by Scott Jack
Content Contributor, E-N Computers
7+ years experience in healthcare IT and tech support.
Businesses of all sizes are affected by cybersecurity incidents. Small businesses in particular are seeing a sharp increase in cyberattacks as they become easier and relatively inexpensive to carry out. Because of this, it’s important to proactively improve your computer network security and to have a plan in case you become a victim of cyber crime.
Developing a cybersecurity incident response plan ahead of time gives you the ability to recover more quickly and with less worry than approaching the situation unprepared. In this article, we will touch on some common types of cybersecurity incidents, the stages of incident response, and who your partners will be when you are affected. First, let’s discuss what constitutes a cybersecurity incident.
When you are dealing with an event that could jeopardize your data and systems, you need to be able to act fast. Develop an incident response plan (IRP) now that identifies your response team members, their roles, and the process you will follow. It will include limiting the damage, investigating your vulnerabilities, restoring your data and systems, and improving your security.
What Constitutes a Cybersecurity Incident?
A cybersecurity incident can be described as “an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems.” (DHS, 2016) Common examples include ransomware attacks, hacking and infiltration, data breaches, and extortion.
In a ransomware attack, your data is locked away for ransom. This could happen opportunistically or you could be targeted. In either case, the attacker surreptitiously installs software on your computer system that encrypts, or locks, your data away with a secret key. They then demand ransom money in exchange for the key. If a business follows government guidance and refuses to pay a ransom, any encrypted data becomes irretrievable. Remediation typically involves resetting the computer to a like-new state and restoring data from backups.
Hacking and infiltration is an intentional attack with the purpose of finding vulnerabilities, getting login credentials, or adding backdoors to your systems. It could also have a surveillance purpose: to observe digital behaviors and procedures within your organization that enable a more targeted attack. Hacking can, but does not have to, result in a data breach.
Data breaches occur when data is accessed by an unauthorized person or group. We are all familiar with major data breaches like T-Mobile, Equifax, and OPM. They often result in the exposure of personal information like name, social security number, financial details, and passwords. They can be carried out by state-sponsored attackers and hackers looking for information to sell. They are also inadvertently, negligently, or maliciously caused by company employees.
Extortion is also a cybersecurity threat. In extortion schemes, criminals make a threat and demand payment. This might consist of blackmail, where sensitive information will be released if they are not paid. Or they may threaten a DDoS, or distributed denial of service, attack that renders your website and other critical network services unusable by flooding them with traffic. Another possibility is stealing and holding information hostage for ransom.
Just as the field of technology continues to change, so do cyberattacks. So it is important to stay alert, to maintain good security hygiene, and to have a plan in place in case you become a victim of cyber crime. That plan will require the cooperation of an entire team. Who should be involved?
Developing an incident response plan requires that you have access to multiple resources. Don’t scramble for this info when you have a cybersecurity incident — keep it organized and in one place with our free IRP Worksheet.
Assemble a Cybersecurity Incident Response Team
Successfully recovering from a cyber incident requires the involvement of several partners. Though all will play a part in your recovery, each has their own area of focus. Consider the following essential roles.
Response coordinator. Designate a member of your staff who will communicate with your partners, receive status updates, and make sure that the project continues to move in the right direction. This should be an executive so that they can make decisions as needed and advocate for the business’s interests.
Insurance company. General liability and cyber liability policies cover different things. Cyber insurance is designed to handle expenses incurred from cyber attacks like business interruption costs, breach notifications, disaster recovery, legal expenses, and direct losses such as electronically stolen funds and ransom payments. Be familiar with what each policy covers as well as your coverage limits.
Legal counsel. If you are dealing with a data breach, your lawyer will guide you through notification requirements. They can also assist you in reporting the incident to law enforcement.
Incident response and forensics company. This partner will perform a thorough investigation to determine what was accessed and compromised, identify vulnerabilities that contributed to the breach, and provide recommendations on how to harden the security of your systems. Your insurance company may choose this company.
IT support company. Your IT support company is an invaluable resource during incident response. They will assist with finding and removing compromised machines from your network, restore data and systems, complete recovery and system improvements, and monitor your network for future attempted intrusions or data exfiltration.
For the most efficient response, you want to have these relationships in place before you are hit by an attack. In advance, talk with each partner to find out what will happen when you call them to handle a cybersecurity incident. Your notes from these conversations can help you plan and feel more prepared. Now let’s consider the stages of cybersecurity incident response.
Stages of Cybersecurity Incident Response
Incident response can be divided into four stages: evaluation, investigation, restoration, and recovery and follow-up.
Evaluate the Situation
Proactive detection can help you to catch an incident before it causes extensive damage. It is critical to act promptly when an incident is detected. The goal at this stage is to stop the situation from becoming worse. Compromised computers should be immediately disconnected from the network. You will want to make an initial determination of what is affected and isolate key systems to prevent further damage. Your incident response and forensics (IRF) partner, along with your IT support, will complete a comprehensive analysis of impacted data and systems.
Investigate In Detail
In addition to determining what was affected, you need to know how it happened and how to prevent it in the future. Your insurance company and IRF will be interested in the answers to these questions. Your IRF partner will examine your systems and processes for vulnerabilities that enabled the incident, and make recommendations for hardening your security.
Restoration of Data and Systems
Now restoration of data and systems can begin. Having backup and disaster recovery (BDR) and business continuity plans will help this stage move more smoothly. Follow the modified processes in your continuity plan to keep doing business with minimal disruption. Meanwhile, your IT support company will verify that your backups were not compromised, then begin to restore the data. They will also rebuild servers and workstations to ensure no malicious software remains. This process can be slower than desired depending on the course of the investigation. However, when you keep spare equipment on hand, your IT support can use it to complete the restoration process more quickly.
Recovery and Follow-up
Depending on the severity of the incident, it may take a while to fully recover. As incident response wraps up, your IT support and IRF will look for lessons learned, such as how to improve your incident response process. They will also focus on making improvements to your systems and processes. This may include upgrading your firewall, enabling multi-factor authentication, and implementing better security practices.
As cyber threats become more prevalent, security must be taken seriously by organizations of all sizes. As a small business, a cybersecurity incident can be devastating. To protect yourself, it’s important to have a solid IT arrangement. Does your IT meet the goals and challenges of your business? Our IT Maturity Evaluation is designed to let you self-assess four key IT areas: Partnerships, Strategy, Systems, and Settings. At the end it will provide steps you can take to improve your organization’s IT maturity.
Next Steps: Learn More About Downtime and Disaster Recovery
A cybersecurity incident can result in some significant downtime, especially if you are not well-prepared with good partners and a detailed plan. However, other types of problems can cause downtime, too. To find out about other common causes of downtime, what it costs small businesses, and how to mitigate your risk, read the article, What Is the Cost of Downtime for Small Businesses in 2021?
Regardless of whether you are hit by a cybersecurity incident or some other system failure or data loss, it is important to have a backup and disaster recovery plan (BDR). We have made it easy for you to get started on your BDR with The Ultimate Guide to Backup and Disaster Recovery (With Templates). We encourage you to get started today!