Cybercriminals can strike at any time. Data won’t be lost conveniently just after a backup has been performed, or when systems are temporarily down for maintenance. And it’s often impossible to spot a potential internal threat before they turn rogue.
There will always be some elements of IT security that are out of your control. What you can control, however, is the way you react to an incident.
Oftentimes, when a cyber incident first emerges, you hear people use the words “alarmed” or even “panicked,” but it’s important to remember those words aren’t synonymous. While panic refers to an overwhelming sense of fear, an alarm is a call to arms. And that call is best answered by having an incident response (IR) plan already in place.
Rizwan Jan, CIO of the Henry M. Jackson Foundation for the Advancement of Military Medicine, says creating IR plans is becoming increasingly urgent, partly because of regulations that sometimes result in fines — on top of whatever other damage a firm suffers from a cybersecurity threat.
Besides having a plan to consult, here are four things you can do immediately when you learn that data or networks have been compromised.
1. Define the Incident
Whether an employee inadvertently opens a malicious email attachment or the CEO’s smartphone gets stolen, the first step is to keep calm while analyzing the full scope of potential risk.
Some incidents can be quickly contained and remediated, while others will require additional information and steps to limit the impact on corporate systems, customer data and other areas of liability.
You can speed up this step by having a clear picture of what your organization’s “crown jewels” are, data-wise, says Jan. You may respond differently depending on whether an incident was due to malicious hacking or an employee error, but in the end, it all comes down to what information winds up in the wrong hands.
Establishing mobile device usage and conduct policies in advance will also make it easier to define incidents, Jan adds.
“What kind of mobile devices are you going to let into your ecosystem? Are you going to prohibit jailbroken devices or allow certain high-risk applications?” he asks. “If you don’t know what data you’re protecting, you might as well not even have an incident response plan.”
2. Armed With Data
Once you’ve defined the incident, it’s time to arm the team with data: the who, what, when, where and why.
In other words, what was the “dwell time” between initial cyberattack and detection? What parts of the network or endpoints have been affected so far, and where might it spread? Who’s most at risk from the initial incident — employees or customers?
On top of those five W’s, Jan adds an H: How. More specifically, how will you conduct the necessary data gathering and analysis without unnecessarily interrupting business operations?
“It’s about training your staff to be patient,” he explains. “You’ve got to keep in mind that most incidents are happening in a production environment, so things are moving rather quickly.”
Don’t look just at the data but at the systems you’re using to collect it, Jan advises. For instance, are all your monitoring tools receiving the expected kinds of data? If you’re not getting the coverage you need, it will be tougher to follow through on your IR plan.
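As an added illustration, not code from the article or from Jan's organization, the Python below works the two questions just raised: it computes dwell time from an incident timeline and flags expected log sources that have stopped delivering data, the coverage check that would otherwise undermine the IR plan. The timeline, source inventory and thresholds are constructed sample values, not real data.

```python
from datetime import datetime, timedelta

# Constructed sample incident timeline (UTC, ISO-8601); not real events.
TIMELINE = [
    ("2019-03-02T08:15:00", "initial_compromise", "malicious attachment opened on WS-17"),
    ("2019-03-02T09:40:00", "lateral_movement", "unexpected admin logon on FS-01"),
    ("2019-03-20T14:05:00", "detection", "EDR alert raised on FS-01"),
]

# Constructed inventory of log sources the SOC expects to receive, with the
# timestamp of the last record each one actually delivered.
LOG_SOURCES = {
    "endpoint-edr": "2019-03-20T14:00:00",
    "firewall-syslog": "2019-03-20T13:58:00",
    "email-gateway": "2019-03-17T02:11:00",   # silent for days: a coverage gap
    "vpn-auth": "2019-03-20T13:45:00",
}


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def dwell_time(timeline) -> timedelta:
    """Elapsed time between the first compromise event and detection."""
    compromise = min((parse(ts) for ts, kind, _ in timeline if kind != "detection"), default=None)
    detection = next((parse(ts) for ts, kind, _ in timeline if kind == "detection"), None)
    if compromise is None or detection is None:
        raise ValueError("timeline needs at least one compromise event and a detection event")
    return detection - compromise


def silent_sources(sources, now: str, max_gap: timedelta = timedelta(hours=1)) -> list:
    """Expected log sources whose last delivery is older than max_gap before `now`."""
    cutoff = parse(now)
    return sorted(name for name, last in sources.items() if cutoff - parse(last) > max_gap)


def coverage_report(timeline, sources, now: str) -> dict:
    """Summary an IR manager can hand to the team: dwell time plus monitoring gaps."""
    dt = dwell_time(timeline)
    return {
        "dwell_days": dt.days,
        "dwell_hours": round(dt.total_seconds() / 3600, 1),
        "affected_hosts": sorted({note.rsplit(" ", 1)[-1] for _, _, note in timeline}),
        "silent_sources": silent_sources(sources, now),
    }


if __name__ == "__main__":
    print(coverage_report(TIMELINE, LOG_SOURCES, "2019-03-20T14:05:00"))
```

A source listed as silent during the dwell window means its absence of alerts is not evidence that nothing happened there.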
3. Assign Roles — and Fast
Addressing a cybersecurity incident will inevitably involve more than the IT department. You may need to assemble a team that includes line-of-business managers, human resources, in-house counsel, your corporate communications team and even senior leadership.
The point person in all of this will be the incident response manager. If you’re not sure how to find someone with the right skills, consult the Infosec Institute’s 2019 list of the top 30 questions responders need to answer. Jan also suggests looking outside of IT, to someone with a project management background.
“A lot of times, (the IR manager) is not just talking to the technical folks on the ground trying to remediate [an incident],” he said. “They have to pivot the other way and be almost bilingual, in the sense they have to translate that technical jargon to the business leadership.”
4. Begin Remediation
Security issues can be large or small, so your IR plan should have a few potential scenarios and courses of action thought through, based on previous incidents or on what you’ve identified as areas of vulnerability and risk.
Even then, however, you may not always be sure what to do next. Jan suggests learning your industry.
“Become part of the cyber-threat information sharing and analysis community, where members are analyzing the indicators of compromise that are out there,” he says. “That can help you fine-tune your devices and the instruments in your ecosystem so you’re not getting false positives. Also, lean on your vendors. They can help you put best practices in place based on how other organizations are doing it.”