Fast Lane to Incident Response Success
Is your incident response plan up to speed? Should your company suddenly face a data breach or a security incident, is your team prepared? If you do not have a documented, practiced plan you will find yourselves playing catch up which could greatly increase the resulting damage to the organization. It is important to realize that even before you detect a breach or realize that there has been an incident, you are already in “Incident Response Mode” and there are important steps you need to be taking before, during, and after an incident.
Before a Breach – Stop What You’re Doing!
I’m not alone in saying this, most experts agree – it is not if your company faces a security incident or data breach but, rather, when. You see the same news reports I do. Retailers hit with point of sale malware, breaches costing healthcare organizations millions in HIPAA fines, clever phishing schemes targeting employees, and increasing threats to remote access systems – the risks are very real. But I am more convinced with every major breach that most of these incidents can be avoided with attention to basic IT Security best practices. For those that cannot be avoided, being prepared in advance can greatly mitigate the potential damage and headaches for your organization.
Make a Plan
A security incident will inevitably surprise you. It will not fit into your calendar. But, if you suffer a malicious attack, the hackers will be executing a well thought-out, practiced plan. By the time you realize a breach has occurred (which may even be weeks or months later), you are already behind. In a crisis is not the time to get organized, assign vital tasks, and make decisions. Stop and do it now.
Train Your Employees
If every member of your team is prepared to execute your incident response plan knows their role in the first critical steps, you will be able to ramp up quickly to respond effectively. Virtually every person in your organization will have a role to play should you face a breach. End users working in your systems, IT personnel and executives all need to understand what will be expected should an incident occur and they need to be alert to any warnings or instructions you give.
Monitor for Signs of Trouble
Once your plan is in place and your team is prepared, you can rest assured that you can respond effectively to any incident that may occur. It is important to have systems and processes in place to monitor systems and networks for anomalies or suspicious access. Many breaches go undetected for weeks or even months. The sooner you can identify and respond, the better.
In a Breach, Proceed with Caution
When a breach is identified, set the wheels in motion alerting your team and, as appropriate, your entire organization with clear, pointed instructions. If you have established a relationship with a security vendor or third party to assist in your breach response plan, alert them right away. If you do not have an established relationship or a retainer arrangement with incident response experts, contact someone as soon as possible. You can reach Loricca’s Incident Response team at 813-600-3005.
When you see trouble, do not panic. Important data and forensic evidence may be lost if you reactively shut down systems you believe have been affected. Work quickly to stop any data leakage and quarantine affected systems so that any malware or malicious code will not spread deeper in your network.
As soon as you realize you have experienced a security incident or suffered a breach, begin gathering as much data as possible. Save system logs, record anything that was noticed by end users or IT personnel and document everything in detail. This documentation will help you understand what has occurred and how. It may also help you avoid potential regulatory action or high penalties.
After a Breach – on the Road Again
Depending on the cause and nature of the breach or incident your company has suffered, there may be important remediation steps you will need to take to resume operations securely – and possibly to regain compliance. You may discover significant or costly remediation that is needed but that cannot all be undertaken or accomplished immediately. When this is the case, it is still important to create a plan for addressing those issues as soon as possible and to document this plan for regulatory and possibly legal purposes.
If nothing else good comes of it, some valuable lessons are inevitably learned during a security crisis. You will discover weak areas in your systems but also in your processes. As the result of lessons you take away from the experience as well as changes that you make in your systems following the incident, your incident response plan must be updated, revised, and, with the information you have gleaned, improved. Have someone (or several people) close to the incident and the response process thinking about the changes that should be made along the way. Gather notes and feedback along the way, do not wait until you are past the incident when details may be fuzzy. But, as soon as you can, have a debrief meeting to discuss what you have learned, changes that need to be made, and ways to improve your plans and processes going forward.
As soon as the dust settles on the issues (if not before) and you have reviewed and revised your incident response plan and related policies, schedule employee training. Consider the appropriate and necessary level of training for staff at all levels of your organization and make this revised/refresher training a priority. Even before you have any indication that there is a problem, you need to realize that your company is in Incident Response Mode. When you are just in the “Before” phase, there are still vital steps you must be taking to prepare your company to launch an effective response. If you do not begin this process well before the first sign of trouble, you will find yourselves playing catch up.
Get IR engines revving now to be ready to kick into high gear when you need to and you will not regret wasted valuable time. How fast you respond to an incident matters!