Cybersecurity Incident Response
In the first installment of our cybersecurity series, we discussed the importance of developing and implementing practical Information Security policies and procedures within your organization as well as the ethical and legal obligations you have to protect sensitive data within the organization.
In this installment, we’ll take a look at the role that developing and practicing a robust Incident Response Plan plays in not only preparing for a cyber incident, but in fostering a positive Information Security culture within your organization.
There’s an old adage warning that locks on doors are designed to keep honest people out. If a burglar is sufficiently motivated, a locked door serves as little more than a temporary setback. The same can be said of efforts to protect computer networks. An intruder with the right experience and resources will likely find a way into even the most fortified of networks. Having an incident response plan in place and training your employees on that plan is key to mounting an effective response to a cyber-attack when – not if – it occurs.
Cyber Incident Response is a formalized process for addressing cyber security events, incidents, breaches, and threats. A good Cyber Incident Response Plan is tailored to your organization and positions you to quickly identify, respond to, and minimize the impact of these occurrences.
By identifying specific group and individual responsibilities ahead of an incident, the confusion that often accompanies the immediate aftermath of a cyber event is minimized. Employees should know what to look out for and whom to contact should they suspect a cyber incident has occurred. The first few hours (and minutes) following discovery of a suspected incident can make or break the effectiveness of your response and dictate whether you expose yourself to unnecessary legal risk and whether you preserve privilege over important communications and investigation materials. As such, we highly recommend bringing in legal as early as possible.
Additionally, establishing a clear response protocol with specific benchmarks and objectives helps focus the Incident Response Team’s efforts. Cyber Incident Response Plans, moreover, must stay current to remain relevant and useful. Once a cyber incident has been resolved, gathering your Cyber Incident Response Team members to conduct a hot wash helps capture the valuable insights gained during the response and identify opportunities to minimize or prevent similar incidents in the future. Update your Cyber Incident Response Plan to reflect these lessons learned.
But a Cyber Incident Response Plan is only helpful when it is utilized. To that end, your organization should not wait for a cyber incident to occur before pulling it off the shelf (hopefully not having to dust it off). Consider conducting a cyber incident response tabletop exercise or Legal Pre-Mortem to assess your organization’s response to a notional cyber incident. Keep it simple at first – there is no need to develop overly complicated scenarios. The objective is for participants to maintain familiarity with their roles and responsibilities in the immediate aftermath of a cyber incident, as well as how they should coordinate their response efforts with both internal and external partners.
Insights gained during cyber incident response tabletop exercises and Legal Pre-Mortems frequently include:
Individuals and groups are unclear about their specific roles, responsibilities, and authorities.
Key stakeholders are excluded from the Cyber Incident Response Plan.
Lines of communication are unclear – people are unsure of who they need to report to and keep updated.
Personnel changes and department reorganizations are not reflected in the Cyber Incident Response Plan.
New laws and reporting requirements are not included in the Cyber Incident Response Plan.
Effective incident response is a must for organizations in 2023. Companies should strive to develop a culture that encourages internal reporting and an understanding of the methods used in common cyber-attacks, so that these occurrences can be spotted and addressed as early as possible. Members of the Incident Response Team (including legal) must be agile and educated on the types of sensitive data held by the organization, which will inform the investigation and dictate reporting requirements. Consideration should also be given to the appropriate time to notify law enforcement and/or customers where there may not be a strict regulatory requirement in place. At bottom, good incident response comes down to your people: frequent training and practicing potential scenarios can go a long way toward minimizing the stress and chaos that often accompany a cyber incident, and toward ensuring that your costs and potential liability are minimized.
Visit Part 1: Ethics & Compliance: Let’s Talk About Cybersecurity
Scot Huntsberry, an Investigations Specialist and Sheppard Mullin ABLE Fellow in the firm’s Washington, D.C. office, also contributed to this article.