Planning Your Response to a Cyberattack

By Nathaniel C. Gravel, CISA, CISM, CRISC

I spend my working hours doing all that I can to help clients avoid becoming a cyberattack victim. Layered defenses, penetration testing, constant monitoring, employee training, multi-factor authentication, “red team” simulated phishing – we use all the tools in our bag to identify and deter “bad actors” from accessing data or breaching networks.

But it does not always work. No plan is perfect, and cyber criminals spend millions of dollars each year developing more sophisticated methods to infiltrate the defenses of organizations both large and small. That is why two of the most important components of an effective cybersecurity defense are an incident response process and a business recovery plan.

A Response Plan Can Minimize Damage

If, despite the most determined efforts, a cyberattack occurs, what do you do? I mean right now. If you see a message on your screen that you are locked out of your system by a ransomware attack, what should your first step be? When you discover a data breach that has exfiltrated thousands of client files, who do you call first?

The immediate response to a cyberattack will go a long way toward containing the damage and preventing an event from turning into a disaster or escalating into a catastrophe. That is why it is essential to have a step-by-step game plan in place for reacting to a catastrophic event, whether it is a cyberattack, fire, or natural disaster.

The National Institute of Standards and Technology (NIST) lists four key parts for the most effective incident response plans:  

  1. Preparation – Establish a response team with specific duties, to include members from management, IT, facilities, operations, and communications. Each member should be assigned a role and trained in how to execute it. Response checklists should cover critical steps such as data recovery procedures, incident reporting requirements, equipment replacement lists, customer communications processes, and mitigation of damage to key assets. Time is money, so the plan should include a recovery time objective (RTO) to make repairs, restore systems and minimize downtime so you can resume operations as soon as possible.

  2. Detection and analysis – Once an incident is discovered it should be classified immediately. Typical cyberattacks include data breach, denial of service, phishing scam, malware, unauthorized access, and ransomware. The depth and breadth of the intrusion should be determined, then remedial steps implemented to stop further damage.

  3. Containment, eradication and recovery – Depending on the type of attack, execute the pre-planned steps to stop data loss, recover lost data, replace damaged equipment, and either circumvent a “lock out” due to ransomware or pay the ransom. Preparing an alternative network and “clean” devices that are separate from those that have been breached can help you get back up and running more quickly and securely. Document all steps and preserve evidence for legal and insurance purposes, and for post-incident analysis and planning.

    In the case of a ransomware attack, a tolerance level should be established in advance as to how much the organization is willing to pay to recover use of its network – debating the issue once an attack has occurred will only cause more lost time and damage. For example, if the decision is to pay the ransom, you should have a cryptocurrency account established in advance so that you will be able to pay off the cyber criminals and recover your data. Every hour of delay is costly.

  4. Post-incident activity – Depending on the type of information exposed and the size of the breach, you may be legally required to take certain steps and notify not only those affected but also government agencies or other organizations. Once the incident has been declared “closed,” invite all relevant parties to analyze the attack with an eye toward strengthening defenses, and review the response effort to identify improvements to be made before the next attack.

Business Recovery Begins Before an Attack Occurs

At the same time your team is implementing your cyberattack response plan, the organization’s business recovery and continuity plan should also be activated. This should include both short-term actions, such as restoring data from backups and making sure all technology and systems are “clean,” and longer-term steps, including increasing staff training, strengthening layered defenses, and improving security measures. While the primary goal should always be to have systems up and running as soon as possible, a secondary goal must be a commitment to increasing vigilance against further cyberattacks.

Nathaniel Gravel is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP, a consulting, accounting and business advisory firm based in Canton, MA. He can be reached at
