Incident response (IR) plans are designed to test your company’s ability to respond to a security incident. The ultimate goal is to handle the situation so that damage to the business is limited while recovery time and costs are reduced.
A recent survey by Nationwide, a large insurer, revealed that 79 percent of small business owners do not have a cyberattack response plan, and that 63 percent of them reported having been the victim of at least one type of cyberattack in the past.
It’s worth investing the time to draw up an incident response plan in advance of a cyberattack, assigning specific roles and responsibilities in order to mitigate the effects of a breach.
The questions for your clients and vendors should be:
1. How will you be ready?
2. How quickly can you detect and respond to contain the threat?
An effective incident response program should help an organization deal with ransomware, phishing, denial of service and other related attacks. It can be the difference between spending a lot of money on an incident and turning it into something more manageable.
First, your organization needs a formalized, written Incident Response (IR) plan that spells out who will carry out the response, what they will do and how. As with all cyber-security plans (including business continuity and disaster recovery plans), an IR plan must be tested periodically to ensure its effectiveness, and it should be updated with lessons learned after every invocation of the plan. Running such tests keeps the IR plan current while also, critically, helping to identify and fix weak points in the business.
Do they have the technology that could recognize a breach? This could be a security information and event management (SIEM) service like the one we deliver, or a host of others, including intrusion detection systems (IDS), network access control (NAC), endpoint security, file integrity checking software, operating system (OS) and application logs, along with network and firewall logs.
IR plans must be revised frequently and especially as the company grows. Some of the other things to consider in your plan are:
- Who gets notified first in the case of an incident, and how will they be notified?
- Depending on what happened, how will your team contain the incident?
- Are you able to collect evidence?
- Is there an alternate environment your users can work from until the incident is cleaned up?
- Will there be a need for forensic investigation?
- What authorities will you contact?
- How can you make sure this will not happen again?
Communication is essential at all times during incident response, and it’s particularly important that you have a communication strategy for how you will alert third parties and, if appropriate, internal teams.
Once an incident has been dealt with and contained, the last step an organization should take is to conduct a post-incident review and add the lessons learned to a repository that is referenced for continuous process improvement.
ChannelSOC provides a managed SIEM solution with SOC capabilities and Incident Response Services to our partners, continuously checking for anomalous activity, ensuring that you’re continuously upholding your compliance requirements with a solution that’s always-on and proactively protecting you from cyber-attacks.