In the event of a cyberattack, how does your business respond? Since a cyber incident is an (inevitable) possibility, do you have a plan?
Can you recover quickly and maintain your good reputation? Without a fast Emergency Cyber Response Service – ECRS in place, you will not be prepared; you will not understand the type of cyber security incident response capabilities you require or the level of support you need.
A well-developed Emergency Response Plan saves money and time with every incident. A 2020 Cost of a Data Breach report from IBM showed that organizations without a tested emergency response plan incurred costs of $5.29M US, whereas those with tested strategies shrunk that cost to $3.29M US.
What is an Emergency Cyber Response Service?
When an attack is discovered, every second counts. As time passes, more data and files are encrypted, and more devices are infected, ultimately escalating costs and potential damage. Immediate, methodical, and skilled action must be taken.
Following a breach, you need qualified cybersecurity staff to provide emergency response services to reduce the impact of the incident on your business quickly.
There are three phases to a good incident emergency response service. Each part contributes to the incident at hand, offers more confidence to the security team to adequately manage it, and helps to provide learnings for enhancing cyber security for the future.
1. Analysis and preparation
In the words of the Boy Scouts, ‘Always Be Prepared’. Preparing for a cyber incident starts with an assessment of the business, how it operates, and the challenges of identifying security gaps.
Once a pre-emptive incident response plan is in place, all employees can be educated on response training using simulated exercises. They must be prepared for the types of events and incidents they are most likely to encounter, the specific business sector, systems used, and applicable, evolving risk indicators.
2. The response: containment, eradication and recovery
Much like when dealing with a fire, isolating and containing the threat to minimize the damage takes priority. Failure to quickly isolate infected systems from the network may augment the incident by allowing the malware to continue to encrypt more files on the local system or network shares, thereby increasing recovery efforts.
It typically takes two to three times longer for companies who don’t have an incident response plan to get the support they need after a breach is discovered.
The ransomware must be removed from infected systems across the organization. Depending on the scope of the attack, this operation can be lengthy and may involve both user devices and more pivotal machines and services that have been impacted.
It is imperative to complete containment and identify the root cause of the infection before beginning the recovery process.
Depending on the type of incident, recovery will often be performed in stages with the dual goal to minimize disruption to normal operations and to ensure operational continuity.
For effective recovery, you need to know what you will be recovering – hardware, software, data, digital assets. After going through the analysis and preparation phase, you will have a detailed inventory and priority list of physical and digital assets relevant to recovery.
3. Post-incident and communication
Once the incident is defended, reviewing the incident log and the response with relevant stakeholders is crucial – the lessons learned will improve processes and ensure future incidents are managed well and potential impact minimized.
Some questions to ask and answer:
- What was the time, location, extent of the damage?
- Who discovered the attack and how?
- How was the incident reported?
- Was it an internal or external cause?
- When did the security team get involved and when did the processes start?
- How quickly was the incident contained and eradicated?
Coordinating the work of multiple people and systems requires effective communication, and in the confusion and uncertainty of a cybersecurity incident, this becomes paramount. Proper communication to suppliers, customers, senior management, and the media drafted by Emergency Cyber Response experts is of the utmost importance – none of these groups should find out about the breach in the news.
There is no time for complacency. Risks can evolve with disorientating speed, cascading disruptions resulting in dramatic breakdowns. The WEF Global Risk Report for 2021 includes ‘failure of cybersecurity measures’ as a threat that can cause a significant negative impact for several countries and industries within the next 10 years. The bigger picture is sophisticated ‘cybercrimes resulting in economic disruption, financial loss, geopolitical tensions and or social instability’.
How ENHALO can help
ENHALO’s Emergency Cyber Response (ECR) service turns your incident response plan into a proactive program that improves incident response times, lowers costs, and implements a continuous improvement process to strengthen your overall security defense.
We ensure that you do not adopt inconsistent or inappropriate cyber security incident response approaches that solve problems but don’t create a defense for continuous future protection.