As many organizations have learned, often the hard way, cyber-attacks are unavoidable and data breaches will happen. Attackers are increasingly relentless: when one tactic fails, persistent adversaries will try others until they breach an organization’s defenses. At the same time, technology is increasing businesses’ exposure to attack through a larger online presence, broader use of social media, mass adoption of mobile devices, increased use of cloud services and third parties, and the collection and analysis of big data.
Cyber-attacks are complex and motivated by complex factors, ranging from ideology and financial gain to commercial espionage and even nation state-driven agendas. The threats are constantly evolving, targeting all industries, while becoming more prevalent and high profile. Today’s cyber criminals are patient, persistent and sophisticated — and they attack not only technology, but increasingly people and process weaknesses.
Organizations that prepare for the inevitable cyber-attack are better able to react effectively and to manage brand damage after a breach. Organizations that have an incident response plan, tested with an experienced team, can find the impact of a breach significantly reduced.
Organizations should be prepared to respond quickly and effectively when their data security defenses are breached. Here are my top five recommendations for building and organizing a cyber-security incident response capability.
Create an incident response policy. The incident response policy is the foundation of the incident response program. It defines which events are considered incidents, establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents, among other items.
Develop an incident response plan. The incident response plan provides a roadmap for implementing an incident response program based on the organization’s policy. The plan indicates both short- and long-term goals for the program, including metrics for measuring the program. The incident response plan should also indicate how often incident handlers should be trained and the requirements for incident handlers.
Develop incident response runbooks. The incident response runbooks provide detailed steps for responding to a security incident. The runbook should cover all the phases of the incident response process and steps to follow during a specific security incident.
Select people with appropriate skills. The credibility and proficiency of the team depend largely on the technical skills and critical thinking abilities of its members. Critical technical skills include system administration, network administration, programming, technical support, and intrusion detection. Teamwork and communications skills are also needed for effective incident handling. Necessary training should be provided to all team members.
Establish policies and procedures regarding incident-related information sharing. The organization should communicate appropriate incident details to outside parties, such as the media, law enforcement agencies, and incident reporting organizations. The incident response team should discuss this with the organization’s public affairs office, legal department, and management to establish policies and procedures regarding information sharing. The team should comply with existing organization policy on interacting with the media and other outside parties.
About Us: Ashco Systems is a leading provider of cyber security, network and cloud technology solutions. We work with our clients through their most difficult times, providing advice and hands-on response capabilities, to help reduce the impact of an incident and bring it to a conclusion in a safe and efficient manner. Together, our proactive and reactive approaches help to mature your overall incident response capability. Lessons learned from incidents and proactive initiatives are constantly assessed for their effectiveness, improved on for efficiency and put into operation to mitigate cyber attacks in the future.