Cybersecurity Incident? What's in Your Response Plan?

With all the recent data breaches in the news, companies have no excuse for getting caught without an incident response strategy today. But just any incident response plan won't do any good unless it's tailored to your business. The time is now to make sure you're fully covered in the event your data is stolen. Let's take a moment to examine your Cyber Incident Response Plan with a roadmap you can start using immediately.

The threat of cybersecurity breaches has never been more pressing than it is right now. At a cybersecurity conference in Germany on April 30th – a full week before the highly publicized ransomware attack on Colonial Pipelines – U.S. Deputy Attorney General Lisa Monaco issued a stark warning about the rise in cybercrime, stating: "It has exploded, it has become more diffuse, more sophisticated, more dangerous than ever before."  

Far from exaggeration, D.A.G. Monaco simply stated what cybersecurity experts in the private sector have known for years: the threat is real, it is here, and organizations must be ready.  

Who is Really at Risk for a Cyber Incident?  

More than 3,000 publicly reported breaches exposed over 46 billion confidential records last year, prompting security experts to describe 2020 as "the worst year on record" for data breaches.   

Indeed, not every company operates on the scale of Colonial Pipelines or JBS Foods (who also suffered a recent high-profile ransomware attack); but that doesn't mean your company is not at risk. Any company that processes and maintains personal identification data or protected health information is at risk of falling victim to a cybersecurity breach.  

While high-profile ransomware attacks may make the most sensational headlines, the truth is that mundane incidents like hardware theft, lost devices, malicious employees, and unintentional staff mistakes also pose significant security risks for companies of all sizes.  

The Importance of Cybersecurity Preparation 

In an ideal world, organizations with comprehensive cybersecurity defenses in place would be able to completely mitigate the threat of data breaches or cyberattacks using preventative measures alone. Unfortunately, criminals in the digital sphere constantly innovate, refine their methods, and develop intricate new tools to infiltrate business defenses. This requires businesses to maintain cyber defenses and establish clear and effective incident response plans in the event that breaches occur.  

How to Develop a Robust Incident Response Plan 

Developing an effective incident response plan should be an in-depth process tailored to your organization's unique needs but should always begin with strategic pre-planning. And since each organization can be dramatically different from another, even within the same industry or field, you should avoid a one-size-fits-all approach for an effective plan.  

Start developing your incident response plans with this roadmap in mind:   

1. Identification – Also, can be described as the 'question' phase of incident response, where organizations gather as much information about the specifics of possible breaches as they can. The identification phase of incident response comprises the activity of determining whether an incident has occurred. One must identify the most critical assets (data, services, resources) and generate a good understanding of what needs to be protected. Additionally, this information gathering process will include determining when a potential breach occurred, how it happened, what areas are affected, and what the scope of its impact is. Identification is greatly facilitated by integrating comprehensive Enterprise Resource Planning (ERP) solutions, which make tracking system activity straightforward and easy.  
   
   
2. Preparation – As part of an incident response plan, organizations should establish clear protocols and procedures for possible breach scenarios. Developing possible incident scenarios focuses on response plans, identifying the critical roles and responsibilities of team members. Response plans should be well documented, easily accessible, adequately funded, and rigorously tested. This process will include extensive team member training, consisting of both instructional response plan education and regular executions of mock scenarios for practice. You should establish routine timelines for reviewing response plans, ideally at least once annually.  
   
   
3. Containment – Once a company positively determines that an incident has occurred, the next phase of incident response should be a focused effort to contain the threat. This does not mean formatting all your hardware to original factory settings or deleting files en masse in an effort to remove viruses/ransomware. Instead, as team members identify the scope of affected systems, organizations can work to prevent system intrusions from spreading further. Possibilities here include separating systems from compromised networks, restricting remote access, and updating administrative access credentials. Just as it would not be effective to bail water out of a boat that still has leaks, so too must an organization resecure its defenses before you can effectively address cybersecurity incidents.  
   
   
4. Elimination – Once a threat has been sufficiently contained, organizations can work to eliminate it from their systems effectively. This process will include completely removing malware, securely removing compromised files, applying patches and upgrades, and generally updating system software. This process must be extensive, properly funded, and adequately supported by third-party expertise. It is dangerous to go alone, so companies should take the opportunity to secure external support before an incident occurrence. 
   
   
5. Recovery – The recovery process can be lengthy and complex, depending on the scope of the incident. Ideally, companies will utilize routine redundant backups through system imaging applications, which can significantly reduce the time needed to restore systems to pre-incident conditions. However, in addition to restoring systems, companies recovering from incidents must also address the consequences of a breach, particularly in the event of compromised personal identification and health records. Proper external support is vital here, including legal counsel well versed in Notification Law compliance and Cyber Insurance expertise. 

Companies Need Cyberbreach Insurance 

Companies should not try to navigate incident response on their own. Securing the right cyber insurance is an integral part of incident response planning, helping to ensure that organizations can mitigate the adverse effects of an incident as efficiently as possible. 

Dive Deeper: See how mistakes can happen quicker than you think. 

Any company that handles, maintains, or processes personally identifiable (Driver's License Numbers, Social Security Numbers, Dates of Birth, Email Addresses and more) or protected health (Account Numbers, Medical Record Numbers, Insurance Beneficiary Numbers and more) information needs their own Cyberbreach Insurance to protect their organization against claims arising out of ransomware, a rogue employee, a staff mistake, a phishing attack, theft of hardware, lost or stolen laptop or device, and other causes of loss. 

Just as cybercriminals are highly trained experts in their field, so too should companies rely on the expertise and training of cybersecurity specialists. Cyber insurance providers offer support in developing individual incident response plans for organizations and significantly reduce the overall costs resulting from a breach.  

Learn more about all your cyber insurance options, register for our webinar.

Particularly when the amount of money needed to rescue and restore systems is more than a company can afford, the right cyber insurance can literally save a business from complete catastrophe.