Post-breach, organisations often realise they could have avoided significant costs and disruption if only they’d had an effective incident response plan in place.
The Australian government is considering legislation that would make company directors personally liable for cyber attacks on their businesses. The proposal may be welcome news to many IT executives around the country: a recent Sophos study found that the number one frustration of security teams across Asia Pacific was that executives assume cybersecurity is easy and that cybersecurity threats and issues are exaggerated.
The same study found that 52 per cent of Australian organisations surveyed suffered a cybersecurity attack in 2020, up from 36 per cent in 2019. According to government research, cybercrime costs the Australian economy about A$3.5 billion a year.
So how can businesses avoid becoming the victim of a successful cyberattack, or at least limit the damage when one occurs? Prepare in advance.
Below are tips for cybersecurity incident response planning that give you the best chance of thwarting an attack.
- Determine key stakeholders
A cybersecurity incident will impact almost every department in your organisation, especially if the incident turns into a full-scale breach. Consequently, planning for a potential incident should not fall solely on the shoulders of the security team.
Decide in advance who needs to be at the table to coordinate a response, and establish how they will communicate so the response can start quickly. That plan should include an out-of-band channel, because normal channels such as email may themselves be compromised or monitored by the attacker.
- Identify critical assets
To determine the scope and impact of an attack, your organisation first needs to identify its highest-priority assets. By identifying these in advance, the incident response team will be able to focus on the most critical assets during an attack, minimising disruption to the business.
- Run tabletop exercises
Practice exercises ensure a more tightly coordinated and effective response when a real incident occurs. Tabletop exercises should test organisational responses to a variety of potential incident scenarios, such as the detection of an active adversary, a successful data breach, a ransomware attack, or the compromise of a high-priority system.
- Deploy protection tools
The best way to deal with an incident is to protect against it in the first place. Ensure your organisation has the appropriate endpoint, network, server, cloud, mobile, and email protection available.
- Ensure you have maximum visibility
Before an attack occurs, IT and security teams should ensure they have the ability to understand the scope and impact of an attack, including determining the adversary's entry point and points of persistence. Proper visibility starts with collecting log data, with a focus on endpoint and network data.
Since many intrusions go undetected for days or weeks, it is important to retain historical data going back for weeks and even months so the full timeline can be investigated. Additionally, store that data off the monitored hosts and back it up, so it remains available and trustworthy during an active incident, when attackers may try to delete or alter local logs.
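The following is an added example, not code from the original article, that shows why retention and entry-point visibility matter. It parses a handful of constructed, syslog-style lines (sshd, cron and useradd events invented for this example; 203.0.113.45 is a documentation address, and the "known accounts" baseline is assumed) and reconstructs what an investigator can see under two retention windows. With enough history, the first external login, the brute-force attempts that preceded it and the persistence that followed are all visible; with a short window, only a later backdoor login remains and the true entry point is gone.

```python
"""Reconstruct an intrusion timeline from retained logs (added example, constructed data)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example. Not real data.
SAMPLE_LOGS = """\
2021-03-01T08:14:02 host1 sshd[1201]: Failed password for admin from 203.0.113.45 port 51022 ssh2
2021-03-01T08:14:09 host1 sshd[1201]: Failed password for admin from 203.0.113.45 port 51023 ssh2
2021-03-01T08:14:15 host1 sshd[1201]: Accepted password for admin from 203.0.113.45 port 51024 ssh2
2021-03-01T08:20:33 host1 cron[1402]: (admin) CMD (/tmp/.x/update.sh)
2021-03-01T08:21:00 host1 useradd[1410]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup
2021-03-15T02:00:00 host1 sshd[2210]: Accepted publickey for svc_backup from 203.0.113.45 port 40122 ssh2
2021-03-29T02:00:00 host1 sshd[3310]: Accepted publickey for svc_backup from 203.0.113.45 port 40199 ssh2
"""

# Assumed baseline of accounts that legitimately exist on host1.
KNOWN_ACCOUNTS = {"root", "admin"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[a-z]+)\[\d+\]: (?P<msg>.*)$")
SSH_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
CRON_RE = re.compile(r"\((?P<user>[^)]+)\) CMD \((?P<cmd>[^)]+)\)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def is_external(ip: str) -> bool:
    """True for any address outside the assumed RFC1918 internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text: str) -> list:
    """Turn raw lines into typed events; lines we do not understand are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "kind": None, "detail": m["msg"]}
        if m["proc"] == "sshd" and (s := SSH_RE.search(m["msg"])):
            ev.update(user=s["user"], ip=s["ip"], kind="login_ok" if s["result"] == "Accepted" else "login_fail")
        elif m["proc"] == "cron" and (c := CRON_RE.search(m["msg"])):
            if c["cmd"].startswith(SUSPICIOUS_DIRS):  # scheduled job running from a world-writable dir
                ev["kind"] = "persistence_cron"
        elif m["proc"] == "useradd" and (u := USERADD_RE.search(m["msg"])):
            ev.update(user=u["user"], kind="persistence_user")
        if ev["kind"]:
            events.append(ev)
    return events


def reconstruct(text: str, now: datetime, retention_days: int) -> dict:
    """What an investigator can establish from logs retained for `retention_days`."""
    cutoff = now - timedelta(days=retention_days)
    visible = [e for e in parse_events(text) if e["ts"] >= cutoff]

    # Entry point: earliest successful login from an external address still in the window.
    entry = next((e for e in visible if e["kind"] == "login_ok" and is_external(e["ip"])), None)
    failures_before = 0
    if entry:
        failures_before = sum(
            1 for e in visible if e["kind"] == "login_fail" and e["ip"] == entry["ip"] and e["ts"] < entry["ts"]
        )

    persistence = [(e["ts"], e["kind"], e["detail"]) for e in visible if e["kind"].startswith("persistence_")]
    created = {e["user"] for e in visible if e["kind"] == "persistence_user"}
    # Accounts that log in but were neither in the baseline nor created inside the retained window:
    # their origin is unexplained, a sign the entry point predates what we kept.
    unexplained = {e["user"] for e in visible if e["kind"] == "login_ok"} - KNOWN_ACCOUNTS - created

    return {
        "window_start": cutoff,
        "first_external_login": (entry["ts"], entry["user"], entry["ip"]) if entry else None,
        "failed_attempts_before": failures_before,
        "persistence": persistence,
        "unexplained_accounts": unexplained,
    }


if __name__ == "__main__":
    now = datetime(2021, 3, 30)
    for days in (90, 7):
        r = reconstruct(SAMPLE_LOGS, now, days)
        print(f"retention {days}d:", r["first_external_login"], r["failed_attempts_before"], r["unexplained_accounts"])
```

With 90 days of history the first external login is the `admin` password login on 1 March, preceded by two failures from the same address, followed by a cron job in /tmp and the creation of `svc_backup`. With 7 days the only visible event is the `svc_backup` key login on 29 March, an account with no creation record in the window: the investigator can see the backdoor in use but not how the attacker got in, which is exactly the gap long retention closes.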
- Implement access control
Attackers exploit weak access control to get into your organisation and to escalate privileges once inside. Regularly verify that the controls you rely on are actually in place and enforced. This includes, but is not limited to, deploying multi-factor authentication, limiting admin privileges to as few accounts as possible, changing default passwords, and reducing the number of access points you need to monitor.
- Establish response actions
To properly respond to an attack, your IT and security teams need to be able to conduct a wide range of remedial actions to disrupt and neutralise an attacker. Response actions include, but are not limited to, isolating affected hosts, blocking malicious files, processes, and programs, freezing compromised accounts and cutting off the attacker's access, and finally restoring impacted assets from offline backups. Restoration should come after the entry point and persistence mechanisms have been removed, otherwise the restored systems are simply compromised again.
- Conduct awareness training
While no training program will ever be 100 per cent effective against a determined attacker, education programs such as phishing awareness help reduce your risk level. Tools that simulate phishing attacks give staff a safe way to experience a phish and help identify risky user groups who may require additional training.
- Consider a managed security service
Swift and effective response requires experienced security operators. To ensure you can properly respond, consider working with an outside resource such as a managed detection and response (MDR) provider. MDR providers offer 24/7 threat hunting, investigation, and incident response delivered as a managed service.
When a cybersecurity incident strikes, time is of the essence. Having a well-prepared, well-understood response plan that all key parties can immediately put into action will dramatically reduce the impact of an attack on your organisation.