It’s not a matter of if your organization will experience a data breach, but when. The 2022 Thales Data Threat Report found that more than half of all organizations (52%) had experienced a breach – and that’s only the ones that have been discovered.
While many organizations are making progress with best practices around cloud data protection, encryption, and zero trust policies, they don’t always have a formal policy in place to deal with cybersecurity incident response. For instance, Thales found that only half of companies with revenue over $1bn have a formal plan in place to deal with a ransomware attack.
It’s crucial to take proactive measures to mitigate the risk of a cybersecurity attack – but when it happens, it’s just as important that you’ve run through all the fire drills you need to be confident that you can extinguish the flames as quickly as possible.
By investing in building an incident response plan now, you'll pay less later in terms of wasted time and resources. Here are some guidelines for setting up your strategy.
Understand the need for a systematic incident response plan
In the aftermath of a “boom”, or cyberattack, organizations often have a disconnect in understanding who’s responsible for managing the process of recovery and flow of information.
It’s a chaotic time when things are broken into and destroyed, and there's information that you need from disparate parties and places. As you go through this incident response process, you're essentially running around the barn with your hair on fire looking for all of the farm tools that someone stole, while the foxes are still roaming around looking for livestock to kill.
The disconnect that I’ve consistently found in my work with cybersecurity incident responses is that the board sometimes starts asking questions to the CISO or CEO, but they don't know where to get the information, or how to engage the internal and external experts who can help them with that process.
You don't just need people from within your own organization to play ball. You need to engage with a mix of different organizations including government organizations, but also private contractors who you pull into the mix when you have these problems. In order to have the best chance at recovery, you should set up a plan with all of your stakeholders before you get hit – not after.
Build a customized incident response playbook
Companies have a lot of siloed knowledge when it comes to dealing with a potential breach: “this is who I call when this happens,” or “this is the data that I need at this point in time.”
So how do you get all of that information in one place, so that you have something to turn to for a planned and structured approach to post-boom exercises?
This is an opportunity to bring together all of your institutional knowledge around cybersecurity incident response, including the knowledge that you gather in tabletop exercises, or in ad-hoc conversations with your counsel or insurer. Once you establish a formal step-by-step process and build it into a program, it will walk you through all the steps and all the people that you need to talk to when something goes wrong.
Your program can be customized based on your organization’s industry and the criticality of the attack. For example, if you run an organization that orchestrates a space mission, you would handle an incident much differently than a financial services agency would. With the financial services firm, people might lose money – but the spacecraft, on the other hand, could explode.
Make sure that you have a plan in place that can help you prioritize your response based on the level of urgency you face and what’s at stake if you don’t respond appropriately.
Key benefits of an incident response solution
By automating your incident response plan with a technology solution, you’ll be prepared to put all your stakeholders and information assets in the ideal position to mitigate the severity of the attack. Key benefits of embracing an incident response solution include:
- Faster response and recovery time
By formalizing the chain of command within an incident response platform, you’ll be able to speed up decision-making to reduce losses in the aftermath of an attack. When you can understand who has authority to act, and what role each stakeholder plays, you can jump into action immediately, ensuring that you have authority to protect critical systems before they are further compromised, and that your organization can put its remediation plan into place effectively.
- A trusted platform for communications
When you get attacked, your entire system may be compromised. You may not be able to trust your email servers or your standard communication channels – how do you trust that someone’s not eavesdropping and trying to understand your next move? By using an out-of-band communications system for your incident response process, you can turn away from the mess that is unfurling on your system, and move to a platform that you can trust, with confidence that your attacker won’t be able to intervene or read signals from your behavior.
- Reduced fees associated with recovery costs
In the aftermath of an attack, organizations often spend millions dealing with the fallout, hiring legal counsel and business consultants to help them muddle through the recovery process. The city of Atlanta, for instance, spent $17 million to recover from a ransomware attack in 2018. While using a software solution won’t eliminate the need for legal support in the aftermath, it can help you systemize the recovery process and give clarity around how you can engage your team most efficiently and expediently – helping to save time and cut costs on consulting fees with a dedicated action plan.
- Reduced friction in determining liability
Whether in court proceedings or the court of public opinion, it’s important to show that you did everything you could to both prevent the attack and mitigate its severity. With a software solution, you can easily showcase all the documentation of your action plan, demonstrating that you followed it to the best of your ability. That will help you build a strong defense and gain clarity around where blame should be assigned, so that your company doesn’t suffer undue reputation damage or legal liability.
Having consulted and delivered guidance on the product during its founding stage, I’m confident in recommending CYGNVS as a best-in-class incident response solution. It’s been engineered to help organizations handle the fallout from a cyberattack as quickly and efficiently as possible, helping them create a playbook that they can follow effectively to mitigate damage – even in the midst of chaos.
Prof. Gregory Falco has been at the forefront of space system and critical infrastructure security in both industry and academia for the past decade. Falco is an Assistant Professor at Johns Hopkins University’s Institute for Assured Autonomy and the Civil and Systems Engineering Department. He is the Director of the Aerospace ADVERSARY Lab at Johns Hopkins. He has been listed in Forbes 30 Under 30 for his inventions and contributions to critical infrastructure cyber security, is a Fulbright Scholar and is the recipient of the DARPA RISER and DARPA’s Young Faculty Award for work on building a zero-trust marketplace ecosystem for space systems. Prof. Falco serves as a member of the Department of Homeland Security’s Space Systems Critical Infrastructure Working Group and has been awarded contracts relating to space system security for AFRL, US Space Force, NASA and DARPA. He is also a Research Affiliate at MIT’s Computer Science and Artificial Intelligence Laboratory. Falco completed his PhD at MIT’s Computer Science and Artificial Intelligence Laboratory, Master’s degree at Columbia University and Bachelor’s degree at Cornell University.