Incident Response Planning: Mitigating Risk

October 29, 2020 | Data Security

We can do everything possible to prevent a cybersecurity incident, but no security plan is 100% foolproof. As fast as the cybersecurity industry works to roll out new solutions to protect businesses from ransomware and other malware attacks, cybercriminals work to roll out new schemes to penetrate your security, trick your employees, and find a way into your network.

Even the most well-developed, NIST-based cybersecurity plan can be vulnerable. That’s why responding to incidents is part of a comprehensive plan. If you’re working with a managed IT provider who guarantees there is no risk, you should be concerned. None of us in the industry can make that promise. That’s why, in addition to investing in the right cybersecurity plan for your business, you must also invest time in incident response planning to mitigate risk should an incident occur.

Incident Response Preparation

Why do you need an incident response plan? There are several reasons. The most crucial reason is that your response can limit the scope and damage of an incident. A quick response limits how far into your network the cybercriminal is able to penetrate. Incident response planning requires you to consider the following factors:

Cybersecurity Audit

Preparing for an incident requires you to know where your highest risks lie. You can mitigate these risks to the greatest extent possible, but an audit is more than just identifying gaps in your security. It also allows you to identify the assets and data that are most critical to protect.

Put Actual People in Charge of the Response

Do not simply delegate responsibility to random business titles or make a laundry list of what needs to be done. Tag specific people to take responsibility for your response to an incident. From listing what specific actions will be taken and who is responsible for them to clearly delineating the chain of command and communication protocols, put real people in control.

Contain the Incident

This may be the most critical step of your incident response planning. How will you prevent the incident from getting worse? Which people need to be involved (internally and outsourced) to ensure that you limit the incident as quickly and effectively as possible? You and your IT team will need to take immediate steps to limit the attack by taking servers offline.

Focus on Your Backups

Make sure your cybersecurity plan includes offsite backup and data recovery so that you can shut down a breach and restore your data from an unconnected backup source. During an incident, attackers will often lock both your data and your backups, then ask for a ransom to regain access to that data. Having an offsite copy of your data can help prevent that from occurring.

Identify and Remove Vulnerabilities

Once you’ve stopped the immediate threat, you can then focus on identifying how the breach occurred and how to prevent it from happening again. Whether it was a link that was clicked on by an employee, a compromised password, a failure to patch in a timely manner, or an internal security issue, identifying and remedying the issue is crucial.

Notifying Customers

If an incident results in a data breach that was not sufficiently contained before consumer data was lost, notification should be immediate. Not only do you need to notify your customers but also local authorities and, potentially, the FBI. There is no reason to withhold notification; in fact, the sooner you notify your customers, the better. Ohio businesses that have a proper cybersecurity framework in place will have safe harbor.

You can count on thinkCSC to help you minimize the impact of global threats with continual monitoring and threat detection. Some of the services we offer to strengthen your infrastructure include vulnerability scanning, internal and external penetration testing, web app penetration testing, security assessments, policy development, and security awareness training. Contact us to learn more.