Three Mistakes Business Owners Make During Cybersecurity Incident Response
By Haley Clark & Nick McCourt
Hopefully, you have an IT team, and the first thing you do is reach out to your IT point of contact. If you have cyber insurance, you should also be reaching out to your insurer. Your IT team, often together with a forensics team, will then work the Incident Response.
And IT knows what to do. They have a plan and they’re following it.
The Five Steps of Incident Response Are:
2. Detection and Reporting
3. Triage and Analysis
4. Containment and Neutralization
5. Post-Incident Activity
These are great steps to follow for IT, but what about the rest of us? What do we need to know when something happens?
1. Don’t Touch that Power Button
As cybersecurity experts, we tend to receive the same response from the organization, and sometimes even from the internal IT support: “We need to shut this down now to prevent any more damage. And we need to get back up and running as soon as possible.”
The problem with powering off servers, computers, and applications is that evidence is destroyed. Everything that exists only in memory, such as the running processes, the active network connections, and the logged-in sessions, disappears the moment the power is cut. Without it, it becomes that much harder to determine what the attack vector was, how the incident unfolded, and how deep the threat actor has gotten into the organization. That can actually make the recovery process slower, not faster.
Turning off compromised equipment is the equivalent of cleaning up a crime scene before the detectives arrive. Or, given that the attack may still be ongoing, it is more like locking the doors while an armed robbery is still taking place inside your business. If a machine has to be stopped from spreading the attack, disconnect it from the network (unplug the cable, disable Wi-Fi, or isolate its switch port) rather than powering it off: that cuts the attacker's access while leaving the evidence in place for the responders.
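To make concrete what "evidence that lives only in memory" means, here is an added example (not code from the article or from Domain) of the kind of volatile snapshot a responder takes before any power action. It assumes a Linux host, POSIX sh, and root privileges for full process and socket detail; the output directory and tool list are the example's own choices. Tools missing from the host are recorded rather than treated as fatal, and every collected file is hashed into a manifest so the forensics team can later prove the snapshot was not altered.

```shell
#!/bin/sh
# Volatile-evidence snapshot for a Linux host suspected of compromise.
# Run it BEFORE any power or reboot action: everything collected below lives
# only in memory or in the running kernel and is gone after a shutdown.
# Assumptions (example's own, not from the article): Linux, POSIX sh, run as
# root for full detail; an unprivileged run still produces a partial snapshot.

OUTDIR=""

# collect NAME TOOL [ARGS...]: write TOOL's output to $OUTDIR/NAME.txt.
# A missing tool is noted, not fatal, so the snapshot never stops halfway.
collect() {
  name="$1"; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$@" > "$OUTDIR/$name.txt" 2>&1 || true
  else
    echo "tool not available on this host: $1" > "$OUTDIR/$name.txt"
  fi
}

# capture_volatile DIR: collect volatile state into DIR (ideally on external
# storage, never on the suspect disk), then hash every file into a manifest.
capture_volatile() {
  OUTDIR="$1"
  mkdir -p "$OUTDIR" || return 1
  date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUTDIR/capture_time.txt"
  collect uname uname -a                  # kernel and host identity
  collect uptime uptime                   # when it last booted
  collect logged_in who                   # interactive sessions right now
  collect processes ps -ef                # process list with parent PIDs
  collect sockets ss -tulpan              # listening/established sockets + owning process
  collect proc_net_tcp cat /proc/net/tcp  # raw fallback present on every Linux host
  collect arp_cache ip neigh              # which LAN hosts this machine talked to
  collect routes ip route
  collect mounts mount                    # unexpected mounts (staging areas)
  collect kernel_modules cat /proc/modules
  # Manifest: later verification proves nothing was altered after capture.
  (cd "$OUTDIR" && sha256sum *.txt > MANIFEST.sha256)
}

# verify_snapshot DIR: returns 0 only if every file still matches the manifest.
verify_snapshot() {
  (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1)
}
```

Typical use is `capture_volatile /media/evidence/$(hostname)-$(date +%s)` onto removable storage, followed immediately by network isolation, with the directory and its MANIFEST.sha256 handed to the forensics team; `verify_snapshot` on that directory at hand-over, and again later, shows the evidence is the same as what was captured.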
2. Refer to your Incident Response Plan
You should have an Incident Response Plan — a strategy that details who to contact, who to bring in, and what to do when an incident occurs. This includes working with insurance or a data forensics team.
We create Incident Response Plans for the same reason we do fire drills: to ensure everyone knows what to do before the worst happens. An Incident Response Plan, like a fire drill, can help prevent panic and mistakes, identify weak points, and ensure you’re prepared.
If you don’t have a plan, refer to your Chief Information Security Officer (CISO) for help in creating one. And if you don’t have a CISO, it’s time to consider it. MSPs, like Domain, offer CISO as a Service (CISOaaS) for organizations that want flexibility and great support at the same time.
3. Understand That Incident Response is a Process
It’s a team effort to mitigate an incident. It’s also a team effort to prevent incidents. It takes cooperation, time, and planning. Your management team, your insurer, your IT team, and your cybersecurity team all need to work together to make sure you’re taken care of.
Remember that you lessen the chance of an incident or breach when you have multiple security layers. Look to your security layers before an incident happens:
• Managed Detection and Response (MDR)
• SIEM (Security Information and Event Management)
• Internal Vulnerability Scanning
• Monthly Phishing Simulation Campaigns
• Documented IT Policies
• Experienced and Proactive Managed IT Services
Note that having these items in place is part of due diligence: you can’t guarantee that you won’t have a breach or a serious incident, but being able to show that reasonable protections were in place reduces the chance of regulatory fines on top of the cost of dealing with the breach. Working with an IT Managed Services Provider or a CISO to build up your security layers is your biggest opportunity to move forward. Interested in learning more? Reach out to Domain to talk about what IT could be for your company.
Join us for a free virtual discussion on Incident Response
What is your strategy for an incident? What are your steps to mitigate incidents? What will you do if your company ever faces a breach?
Join us for a panel discussion on Thursday, April 29th at 10:00 AM. Three leading cybersecurity experts from Domain will discuss how you can implement an incident response plan to protect your business from a breach.