Cyber Security is a threat to all businesses
Predicting the future is risky business, especially in the current environment of large uncertainty. But one thing we can be sure of is that cyber security incidents will continue to grow in sophistication and impact. In fact cybercrime is up 600% due to the COVID pandemic. (1)
COVID-19 and the ongoing pandemic has sped the adoption of digital technologies by several years and pushed companies over the technology tipping point, transforming businesses forever.
To stay competitive and cope with the new demands of remote working, new strategies and practices have been adopted. Technology is now the number one strategically important critical component of a business, not just a source of cost efficiencies.
Businesses have adopted web-facing, interconnected IT systems, CRMs and others bringing their accounts online at a staggering pace. Consumers have moved dramatically toward online channels and businesses have been forced to take a quantum leap to meet the demand. It seems no one can live with out the internet which has presented a number of new challenges on a cyber security front with cyber hackers finding new and sophisticated methods to attack.
As a business owner its your responsibility to comply with legal responsibilities and to protect your customers, staff and clients sensitive data. Cybercriminals have hit payday dirt turning their attention to smaller and unprepared businesses who have little to no defences making intrusion and attacking much less labour intensive.
It is a matter of when, not if your business will be attacked and having a cyber security Incident Response plan will ensure you have a process to follow in the event of an attack so you can respond quickly and effectively. We also recommend a cyber risk management plan to mitigate the impact of a cyber attack which works alongside the Incident Response plan.
Increase in cyber breaches reported in the last 12 months
Cyber security is a priority for senior managers.
of business do not have an incident response plan
What is an Incident Response Plan?
An incident response plan is a guide to the procedures your business will follow in the event that a cyber attack occurs within your business. An Incident Response plan should describe the types of incidents for which it will be used and outline actions that need to be taken to minimise the loss of life, property and data during and after an attack.
An Incident Response Plan should contain the following
- Activation details including a clear statement of the circumstances, and who is authorised to do so.
- Details including key roles and responsibilities of the Incident Response Team.
- Evacuation procedures
- Communication plan including key methods, timings and responsibilities
- Detailed contact list including staff and emergency services
- An event log to record information, decisions and actions you take during a crisis
Two-thirds of businesses have been a target of Ransomware. It's a matter of when.... are you prepared? We can help you start.
Why does your business need an Incident Response Plan?
Businesses must be able to identify and respond quickly in the event of a cyber attack. Regardless of the size of the breach, businesses must have an incident response plan in place to mitigate the risks of a cyber attack.
The top reasons your organisation needs an Incident Response Plan are:
1. Reputational damage
It is reported that 78% of consumers would take their business elsewhere if directly affected by a data breach. If a security breach is not handled properly and in a timely manner the business risks losing some or all of its customers.
2. Loss of revenue
Any breach is a risk for revenue loss and small to medium businesses can be greatly affected by a data breach. In fact, 60% of small and medium businesses go out of business after 6 months following a data breach. On top of the company revenue expenses such as legal, remediation, forensic investigation and regulatory and compliance fines need to be considered.
3. Minimising impact for others
It is imperative to contain the cyber attack as quickly as possible. Identifying the biggest impact on the business is important to make the priority to minimise or eliminate the disruption to other employees or aspects of the business. An Incident Response plan will help you identify the issue of where the cyber incident occurred and how you should react.
4. Data Protection
An Incident Response plan provides your team with a roadmap on how to proactively protect your data. Important measures such as regular backups, leveraging logos and security monitoring to detect attacks, proper identity and access management and patch management should be implemented across the business before an attack occurs.
Complying with regulations is also important when dealing with sensitive data. If a data breach occurs you need to know how to deal with that situation and establish what data has been compromised quickly. If your business does not comply with the local regulations, you could be up for fines.
Getting Started with your Incident Response Plan
Any business with digital assets is exposed to experiencing a cyber attack. Unfortunately, most don’t realise until it’s too late. An Incident Response plan will help you prepare for the inevitable and equip your teams with the knowledge of what to do before, during and after a cyber attack.
Your security plan should be updated on an ongoing basis – it is a live document – driving recurring detection and response activities such as:
- Threat Hunting
- Cyber incident investigations
- Incident response
- Remediation and recovery
By performing ongoing activities you will improve your security posture and protect your business from threats, hidden attackers and protect you from data breaches.
We have broken the process into 5 phases: Preparation, Detection, Response, Recovery and Follow Up.
The first phase of planning and arguably the most important in protecting your digital assets. In this phase, you will document, outline, and explain your IR teams roles and responsibilities including establishing a Security Policy that will guide all cyber activity.
- Categorise data, its location, sensitivity and value.
- Identify IT resources required – establish if any 3rd party suppliers are required.
- Assign roles and responsibilities for relevant stakeholders – IT, HR, Internal Communications, Customer Support, Legal, PR and advisors.
- Executive support is imperative to ensure buy-in from the rest of the business.
