Before Cyber Disaster Strikes: Developing a Cyber Response Plan
Businesses face a continuously evolving cyber threat—one that can strike at the most inopportune time. When a cyber incident does occur, a sound cyber response plan can be the difference between fending off a damaging attack with reputation intact or suffering a catastrophe to both financial and reputational bottom lines.
Despite this, many organizations fail to have a plan in place. In 2012, one consulting firm found that 73 percent of organizations surveyed claimed to have an incident response plan. A similar 2014 survey found that number dropped to just 56 percent. And of those with a plan in place, less than half had tested it within the past year. Pierre Audoin Consultants found similar results in the European Union, where nearly 40 percent of companies had no response plan.
Obviously, something is missing. Maybe it is simply an understanding of the importance of having a cyber response plan or the knowledge of where to start.
Fortunately, businesses do not have to start from scratch. For example, The National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide 800-61 v2 is a great starting point.
The graphic below outlines the NIST guidelines for an organized incident response.
Looking at other models, we see common elements and phases for an organization to have a credible cyber response. They are:
- Plan, Build, Resource
- Monitor, Detect, Analyze
- Respond, Mitigate, Eradicate or Contain
- Review and Learn
Plan, Build, Resource
Build concurrence. Build resources. Build your experts.
Conduct a thorough risk assessment. Warning: Being too optimistic could leave you vulnerable to attack, but being too cautious unnecessarily impacts the bottom line. Finding the right balance for managed risk is key.
The risk assessment sets the foundation for the rest of your decisions regarding your response plan and should include consideration of the source of possible cyber risk (criminal, insider threat of either nefarious or negligent character, supporting vendor failures, etc.), how it might impact the key functions of the company, how customer data might be impacted, how company brand reputation could be affected and legal ramifications, among other risks unique to your own company’s situation.
With risk assessment in hand, you now need to think through—and put on paper—the actions required, the responsible parties, intended outcomes and notification actions required to address each step of a measured response.
Thinking in terms of event flow is helpful, but be aware that many actions will need to take place simultaneously, or may occur in an order that departs from what you expect. Shared responsibility for executing the plan will enhance its chances for success and provide flexibility for when things don’t happen in the order you may have expected. Even if responsibility is shared, it must remain clear who has directive authority at any time within a response and that person (or position) needs to have good support from responders in the form of clear and consistent information flow for solid situational awareness.
We also recommend that organizations consider creation of Computer Security Incident Response Teams (CSIRT) that will focus on different aspects of the organization’s cyber response. Having this level of dedication can be expensive, but it will prove priceless when the time comes for a credible cyber response.
With a draft of the plan in hand, follow these 5 Rs: Release it, Resource it, Rehearse it, Refine it and Repeat it. Finally, publish it and ensure that the company knows about it and that the key players are ready to be part of an effective response.
Monitor, Detect, Analyze
To successfully respond to a cyber incident, an organization must be able to see an incident as soon as possible or even as it occurs. Detection, monitoring and analysis are crucial. Convincing leadership of return on investment in detection expertise and tools is tough, but can be achieved by highlighting the cost avoidance revealed by the risk assessment process. Having the right tools in place, configured correctly and monitored by a knowledgeable staff, is expensive, but in light of possible impact, is worth it.
Respond, Mitigate, Eradicate or Contain
This is where your investment in experts pays off. Your staff, having identified an incident and augmented as needed by personnel from cyber security third-party vendors, executes the plan. The threat is quarantined or neutralized, damage is assessed, mitigation actions put in place to restore operations, clean-up and validation of data accomplished and the system restored to a normal state. In the meantime, your response team executes parallel actions to appropriately communicate with leadership, personnel, vendors, customers, law enforcement, the press and shareholders. The value of a CSIRT becomes obvious as some personnel focus on the technical response and others focus on implications and communications.
Recovery is more than bringing things back to normal. This is also where your team ensures that all required reports are submitted. Having a plan helps the accuracy and timeliness of these reports. This is also where your team will validate that normal operations truly have been restored.
Review and Learn
In the immediate aftermath of an incident, you enhance your investment in cyber security by methodically seeking to understand what happened and what could be improved upon to prevent a future similar incident. Participating where possible in initiatives to share information about incidents and responses across organizational boundaries can provide valuable insights.
The cyber response cycle doesn’t stop. Once a given incident is put to bed, you should already be looking at how to improve the response plan. Redo the risk assessment; update and revise the plan; update, educate and train the CSIRTs and leaders. Your constancy in seeking to improve your resilience will pay off in readiness to face the next threat and in real value to your company’s bottom line.