Putting your incident response plan into action

Over a third of organisations think they’ll be affected by cyber crime in the next two years. It’s considered the greatest threat to business growth by Australian CEOs yet only 37% of organisations globally have a cyber response plan.

How prepared are you in case of attack? In part one of this series, PwC’s cyber security partner Andrew Gordon looked at what’s needed to set up an effective incident response plan. Here, he lays out the next steps once a threat is detected.

With cyber attacks growing both in frequency and sophistication, organisations need to be prepared for the worst. Responding effectively to a cyber security breach relies on having a comprehensive incident response plan – I’ve outlined how to go about this in my previous article.

However, it’s no good just having the paperwork in place. Rehearsing the plan in advance and acting swiftly when an incident actually happens are the keys to success.

When a threat is detected

Detecting intruders and recognising cyber attacks is something the whole company needs to be across, not just IT. The sooner an attack is noticed, the less damage it is likely to wreak, so it’s wise to put together some advice and guidelines about what staff members should be looking for and what they should do if they do notice something.

With your incident response plan established, communicated and rehearsed, dealing with a breach when it occurs should be a much more orderly affair.

Your response will need to include the following steps:

1. Neutralise the threat as quickly as possible

Depending on what your attacker is likely to want to do, this might involve quietly changing passwords and moving sensitive files to different locations or taking them offline. Ideally this is done as quickly and quietly as possible so as not to alert the attacker, who may otherwise accelerate, destroy evidence or switch to a backup foothold. Before anything is wiped, reimaged or rebooted, make sure the volatile evidence you will need (memory, running processes, logs) has already been captured, or the next step becomes much harder.

Being able to make the rapid decisions required to respond to an emergency is why the response team needs executive representation. Having to wait around for managerial approval can only increase risk.

2. Start collecting evidence

Using the tools you have available, start collecting information and evidence about your attacker in accordance with your plan for its proper collection and preservation.

It’s important to have the right tools for the job at your disposal. PwC’s security team makes use of specialised endpoint visibility and forensics software produced by Tanium; however, there are a number of tools available – both commercial and open source – that are used to great effect. The key, as always, is familiarity with your chosen solution, and with the procedure for recording what was collected, when, by whom and with what integrity hash, so the evidence holds up later.
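Whatever tooling is used, the preservation step comes down to the same thing: hash each artefact at the moment of collection and record who collected it and when, so that later tampering (or an honest mistake) can be detected. The following is an added example written for this article; it is not PwC’s or Tanium’s code. The manifest layout, the case and collector identifiers and the sample log line are constructed for illustration.

```python
"""Evidence preservation: hash collected artefacts and record a chain-of-custody manifest.

Added example for this article; not PwC's or Tanium's code. The manifest
layout (fields, JSON), case id, collector name and the sample artefacts are
assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # hash in 1 MiB chunks so large disk or memory images need not fit in RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed so it works for very large artefacts."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record who collected what, when, and its hash at the moment of collection."""
    entries = []
    for p in paths:
        entries.append({
            "path": os.path.abspath(p),
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"case_id": case_id, "collector": collector, "artefacts": entries}
    # The manifest itself is hashed so that later edits to the record are detectable too.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Re-hash every artefact; return the paths whose contents no longer match.

    Returns ["<manifest>"] if the manifest record itself has been altered.
    """
    m = dict(manifest)
    recorded = m.pop("manifest_sha256")
    body = json.dumps(m, sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != recorded:
        return ["<manifest>"]
    return [e["path"] for e in m["artefacts"]
            if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]


def demo():
    """Constructed sample: two fake artefacts, one of which is altered after collection."""
    d = tempfile.mkdtemp()
    auth_log = os.path.join(d, "auth.log")
    mem_dump = os.path.join(d, "memory.raw")
    with open(auth_log, "w") as f:
        # constructed log line, not from any real system
        f.write("Jan 10 03:14:07 srv01 sshd[2211]: Accepted password for admin from 203.0.113.7\n")
    with open(mem_dump, "wb") as f:
        f.write(os.urandom(4096))  # stand-in for a memory image
    manifest = build_manifest([auth_log, mem_dump], collector="ir-analyst-1", case_id="IR-0001")
    clean = verify_manifest(manifest)      # nothing changed yet
    with open(auth_log, "a") as f:
        f.write("tampered\n")              # simulate post-collection modification
    tampered = verify_manifest(manifest)   # auth.log is now reported
    return clean, tampered, auth_log


if __name__ == "__main__":
    clean, tampered, path = demo()
    print("before tampering:", clean)
    print("after tampering:", tampered)
```

In practice the manifest would be written to separate, write-once storage alongside the artefacts, and the hashes noted in the incident record; the point is that integrity is established at collection time, not reconstructed afterwards.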

3. Limit reputational damage

It’s at this point that your controlled disclosure plans come into effect. Depending on your industry, there may also be requirements to inform regulators early of any incidents; for example, corporate regulators might need to be told about any incident that could affect long-term shareholder value, which can be the case when there has been a loss of intellectual property. Knowing in advance which regulators apply to you, and within what timeframes they expect notification, is far easier than working it out mid-incident.

4. Invoke your business continuity plans

Having business continuity plans in place that address a range of attack scenarios, from the very mild to the absolutely catastrophic, will ensure that everything required to keep the business running – systems, data, people and suppliers – is known and accounted for before it is needed.

An effective response is a team effort

If you want to be ready and able to deal with a security incident, the whole plan is going to need to be embraced as an organisation-wide issue – not just something for the IT team. Severe attacks can easily necessitate a response from multiple departments and at all levels in an organisation’s hierarchy, so this is something everybody needs to be across.

Ultimately, it’s about the mindset and knowing that it’s not a case of if, but when you will experience a security incident and have to mount an effective response, so it pays to start preparing now.

And, while we see it happening time and time again, burying your head in the sand is about as effective as it sounds. Wilful ignorance not only attracts the attention of cyber criminals; it also prevents you from reaching the level of preparedness needed to respond to an attack in a way that minimises damage to your organisation.