- Assign a chain of command: Who is the incident leader? Who launches the plan? Who has ‘stop work’ authority such as the emergency shut down of websites?
- Workflow the plan considering the different stakeholders. When is Legal involved? When is the media alerted? When do you report an incident to ACSC?
- Update 24*7*365 contact information for all incident response team members, backups and managers.
- Identify cyber regulatory requirements across all departments and provide guidance on the responsibilities to law enforcement and government agencies in the event of an attack.
- Maintain a list of preferred technology suppliers for hardware, forensics and other related services.
- Establish procedures for IT teams to receive actionable alerts for malware.
- Ensure ‘privileged credentials are stored in a secure centralised vault.
- Rotate privileged credentials automatically, isolate account sessions for casual employees and schedule regular scans for orphan accounts.
- Provide quality Security Awareness Training for employees to educate them on how to spot and respond to phishing attacks.
- Ensure backups are secure, regular and isolated from the main infrastructure.
- Develop a Communications Plan to enable swift action with notifications internally and externally.
Detection & Analysis
The detection phase includes monitoring, detecting, alerting and reporting on security events. This includes identifying known, unknown and suspect threats. When an incident is identified your IR team (or 3rd party supplier) should immediately collect and document information to determine the severity, type and danger of the incident.
- Develop a detection strategy based on tools that will proactively scan your physical and virtual hosts, systems and services for vulnerable applications, identities and accounts.
- Implement Endpoint Detection & Response (EDR) to detect malware.
- Assessments and audits are required to verify whether your network has been breached.
Responding to an incident may include triaging alerts from your endpoint tools to determine which threats are real and the priority in which to address security incidents. An IR activity can also include containing or preventing the spread of the threat by isolating, shutting down or disconnecting infected systems from the network. Additionally, IR operations include eliminating a threat altogether.
- Contain systems, networks, data stores and devices to minimise the incident and isolate it from spreading.
- Establish what data has been affected and the risk to the businesses.
- Delete or remove infected files and replace hardware if required.
- Log the incident and the response activity including time, data, location, and extent of damage from the attack. Details such as who found it, how it was reported, sources, times and what stage the security team was involved.
- Preserve all evidence and details of the breach for future investigation.
- Prepare communications including PR releases.
- Update network security to capture evidence.
- Engage any legal resources and review compliance risks.
- Contact law enforcement if applicable.
- Report the incident to the ACSC.
More on legislation and compliance
In an effort to significantly improve the cyber posture of Australian businesses the Australian federal government will mandate compliance across the 8 cyber security controls of the Essential 8 framework currently for all 98 non-corporate Commonwealth entities known as NCCEs). To comply, they must meet all 8 strategies and undergo a comprehensive audit every 5 years commencing June 2022.
All Australian businesses with an annual turnover of $3 million are required to report any data breaches to both impacted customers and the Office of the Australian Commissioner (OAIC) within 72 hours.
All breaches are likely to result in serious harm to individuals and customers must be reported, to be safe, all breaches must be reported to the OAIC.
In addition, the ACSC produced the Australian Government Information Security Manual (September 2021) – (ISM), which states:
Organisations are not required as a matter of law to comply with the ISM, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. Furthermore, the ISM does not override any obligations imposed by legislation or law. Finally, if the ISM conflicts with legislation or law, the latter takes precedence.
While the ISM contains examples of when legislation or laws may be relevant for organisations, there is no comprehensive consideration of such issues. When designing, operating and decommissioning systems, organisations are encouraged to familiarise themselves with legislation such as the Archives Act 1983, Privacy Act 1988 and Telecommunications (Interception and Access) Act 1979. (2)
- Complete a comprehensive report that includes details of the attack and what effects it had on the rest of the business.
- Hold a review meeting with executives to establish whether the response was appropriate and what steps are needed to further improve the security posture.
- Share the lessons – what went well and what didn’t and what needs to change for future processes.
- Review, test and update the IR plan – not just after an incident, it is recommended every 6 months or if there is a change in business circumstances.
- Proactively scan and monitor systems, networks and devices to ensure there are no vulnerabilities.
- Keep cyber security front of mind for all staff – this is “everyone’s responsibility”
The goal of an Incident Response Plan is to help your business avoid, mitigate and respond to a cyber attack in a considered and timely manner. Developing a cyber security IR plan is an ongoing management exercise, not a one-off event – it should be reviewed and updated regularly to be effective.
Businesses should introduce IR training and exercises including live attack scenarios to strengthen their cyber security posture. What worked in the past might not work tomorrow. The right IR plan should be a living document that is up to date and considers the evolving threat landscape.
Need help with your Incident Response plan?
- Cyber stats in 2021 (Source): https://www.titanfile.com/blog/15-important-cybersecurity-statistics-in-2021/
- Source: Australian Government Information Security Manual.
- Source: Essential 8 Maturity Model
- 134 Cybersecurity Statistics and Trends for 2021. Source: https://www.varonis.com/blog/cybersecurity-statistics/