The middle of a cyberattack is not the time to figure out how to respond. An expert offers suggestions on how to create a company-specific incident-response plan.
Your small business is doing OK. You hope this year’s Christmas season will be a blockbuster. Last year, COVID nearly destroyed the business. This year should be different: Forecasts look good.
It’s late at night; why would my partner be calling me now? “What’s up Harry?”
“Hi Tom, can you try getting into the network? I can’t.”
“Let me try. That’s odd; I can’t get into the database—access is denied.”
“That’s what I get as well.”
These business owners are about to have several difficult days and at least one hard decision to make. Their business is experiencing a ransomware attack. Their employees are unable to work. Customers are calling because the company website isn’t working. They have no idea what to do now. It’s a mess.
Tech media and marketers have all sorts of solutions, most of which are too expensive for small-business owners with tight budgets. They’d rather gamble on being left alone by the cyber bad guys. However, that ends up being a problem if the company is targeted by a cyberattack. Who does what and when?
Failing to plan is planning to fail
Every company has a business plan. Jim Bowers, security architect at TBI, believes even the smallest of companies should also have a written cybersecurity incident-response plan: a document that tells the people responding to a cybersecurity event what to do, in what order, and whom to call.
Bowers understands that small business owners might be leery of independently creating a document and process that could make or break their company. To help assuage their fears, Bowers has created the following outline as a starting point for building a company-specific incident-response plan. Bowers divides the outline into three time periods: the first hour, the first day and once the dust settles.
In the first hour: Limit and isolate the breach
After discovering there has been a cyberattack, the first step is to contain the threat by cutting affected systems off from the network, even if that means taking everything offline. Disconnecting a machine is preferable to powering it off: a shutdown destroys the evidence held in memory (running processes, live network connections) that investigators will need later. The next step is to locate the damage: which systems were involved, and whether data has been compromised. This keeps the situation from spiraling out of control.
These steps may require calling in experts who already know the company’s digital infrastructure and business assets, so having their contact information available, stored somewhere other than the network under attack, is essential. Do not coordinate the response over the company’s usual channels; if the attacker has a foothold, company email and digital voice calls may be monitored. Use an out-of-band channel such as personal mobile phones. Bowers said: “The attacker wants to propagate across the company’s infrastructure, so digital traffic needs to be rerouted to prevent the attack from spreading.”
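As an added example (not from the article, from Bowers, or from TBI), the following bash script shows one way to carry out the first-hour containment step on a single Linux server: snapshot the volatile state that would otherwise be lost, then cut every network path except the responder’s own SSH session, instead of powering the machine off. The management address 203.0.113.10 (a documentation address), the use of iptables, the evidence directory and the script name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article or from TBI): first-hour containment of a
# Linux server suspected of being hit by ransomware, done over the network
# instead of by pulling the plug, so that memory contents (running processes,
# network connections, possibly the malware's encryption keys) survive.
# Hypothetical assumptions: the responder reaches the host over SSH from one
# management address, the host uses iptables, and evidence goes to a local
# directory that is copied off the box afterwards.
set -u

# Accept only a well-formed IPv4 address. A typo here would lock the responder
# out along with the attacker, so the check runs before any rule is applied.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Emit (do not run) the iptables commands that isolate the host while keeping a
# single SSH path from the management address. Order matters: the accept rules
# for loopback and the responder's session go in before the default policies
# flip to DROP, otherwise the SSH session issuing the commands dies mid-way.
isolation_rules() {
    local mgmt_ip="$1"
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s ${mgmt_ip} --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d ${mgmt_ip} --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Snapshot volatile state that isolation or a later reboot would destroy.
# The capture is timestamped and checksummed so the incident record (the
# first-day "document everything" step) can show what was observed and when.
capture_volatile_state() {
    local outdir="$1"
    mkdir -p "$outdir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/captured_at.txt"
    ss -tunap                       > "$outdir/sockets.txt"   2>&1 || true
    ps -eo pid,ppid,user,lstart,cmd > "$outdir/processes.txt" 2>&1 || true
    last -Fw                        > "$outdir/logins.txt"    2>&1 || true
    crontab -l                      > "$outdir/crontab.txt"   2>&1 || true
    sha256sum "$outdir"/*.txt > "$outdir/SHA256SUMS"   # integrity of the record
}

# Usage:  ./contain.sh <management-ip> [--apply]
# Without --apply it only prints the rules for review; with --apply it captures
# volatile state first, then applies the rules (requires root).
if [ "$#" -ge 1 ]; then
    mgmt="$1"
    valid_ipv4 "$mgmt" || { echo "refusing: '$mgmt' is not an IPv4 address" >&2; exit 2; }
    if [ "${2:-}" = "--apply" ]; then
        capture_volatile_state "/root/ir-$(date -u +%Y%m%dT%H%M%SZ)"
        isolation_rules "$mgmt" | sh -e
    else
        isolation_rules "$mgmt"
    fi
fi
```

Run it with just the address to review the rules it would apply; add `--apply` as root to capture state and enforce them. Where the infrastructure allows it, isolating the port at the switch or firewall is preferable, because it works even when the host itself can no longer be trusted to run commands honestly.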
If the breach involves ransomware, Bowers suggested not paying. “There is no guarantee the cybercriminals will return access to the sequestered data if they are paid,” he said. “And, if the cybercriminals receive payment, there’s no guarantee they won’t try again.”
In the first day: Document and work on recovery
A breach isn’t over once the immediate attack has been contained. Attackers count on defenders assuming that it is, and they tend to leave backdoors that simplify their return. Bowers said, “Make it a high priority to determine the attacker’s entry point and work to close that gap and other potential entry points.”
The following list includes suggestions that should be accomplished within the first 24 hours of the cybersecurity incident:
- IT staff should debrief, remove all known traces of the attack, including any persistence the attacker left behind, and examine every system for additional weaknesses related to the attack.
- Notify the internal parties that need to know (marketing, legal and PR) and the external ones (law enforcement and government agencies), including any notifications that regulations require.
- Once the internal teams have a chance to communicate and craft a strategy, customers need to be informed.
- It is vital to document all information about the attack—what worked and what did not help when trying to stop the attack. This information should then be used to correct and improve the incident-response plan.
Once the dust settles: Learn from it
Once the dust has settled and the business is back online, an all-encompassing audit—including a penetration test—should be undertaken. Bowers said this is important so the incident-response plan can be updated and the responsible parties can learn to react more quickly next time. The cost will be less than suffering through another cyberattack.
It’s also important to routinely test the incident-response plan. Digital infrastructure and processes can change, and testing will shed light on new weaknesses such as contact information that is no longer valid.
Get more details for your plan
Bowers is aware that the outline is only a starting point, but it gets the ball rolling before the unspeakable happens. For a more detailed incident-response plan, see the National Institute of Standards and Technology’s Cybersecurity Framework and its Computer Security Incident Handling Guide (SP 800-61).