breached accounts may also need to be reset. Updates also should be applied.

Post-incident priorities

Analyze how the security team can identify similar incidents in the future and stop them more quickly. Assess the cause of the incident and the severity and damage. Then begin the notification process. Privacy laws such as the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) require public notification of a breach.

Because cyberattacks are always evolving, a constant process of continual improvement is necessary. After everything is cleaned up, a post-event meeting with the IRP team is essential to learn what can be gleaned from the data breach. Lessons learned from real and simulated events help prevent future attacks.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.