Preparing for cyber attacks is often a shortcoming in many organizations. In this article, we look at how to develop an effective incident response plan and give an overview of five steps that should be taken during an incident.
It’s the call that IT teams fear: An employee reports that his PC screen is flashing red with a message telling him that his files are encrypted and that he has to pay a ransom to decrypt them. What should they do next?
What the company does in the next few minutes and hours will determine how large – or small – the impact of the cyber attack will be. A cyber attack not only damages the company's IT systems, it also causes stress and puts pressure on employees.
A recent paper published by the University of Haifa found that cyber attacks have a strong psychological impact on all employees by increasing their levels of anxiety, stress and panic – which can lead to errors and further damage.
So how should companies go about replacing these human, panicked and emotional reactions to cyber incidents with a better coordinated, well-rehearsed response?
You can never train enough
A useful model is the rigorous training of pilots in dealing with unexpected events: they receive comprehensive checklists and procedures covering practically every eventuality, from fuel leaks and engine failure to structural damage. These procedures are practiced repeatedly, both in simulators and in flight, so that the reaction in a real emergency becomes an automatic reflex. The result is that, when an incident occurs, the pilot and co-pilot first silence the warning alarm so that they can think clearly and work through the corresponding checklist.
For companies, a large collection of checklists and plans for every conceivable contingency tends to be more of an obstacle. It is more important to set up a capable team that can react quickly and precisely to breaches or attacks. This means an incident response team that includes all relevant internal stakeholders, such as IT and security specialists, HR and PR teams, and, in some cases, specialized external resources. Preparation alone is not enough: the team's activation must be rehearsed in realistic training exercises.
Five important steps
To help companies develop faster and more effective responses, here are five important steps they should follow, whether in a training exercise or after a real incident.
1. Identify the relevance of the incident.
The decisive first step is that the employees take the attack seriously and act quickly but without panic. Think of the ideal response to a fire alarm in an office building: everyone should immediately stop what they are doing and make their way to the exits without stopping to look for personal belongings or empty their desks. A cyber event should receive the same immediate attention and concentration. Once identified, all employees must be alerted, smoothly and efficiently, and clear, calm instructions must be given as to what to do next, whether they simply move away from their workstations or shut down their PCs or equipment.
2. Collect the resources you need.
This means mobilizing the security tools and technologies, as well as the trained personnel, that make up your organization's security infrastructure, so that they can focus on containing the incident. Clearly, not all employees need to be involved in this phase. The point is to bring together the right experience and the right expertise – quickly. Your incident response plan should specify which personnel are to be involved and whether external security resources should be called in.
Of course, assembling this combination of tools and talent is not cheap. But the investment and time needed to build effective defences is dwarfed by the real cost of cyber attacks: repairing the immediate damage and dealing with its consequences. For companies that experience an average of two cyber attacks a week that breach their defences, it is clear that investing in prevention is far better than paying the much higher cost of subsequent repair.
3. Execute your Incident Response Plan.
This is the active phase, in which you work through your incident response plan step by step to determine the nature of the attack, how it breached your defences, how it can be isolated, and how the damage can be repaired. Companies that do not have an incident response plan at hand would be wise to call in external experts at this stage.
4. Communicate about the attack.
Too often, companies stop at step three. But communication about the attack is important – not only for all your internal stakeholders and employees, but also for external stakeholders such as partners, customers and investors. This is increasingly a regulatory requirement: for example, the EU General Data Protection Regulation (GDPR; in German, DSGVO) requires a personal data breach to be reported externally within 72 hours of its detection. All stakeholders, inside and outside your company, need to understand what happened and what it means for them – in language suited to their level of technical understanding.
This is a distinct phase that should be in the hands of trained communications staff. The revelations about Uber's 2016 data breach and the subsequent cover-up are a lesson in how not to communicate – and in the consequences that can follow.
5. Learn from the incident.
Once again, this is a truly critical element of incident response that is all too often neglected. Every cyber attack should produce serious lessons for the company concerned. After an attack, active measures should be taken to close the exploited vulnerability, modify and improve the process that was exploited, retrain or redeploy staff who made mistakes, and refine the existing incident response plan. Failing to learn from an attack and to improve protection afterwards leaves the organization vulnerable to a repeat of the same attack.
Effective incident response is a matter of training and practice. Developing and updating an incident response plan requires work and investment – but during a cyber attack, that investment pays off. Whether you decide to handle incident response internally or rely on external expertise, it is important to create a plan now and test it against plausible attack scenarios. This will help prevent panic during an attack, limit the damage and consequences of the incident, and get your business back to normal as quickly as possible.