As cyber-attacks become more sophisticated and more numerous, CIOs and CISOs need to improve their ability to respond quickly. Data from Alert Logic's Threat Hunting Report found that 56% of companies experienced an increase in cyber-attacks last year. Identifying and containing the breach is the first major step, but a cybersecurity response plan also has to cover many other issues, from determining whether any regulatory obligations were triggered to handling media calls.
Security experts Paul Mazzucco, CSO at TierPoint, Scott Lambert, VP at Alert Logic, and Jennifer Rathburn, a partner at the law firm Foley & Lardner LLP, recently offered their advice on responding to a cyber-attack:
Make use of outside experts
Even in large companies, the internal legal, marketing and IT staff may need help, especially with tasks that require specialized skills, such as regulatory compliance, media relations, forensics and disaster recovery. As Mazzucco noted, "TierPoint has the ability to do forensics and we still call in an incident response group, because they specialize in this kind of work."
Managed services providers (MSPs) and security services providers (SSPs) can also help with remediation, as well as with related security services such as DDoS mitigation, intrusion detection and prevention, and disaster recovery and business continuity. With the rise in DDoS attacks, DDoS detection and mitigation have become increasingly popular services: incoming traffic is routed through the provider's "scrubbing center," which identifies and drops malicious traffic and forwards the clean traffic on to your network.
If you do outsource to an MSP, remember that you retain liability for break-ins, so don't rely blindly on your provider. "You need someone in the company who can direct the security program with the provider's assistance," said Lambert.
Assign your team
When an attack happens, you should have a response team ready to go. So, assign people to their roles before it happens. That includes vetting legal firms, media consultants, and other outside experts. Rathburn advised: “Get your preferred providers on your team before you’re forced to work with them. You don’t want to be suddenly dealing with forensics people many states away that you’ve never met, or lawyers you’ve never worked with before.”
Have your team practice responding to a breach, because you won’t have time afterward to sort out the details. “You’ll be trying to do your day job at the same time as handling all this data collection and answering questions from upset people,” she said. “So, it needs to be practiced ahead to see how your plan and team hold up.”
Include cyberattacks in your disaster recovery and business continuity plan
If you're being held hostage by ransomware, being able to restore applications and data to a point within an hour or so before the infection could be a lifesaver. Ransoms can be expensive; according to a new study from Sophos, the average cost of a ransomware attack to a business was $133,000 in 2017, and 54% of organizations fell victim. DDoS attacks, likewise, can paralyze systems and bring business to a halt. It pays to have a disaster recovery and business continuity plan that covers cyber-attacks. Such a plan might include frequent data backups (kept offline or otherwise out of reach of the same credentials the ransomware runs under, so the backups cannot be encrypted too), cold or warm standby servers for employees to use if production systems are offline, and temporary offices or equipment in case computers are damaged or unusable after the breach.
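The "restore to within an hour of the infection" goal above is a recovery point objective (RPO), and after a ransomware incident the restore point has to be chosen with care: backups taken after the infection contain encrypted files, and backups on a writable share may themselves have been overwritten. The following is an added example, not code from the article or from TierPoint, Alert Logic or Sophos; the backup catalog, timestamps and payloads are constructed for illustration, and the catalog fields and function names are assumptions. It picks the newest backup taken before the infection whose SHA-256 digest still matches the one recorded when it was written, and reports whether the resulting data-loss window meets the RPO.

```python
"""Choosing a clean ransomware restore point and checking it against an RPO.

Added example for this article; the catalog layout below is an assumption,
not any vendor's format.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Backup:
    """One restore point in a backup catalog (constructed stand-in for a real entry)."""
    taken_at: datetime        # UTC time the snapshot was taken
    recorded_sha256: str      # digest the backup job recorded when the archive was written
    payload: bytes            # archive contents (a short byte string in this example)
    offline: bool             # True if stored where production credentials cannot write


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verifies(backup: Backup) -> bool:
    """False if the archive no longer matches its recorded digest, i.e. it was
    altered after cataloguing (for example encrypted by ransomware that reached the share)."""
    return sha256_hex(backup.payload) == backup.recorded_sha256


def choose_restore_point(catalog: Iterable[Backup], infected_at: datetime) -> Optional[Backup]:
    """Newest backup taken at or before the infection time that still verifies.
    Backups taken after infection are excluded even if their digest matches,
    because they faithfully preserve already-encrypted files."""
    candidates = [b for b in catalog if b.taken_at <= infected_at and verifies(b)]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b.taken_at)


def data_loss_window(restore_point: Backup, infected_at: datetime) -> timedelta:
    """How much work is lost if this restore point is used."""
    return infected_at - restore_point.taken_at


def rpo_met(restore_point: Backup, infected_at: datetime, rpo: timedelta) -> bool:
    return data_loss_window(restore_point, infected_at) <= rpo


def make_backup(taken_at: datetime, payload: bytes, offline: bool = True) -> Backup:
    """Catalogue an archive, recording its digest at write time."""
    return Backup(taken_at, sha256_hex(payload), payload, offline)


def build_sample_catalog() -> List[Backup]:
    """Constructed hourly catalog: two good backups, one tampered, one post-infection."""
    t0 = datetime(2018, 6, 1, 8, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    good_0800 = make_backup(t0, b"payroll.db v1", offline=True)
    good_0900 = make_backup(t0 + hour, b"payroll.db v2", offline=True)
    # 10:00 copy lived on a writable network share; ransomware overwrote it after cataloguing,
    # so its current bytes no longer match the recorded digest.
    catalogued_1000 = make_backup(t0 + 2 * hour, b"payroll.db v3", offline=False)
    tampered_1000 = Backup(catalogued_1000.taken_at, catalogued_1000.recorded_sha256,
                           b"\x00encrypted\x00", offline=False)
    # 11:00 backup was taken after the infection: it verifies, but it contains encrypted files.
    post_infection_1100 = make_backup(t0 + 3 * hour, b"payroll.db encrypted", offline=True)
    return [good_0800, good_0900, tampered_1000, post_infection_1100]


INFECTED_AT = datetime(2018, 6, 1, 10, 30, tzinfo=timezone.utc)   # constructed detection time
RPO = timedelta(hours=1)                                            # the article's "an hour or so"


def demo():
    """Returns (restore point time, data-loss window, RPO met?) for the sample catalog."""
    restore_point = choose_restore_point(build_sample_catalog(), INFECTED_AT)
    if restore_point is None:
        return None, None, False
    window = data_loss_window(restore_point, INFECTED_AT)
    return restore_point.taken_at, window, rpo_met(restore_point, INFECTED_AT, RPO)


if __name__ == "__main__":
    when, window, ok = demo()
    print(f"restore from {when.isoformat()}, losing {window} of work; RPO met: {ok}")
```

On the sample catalog the script skips the 11:00 backup (taken after infection) and the 10:00 backup (digest mismatch), settles on 09:00, and reports a 90-minute loss window that misses the one-hour RPO; that is exactly the gap a tabletop exercise of the plan should surface. Keeping the recorded digests somewhere the backup share cannot write to is what makes the verification meaningful; a digest stored next to the archive can be rewritten along with it.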
When a breach happens, you need to identify the scope of the problem. Is it a full breach with potential loss of legally protected data, or something less serious?
“Not every incident rises to the level of a reportable breach,” said Rathburn, noting that it’s as important for legal reasons as for security issues to fully understand the problem and damage done.
If it's a small incident, your own internal IT staff may be able to handle it. If it's a breach of protected data or a ransomware attack, however, you will probably need to call in those outside security, legal and media experts.
For more help in dealing with cybersecurity, download TierPoint's Five-Step Security Framework.