In today’s threatening digital environment, cyber breaches are more common than ever. Data breaches so far this year have jumped 29 percent from the same time period in 2016, according to the Identity Theft Resource Center. As a result, more businesses are experiencing downtime and financial loss. And the less prepared a company is to handle a breach, the longer it takes to repair the damage and get back on track.
Working to prevent a cyber attack is critical, but it’s also important to create a cyber incident response plan so you’ll know how to handle a breach if – when – one occurs. This type of plan will guide you through a data breach, outlining the necessary steps to minimize damage, get the incident under control and reduce downtime. The 2016 Global Economic Crime Survey from PwC revealed that only 37 percent of companies have a cyber incident response plan—putting the majority of companies at great risk for suffering long-term, devastating damage.
Here are 7 key steps to creating your cybersecurity incident response plan:
1. Contact the right people at the right time
As with any corporate crisis, there should be a chain of command for notifying the proper individuals who will handle a cyber breach – and the order in which they are contacted. This includes contacting IT personnel, your cyber liability insurance provider and general counsel. These key people, plus any others your organization may establish, play a pivotal role in handling cybersecurity issues and should be aware of the situation at all times.
2. Preserve critical evidence
Cyber evidence is often tainted or destroyed when a company tries to contain a breach quickly. Before shutting down key systems and limiting access, take memory images of existing data and files to preserve any evidence, which can establish whether or not a cybercrime was committed. It’s also important to ensure log data is preserved and accessible for investigation.
3. Cut off access
An important step in stopping a cyber breach from doing any further damage is cutting off or limiting access to the network, email or other platforms. While this may cause temporary disruption, it can prevent the attack from spreading further. To understand how unauthorized users may be accessing data, look at the MITRE ATT&CK matrix or the Cyber Kill Chain, which outline different threat techniques and stages of cyber attacks, respectively.
4. Determine the extent of the damage
Before you can take steps to remediate a cyber breach, you must first establish what happened and the level of pervasiveness. By determining your level of exposure, you can rightly assess what data was compromised and who was affected. From there, you can begin implementing other stages of the cyber incident response plan to fix the vulnerability and notify affected users.
5. Contact industry-related regulatory departments
If your company is in a highly regulated industry, like healthcare or financial services, you may be required to report cyber incidents to a governing industry authority. Even non-regulated industries often have strict protocol for alerting affected consumers and remediating any damage. It’s important to understand and follow these requirements to avoid being fined or sued.
6. Remediate the damage
Remediation depends on the extent of the damage and what capabilities were in place, such as disaster recovery and backup. With real-time backup, companies can easily pick up where they left off, but with nightly backup, at least one full day of production is lost. To fully remediate the effects of a breach and bolster your systems to prevent another, you will likely need to use a cybersecurity professional, whether in-house or outsourced.
7. Incorporate lessons learned
There are always lessons to be learned after facing a cyber incident. After completing the steps in this process, go back and review how each task was handled—assessing what worked and what didn’t, as well as any new factors that should be considered. Then, integrate these things into your existing cyber response plan and practice them regularly to ensure the plan is up to date and your company is prepared.
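Step 2 above says to preserve log data before containment changes it; the script below is an added example (not from the original article) of the minimal evidence-preservation routine a responder would run: copy each log to a read-only evidence folder, record SHA-256 hashes and timestamps in a chain-of-custody manifest, and later re-verify the copies. The case id, collector name and log lines are constructed placeholders.

```python
import hashlib, json, os, shutil, tempfile, time
from pathlib import Path

# Constructed sample log lines standing in for real auth/web logs (not from the page).
SAMPLE_LOGS = {
    "auth.log": "Jun 27 10:02:11 host sshd[411]: Accepted password for svc from 10.0.0.5\n",
    "access.log": '10.0.0.5 - - [27/Jun/2017:10:03:40] "GET /admin HTTP/1.1" 200 512\n',
}

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_logs(sources, evidence_dir, case_id, collector):
    """Copy each log into evidence_dir, make the copy read-only, and record its
    hash, size and original mtime in manifest.json (the chain-of-custody record)."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"case_id": case_id, "collector": collector, "items": [],
                "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)   # copy2 keeps the source's own timestamps
        os.chmod(dst, 0o444)     # read-only copy: accidental edits now fail
        manifest["items"].append({"source": str(src), "copy": str(dst),
                                  "size": dst.stat().st_size, "source_mtime": src.stat().st_mtime,
                                  "sha256": sha256_file(dst)})
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Re-hash every preserved copy; return the paths whose hash no longer matches."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [i["copy"] for i in manifest["items"] if sha256_file(i["copy"]) != i["sha256"]]

def demo():
    """Preserve the constructed logs, then tamper with one copy to show detection."""
    work = Path(tempfile.mkdtemp())
    for name, text in SAMPLE_LOGS.items():
        (work / name).write_text(text)
    preserve_logs([work / n for n in SAMPLE_LOGS], work / "evidence", "CASE-0001", "analyst")
    clean = verify_evidence(work / "evidence")           # expected: []
    os.chmod(work / "evidence" / "auth.log", 0o644)
    with open(work / "evidence" / "auth.log", "a") as f:
        f.write("Jun 27 10:05:00 host sshd[411]: session closed\n")
    return clean, verify_evidence(work / "evidence")      # expected: [], [".../auth.log"]
```

The manifest plus the read-only copies give the investigation something it can show was unchanged since collection; a real deployment would also store the manifest somewhere the compromised host cannot reach.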
Many companies fail to recognize the risk of cyber breaches and therefore neglect to prepare for those threats. Consider the recent NotPetya ransomware attack, which wreaked havoc on some of the world’s largest corporations. Most of the affected companies were able to bounce back in a matter of days, but one company, Maersk, suffered two weeks of business disruption and $300 million in losses. Following an incident model, such as PICERL (Preparation, Identification, Containment, Eradication, Recovery and Lessons learned), can ensure your company is prepared to handle a cyber incident. How an organization handles a cyber breach – and the amount of damage one is allowed to cause – is directly tied to the company’s level of security and preparedness.