
How enterprises can raise their cyber security readiness by going through 3 stages of preparation

Since regional enterprises are continuously facing the possibility of cyber security incidents and breaches, it is important for them to raise their levels of readiness and preparation, through well-defined plans and processes, explains Biju Unni, Vice President, Cloud Box.

It is now well established that regional enterprises, small, medium or large, need to manage the eventuality of when they will be breached rather than if they will be breached. Reacting to a cyber incident plunges an enterprise into damage control mode, and the extent of that reaction depends on the severity of the incident.

The more rigorous an enterprise's preparation for managing a cyber incident, the more likely it is to combat the threat successfully. While defending against any cyber incident requires skill, expertise and technology, it can be managed, and the outcome depends on the preparation efforts the enterprise has made.

Enterprises need to prepare, assess, and practise a cyber incident response plan that concludes with a recovery process. Without a well-rehearsed and practised cyber security incident response plan, a Chief Security Officer would find it challenging to explain to the board, top executives and customers why the organisation was not prepared to defend itself.

Corporate compliance around disclosure of cyber incidents means that the incident will eventually be publicised in the media. It is for this reason that regulators, auditors, and stakeholders expect enterprises to have a well-established cyber incident response in place to limit the impact on the corporate brand's reputation, as well as the impact on employees, customers and shareholders.

According to the 2023 Thales Data Threat Report, 51% of global organisations did not have a ransomware incident response plan. The imperative for enterprises is therefore to prepare a well-documented and well-rehearsed response plan for various types of incidents.

There are three primary stages for developing a cyber incident response plan.

  1. Building a response process

The response process for a cyber incident should be documented and described in detail. This process will name a coordinator to ensure the process is rolled out sequentially, a grading of severity, and escalation paths in case of delays or failures.

Grading the incident by severity is an important part of this process and can use the area of impact as a guide, including whether the incident can affect safety, privacy, finance, reputation, data or operations. Cyber security administrators may use internal levels of severity such as low, medium and high, together with a flag for whether the incident constitutes a crisis.

Each of these category levels generates a unique process for response and a minimum escalation path. They also define the stakeholders who need to be informed and the service level agreements that need to be in place for remediation. Documenting the process with stakeholders and end users helps to build a joint team effort towards containment of the incident.
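As an added illustration of the grading and escalation model described above (example code written for this article, not a Cloud Box tool), the following Python sketch maps the impact areas named in the text to a severity level, attaches an assumed stakeholder list and remediation SLA to each level, and escalates one level when an SLA lapses without containment. The impact scoring rule, the SLA values and the stakeholder names are assumptions for the example.

```python
from dataclasses import dataclass, field

# Impact areas named in the text; each scored 0 (none) to 3 (severe) by the coordinator.
IMPACT_AREAS = ("safety", "privacy", "finance", "reputation", "data", "operations")

# Assumed escalation table (not the article's): level -> (stakeholders to inform,
# remediation SLA in hours, level to escalate to when the SLA lapses).
ESCALATION = {
    "low":    (["service desk"], 24.0, "medium"),
    "medium": (["security team lead"], 8.0, "high"),
    "high":   (["CSO", "IT director"], 2.0, "crisis"),
    "crisis": (["CSO", "CEO", "board", "legal and PR"], 0.5, None),
}

def grade_incident(impacts: dict) -> str:
    """Map per-area impact scores to low / medium / high / crisis.
    Assumed policy: the worst single area sets the grade; any safety impact of 2+
    or two or more areas scored 3 is treated as a crisis."""
    unknown = set(impacts) - set(IMPACT_AREAS)
    if unknown:
        raise ValueError(f"unknown impact areas: {sorted(unknown)}")
    worst = min(max(impacts.values(), default=0), 3)
    if impacts.get("safety", 0) >= 2 or sum(v >= 3 for v in impacts.values()) >= 2:
        return "crisis"
    return {0: "low", 1: "low", 2: "medium", 3: "high"}[worst]

@dataclass
class Incident:
    title: str
    level: str
    level_since: float          # hours after the incident opened when this level was set
    contained: bool = False
    log: list = field(default_factory=list)

def stakeholders_for(level: str) -> list:
    """Who must be informed at a given severity level."""
    return ESCALATION[level][0]

def escalate_if_overdue(inc: Incident, now: float) -> str:
    """Raise the level one step when the current level's SLA has lapsed without
    containment; at crisis there is no higher level, so re-notify instead."""
    _, sla, next_level = ESCALATION[inc.level]
    if inc.contained or now - inc.level_since <= sla:
        return inc.level
    if next_level is None:
        inc.log.append(f"t={now:.1f}h crisis SLA lapsed; re-notify {stakeholders_for('crisis')}")
        inc.level_since = now
        return inc.level
    inc.log.append(f"t={now:.1f}h SLA {sla}h lapsed at {inc.level}; escalate to {next_level}")
    inc.level, inc.level_since = next_level, now
    return inc.level
```

The coordinator would call `escalate_if_overdue` on each status check; the log records every SLA breach so the post-incident review can see where the process stalled.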

  2. Detailed response plans

While building a generic response process to manage any type of cyber incident based on its severity is useful, it is also important to develop detailed response processes for specific types of incidents. Ransomware is a typical example: it is commonly prevalent and capable of disrupting operations, and is therefore a high-impact, severe cyber incident.

The most important criterion here is to identify the point of attack and reduce the time from the moment of attack to the point of containment, while limiting the disruption to business operations through well-built recovery and fail-over operations.

A typical cyber incident response plan for ransomware will identify and isolate the breached endpoints, reset breached end-user credentials, analyse the incident and classify the ransomware attack and malware, and finally catalogue and document all indicators of the breach.

Ransomware impacts the enterprise horizontally and vertically and the Chief Security Officer needs to collaborate with all stakeholders to build specific business and operations recovery plans.

  3. Scenario simulations

The last stage is to realistically simulate a cyber incident and get all end users and stakeholders to react as per the detailed response processes and operations that have been documented and made available. These simulations must include decision makers and top executives.

During the simulation, end users are alerted that a cyber incident has occurred and its impact is simulated, for example loss of access to data, networks, specific applications or a group of end users. As the simulation progresses, the various stakeholders and end users are alerted to the progress of the incident and are expected to react as per the defined processes and operations.

No advance information is given to end users and stakeholders about how the simulated crisis will unfold. This uncertainty, and their need to take charge and react towards containing the incident, brings the exercise close to a typical real-life scenario.

Real-life cyber incidents are characterised by high levels of uncertainty and a continuously evolving situation that is best tackled by well-defined processes, clear responsibilities, and enterprise-wide group simulations. The better the preparation, the more likely the incident response plan will progress satisfactorily.

Image Credit: Cloud Box
