Responses to cyber incidents and breaches demand immediate action, yet many organizations do not know what concrete steps to take, or how to communicate them, once an attack has occurred. Planning ahead is essential to preventing response paralysis. Resources will need to mobilize quickly to protect data, stop the attack, and minimize damage. Additionally, depending on the amount and sensitivity of the compromised data, regulations may dictate how quickly you must notify affected parties.
For most companies and their customers, a breach of some kind is likely inevitable, given how much business activity has moved online. By forming a specific cybersecurity incident response plan, your organization can be prepared for that eventuality.
Developing the Plan
Organizations of all sizes and types are vulnerable to cyber intrusion. Increasingly, developing a plan is not a choice; some industries require you to demonstrate specific controls around electronic data. The 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley (GLB) Act, and the 2002 Homeland Security Act, which includes the Federal Information Security Management Act (FISMA), mandate that health care organizations, financial institutions, and federal agencies, respectively, protect their computer systems and information. Regardless of whether you report to a federal agency, it is important to develop, follow, and regularly practice a plan that lets you isolate a breach, confirm it has stopped, assess the cause and the damage, and then communicate with affected parties.
Document, Document, Document
Documentation of both the plan and your response to an incident is essential. Maintain a detailed document containing the procedures for isolating a breach of the systems under your control. Next, ensure the plan spells out what happens to the affected systems, including how information about the breach is passed to the parties that need it. You may also consider specifying which third parties need to be involved in the response. For example, some organizations have legal counsel evaluate what responsibilities and obligations the organization has to notify affected parties of a data breach. Others engage an information security forensics team to track down points of intrusion and the vulnerabilities that were exploited.
Consider conducting a cybersecurity exercise to test how the documented plan and response function in a simulated attack. Some organizations run these exercises quarterly or twice a year to ensure that representatives across the business—and possibly outside consultants—know how to respond in the event of an attack. These exercises can also be tailored to specific types of attacks, based on your organization’s experience with past information security breaches or its exposure to certain kinds of intrusion given its data or systems configuration.
Isolate the Breach
Remember that the key to incident response is being able to trust in a plan at a time when emotions and stress are running high. The cyber incident response plan should have clear protocols that enable you to isolate the breach as expediently as possible. Once you have confirmed the incident has been isolated, you can begin to measure the damage. This is where a third-party information security team generally assists in tracking compromised data and systems. It’s important to understand not only the “what” of the breach, but also “when” it occurred and the methodology the intruders used, because these details determine what must happen in the remediation phase of the plan.
The breach-isolation protocol should also ensure that systems return to operational capacity as soon as the breach is contained, even while the fallout from the breach is still being remedied.
Assess the Cause and Damage
Response time and communication are critical in the aftermath of an incident. Your organization will need a plan for communicating with customers and associates about the breach if their data was compromised. Communications will vary based on the type of attack and which data were compromised.
After assessing the situation, evaluate the type of incident you are facing and revise your plan to account for the deficiencies it exposed. Note the primary vulnerabilities and risks that contributed to the incident; stronger control activities may need to be implemented to protect information security going forward.
Keep a careful record of the steps taken to remediate the cause of the breach as you work through the plan. Detailed documentation of your assessment not only helps in resolving the current situation, but can also be retained for future reference or in case affected parties raise a liability concern.
Thinking Ahead Pays Off During Incidents
A cybersecurity incident response plan will be your guide in situations when time is of the essence. These plans do not maintain themselves; they need continuous updating as systems evolve and other needs change.
For more information about how to improve your cyber incident response plan, please contact Ray Gandy or another member of our team.
Published on February 16, 2021