Three Mistakes Business Owners Make During Cybersecurity Incident Response | Domain Technology Partners

By Haley Clark & Nick McCourt

Imagine you’re facing a worst-case cybersecurity disaster. Your business has been hacked, and there’s ransomware holding your business hostage. What happens now?

Hopefully, you have an IT team, and the first thing you do is reach out to your IT point of contact. If you have cyber insurance, you should be reaching out to your insurer. Your IT team is going to work, often with a forensics team, on Incident Response.

And IT knows what to do. They have a plan and they’re following it.

The Five Steps of Incident Response Are:
1. Preparation
2. Detection and Reporting
3. Triage and Analysis
4. Containment and Neutralization
5. Post-Incident Activity

These are great steps to follow for IT, but what about the rest of us? What do we need to know when something happens?

1. Don’t Touch that Power Button

As cybersecurity experts, we tend to receive the same response from the organization, and sometimes even from the internal IT support: “We need to shut this down now to prevent any more damage. And we need to get back up and running as soon as possible.”

The issue with turning off servers, computers, and applications is that we lose evidence. When the evidence is erased, it becomes that much more difficult to determine what the attack vector was, what steps the attacker took during the incident, and how deep a threat actor has gotten into the organization. This might actually make the recovery process slower.

Turning off compromised equipment is the equivalent of cleaning up a crime scene before the detectives come on the scene. Or, given that the attack may still be ongoing, it might be more like locking the doors while an armed robbery is still taking place at your business.

2. Refer to your Incident Response Plan

You should have an Incident Response Plan — a strategy that details who to contact, who to bring in, and what to do when an incident occurs. This includes working with insurance or a data forensics team.

We create Incident Response Plans for the same reason we do fire drills: to ensure everyone knows what to do before the worst happens. An Incident Response Plan, like a fire drill, can help prevent panic and mistakes, identify weak points, and ensure you’re prepared.

If you don’t have a plan, refer to your Chief Information Security Officer (CISO) for help in creating one. And if you don’t have a CISO, it’s time to consider it. MSPs, like Domain, offer CISO as a Service (CISOaaS) for organizations that want flexibility and great support at the same time.

3. Understand That Incident Response is a Process

It’s a team effort to mitigate an incident. It’s also a team effort to prevent incidents. It takes cooperation, time, and planning. Your management team, insurance, IT team, and cybersecurity all need to work together to make sure you’re taken care of.

Remember that you lessen the chance of an incident or breach when you have multiple security layers. Look to your security layers before an incident happens:
• Managed Detection Response
• SIEM (Security Information and Event Management)
• Internal Vulnerability Scanning
• Monthly Phishing Campaigns
• Documented IT Policies
• Experienced and Proactive Managed IT Services
• Backups

Note that having these items in place falls into Due Diligence: You can’t guarantee that you won’t have a breach or a serious incident, but you can prevent being fined on top of the cost of dealing with a breach. Working with an IT Managed Services Provider or CISO to help build up your security layers is your biggest opportunity to move forward. Interested in learning more? Reach out to Domain to talk more about what IT could be for your company.

Join us for a free virtual discussion on Incident Response

What is your strategy for an incident? What are your steps to mitigate incidents? What will you do if your company ever faces a breach?

Join us for a panel discussion on Thursday, April 29th at 10:00 AM. Three leading cybersecurity experts from Domain will discuss how you can implement an incident response plan to protect your business from a breach.

We do IT differently.

Find out what sets us apart from all the other IT companies out there.
