What will you do when your sys admin tells you they think your systems may have been breached? How will you respond if a cyber crime law enforcement agent calls to tell you your data has been found on the dark web? If these questions evoke any response except an assured, calm mental review of your Incident Response Plan, then you have some work to do immediately!
Whether you manage your Information Security in-house or utilize a Managed Security Services Provider (MSSP), your systems and data are a target for someone. Large company or small, no business is immune from cyber crime in today’s connected and online world. While there is still a premium on data breaches at large multinational corporations, small businesses have seen a remarkable increase in attacks over recent years, since they are often seen as a connected link into some large corporation. An Incident Response Plan may be similar to liability insurance in that you hope you never have to use it, but you need to have it just in case. A quality MSSP like Intrinium will be able to assist in developing a plan if you do not have one, or they can review and help mature your existing plan.
There are hundreds of sample and model Incident Response Plan templates available on the Internet, and depending on your specific business, you may be driven to a particular model based on regulatory or legal requirements. But here are a few things that must be included in any plan for it to be effective.
- “Who ya gonna call?” Since a potential breach might be detected by anyone, including that new hire or even an intern, having ready and clear information on who to contact and how to trigger your Incident Response Plan is vital. It should also be clear that there will be no negative repercussions for a false alarm. You do NOT want people hesitant to report a possible problem.
- “Who’s on first?” Your plan needs to include technical, business and management representatives right from the start. Controlling the investigation, owning the chain of custody for any evidence gathered, and managing the information release to customers, business partners and the press are all aspects that need to be defined. You likely do not want your sys admin talking to the press any more than you want your legal counsel capturing system logs.
- Do’s and Don’ts: Be sure that players know what is expected of them, and what they should NOT do in terms of investigating. While it is true you want to capture as much data as possible, as quickly as possible, you may need to engage law enforcement before potentially destroying evidence by performing a system restore.
- Documented and Practiced: If your plan isn’t written, it will fall to pieces under pressure in the heat of the moment. After it is written, it should be practiced routinely to ensure all participants are fully aware and ready to engage. Both unplanned practice and mock “fire drill” executions are best. Planned tests will not have the emotion or sense of urgency associated with a live event. Unplanned fire drills help people work through those jitters before your company’s survival is at stake.
The goal is minimizing data loss and restoring normal business operations, so speed is of the essence. But speed must be balanced with meticulous care. Execute your Incident Response Plan with the expectation that you will be going to court with the results: to prosecute your attacker, defend yourself from lawsuits, or most likely both!