A Good Incident Response Plan Makes All the Difference
By: Doug Quail, Senior Security Engineer, Insight Canada
Not all cybersecurity incidents are created equal. There’s a range. Malware detected on a single workstation at a company is near the bottom (although it can snowball if left unhandled). Ransomware attacks can be much more serious. Every company connected to the internet — so, every company give or take — should understand the value of a robust incident response plan (IRP).
At Insight, we evaluate our clients’ cybersecurity needs, implement plans and increase their security level with support from our partner ecosystem. One of the things we check is if a client has an IRP and if they are testing it periodically. Every organization should answer “yes” in both cases.
Make creating an IRP a priority.
Companies come in different shapes and sizes, with different priorities. However, a good, annually tested IRP is a big one, regardless of the situation. Smaller companies know that to get up and running everyone needs email, laptops and other collaboration tools. They should think “secure by design” so they aren’t introducing unacceptable levels of risk as they deploy new IT services to their employees.
If your organization is using Microsoft 365 for office productivity applications, it’s a must to enable Multi-Factor Authentication (MFA), endpoint protection, Data Loss Prevention (DLP) and other capabilities. You still want to make sure you’re backing up your data somewhere and you have a basic IRP in place. I’m talking about answering questions like:
- What do I do if the company gets attacked/my data gets stolen?
- Who can authorize a ransomware payment?
- Which law-enforcement agency should I call?
- When do the legal and communication teams need to get involved?
Any company that relies on information systems to run their business should have an IRP. Even small companies with a couple of employees should have a basic IRP. They may have valuable data where losing access to it could mean a major disruption or even potentially the end of the business. Some companies say, “I’m willing to take the risk. I don’t need an IRP. I’ll just respond when an incident occurs,” but they still need to know how.
Many don’t understand the risk associated with being attacked. It’s important to know the consequences and an appropriate level of investment to mitigate the risk associated with a cybersecurity breach. Here are two stats to consider:
- According to Statista, the annual share of organizations affected by ransomware attacks worldwide in 2023 was 72.7%.
- According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a data breach is CA$6.94 million.
If you are attacked, it can cost your organization a lot. The cost-benefit analysis of why it’s in your best interest to prepare for an attack is sound. Not having an IRP may equate to a going-out-of-business strategy.
Putting an effective IRP into action
An IRP may not be easy or quick to develop, but it is frequently required to obtain cybersecurity liability insurance. Without an IRP, insurers will mostly decline coverage or charge you high premiums. Companies need one that’s thorough, and they need to validate it every year, because a plan that is never tested may not work as well as you expect.
So, you conduct an annual tabletop exercise or a breach simulation. In that way, you validate all the contact information, the processes that need to be followed in the event of an incident and where it is. Keeping a single version on the network is counterintuitive if you’re not able to access it.
Aligning with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) makes sense. The “Respond” pillar contains the incident response capability. If it’s a single infected workstation, you’re looking at a response from the deskside support team to isolate the infected machine and reimage the operating system. If a malicious actor is ransoming your business data for a large amount, you may need to get the CEO, board of directors and legal counsel involved. You also can’t legally pay ransom to a threat actor if they’re associated with a terrorist organization, because you could be seen as funding them. Timely legal-counsel involvement is critical, along with clear understanding of who has the decision-making authority to make a ransom payment.
If you’re attacked, you should call law enforcement (local and/or federal). You’re also managing media relations, as it may make the news. Messaging is just as critical to minimize the negative impact on your company’s reputation. You can create templates ahead of time, which is all part of the IRP: What is significant? What is not? Whom do I call, and which processes do we follow?
A cyberattack can happen to anyone.
Before joining Insight, I was a client for three years. I had been working in the energy sector. From personal cybersecurity experience, you have billions of security events coming in monthly from server, network, workstation, authentication and cloud sources. You must distill the security events down to 5–10 cases that need to be investigated.
As an example, if you’re in a situation where you no longer have visibility to your operating facility and you believe your Operational Technology (OT) systems have been compromised, you may have decided in advance to shut down the operating facility. The clarity surrounding when you enact the IRP and how well the processes work are critical to your timely response to a cybersecurity incident.
No matter how big or small you are, how new or how established, a cybersecurity incident can happen to you. What matters the most is being prepared for a worst-case scenario. So, the real value of an IRP is knowing what to do if you get breached. You obviously hope you don’t, but these incidents are often beyond your control.
So, focus on your high-risk areas and put a plan in place to address the risks you face. Make sure your IRP meets your organization’s specific needs and that you test it annually. Good preparation means a good response when you need it.
