Our recent blogs looked at the steps you need to take to guide your business through a cyber security incident that threatens to bring your organisation’s processes to a grinding halt. First up was preparation, then came detection, followed by the action plan, and here, we turn our attention to the follow-up and what you need to do once the dust settles.
Having prepared for, detected and acted upon a cyber security incident, it’s not enough to simply wipe your brow, make a quip about that being ‘a close one’ and then return to business as usual. It is important not just to close off the event, but to learn from the incident and assess what future improvements to cyber security practices you need to implement.
You need to understand how and why the incident happened in the first place, what the details of the event were, when exactly each stage of the intrusion or attack took place, and who was involved in the exposure, detection and handling of the incident. This will not only be a useful reference document should a similar incident occur, it will also give you insights into the steps you need to take to prevent your organisation from being vulnerable to more incidents.
The Incident Report
Just as comprehensive documentation at the preparation stage and activity logs during the action stage help you deal with a cyberattack from malware or ransomware, or the loss or theft of data, you need to keep records of exactly what happened throughout the cyber security incident so that you can review your response and consider future improvements that will prevent more such incidents.
The data you gather regarding the incident and its impact will help evaluate how effective your response plan is, how it might be improved, and what IT budget you need to assign to further protection and response.
Highlighting where shortcomings in security software and best practices were revealed, and what steps were necessary to fix vulnerabilities, gives you a clear overview of the upgrades and improvements your company needs to invest in.
The following should be considered when reporting on the incident:
- The date and time of the incident – logs should be able to provide information on when the intrusion, attack or data loss occurred.
- The type of incident – was it a case of malware or ransomware, or one of data loss due to a breach in security protocols?
- The cause of the incident – were the company’s firewalls or cyber security software inadequate to deal with hacking, did a team member open or download a suspicious file, or was sensitive information lost?
- The location of the compromised system(s) or device(s) and their function – did the incident stem from a mobile device, an in-house server or a cloud server?
- Detection details – did the security software identify the threat, or did a team member notify IT support of noticeable changes in functionality within the IT infrastructure?
- Steps taken – what exactly was done to contain and deal with the security incident? This should include details of all tickets raised with IT support and all actions taken according to the response plan.
- Response team involvement – who was involved in solving the incident?
- Evidence collected from the detection and eradication of the incident – did the business identify the source?
With all of this information gathered, the CTO, or whoever is in charge of overseeing the report, can assess whether the business followed proper protocols and whether improvements need to be made, and can outline their findings in a review of the incident.
The Incident Review
With the report in hand, call together all relevant personnel responsible for any part of the incident response plan, and review every step of the process. Like any post-mortem, this should be done as soon as possible after the event, and should raise some of the following questions:
- Was the cyber security incident response plan followed by everybody involved? If not, you need to ask why.
- Where did the process break down? If it was followed properly and the organisation still found handling the incident to be difficult, what can be done to improve this process to make it more streamlined and effective in future?
- Was the incident detected and communicated in time to act upon it with minimum disruption to business activities? If not, what could be done to improve this process?
- Did any part of the response plan actually inhibit detection or eradication, or the recovery process? What were the reasons for this? For example, did the decision not to shut the network down completely lead to malware taking further hold of the company’s systems and devices? What can be learned from this?
- What improvements need to be made to bolster the cyber security of the organisation and avoid similar incidents? Is the cyber security culture in the organisation adequate, and if not, what can you do to educate staff on best practices and policies?
- Are there any indicators of the incident that were missed? If so, what do we need to implement and invest in so that these can be better monitored to detect future incidents?
- Did the organisation have the necessary tools, software and IT support in place to handle the cyber security incident from the detection to resolution stages? If not, is a security audit required to reveal what additional resources and assets the company should invest in?
- If the incident was handled by an in-house IT team, would they benefit in the future from having the help of an outsourced IT support service with expertise in cyber security?
Documenting the incident from start to finish, outlining what happened, what effect it had, how it was handled, and what the end result was, means you will have a detailed outline of what can be done should a similar incident arise that requires the same procedures.
This review should be shared with all relevant stakeholders, including at board level, highlighting what the incident entailed, how it was managed, as well as where it went according to plan, or was found wanting.
Continue to Man the Fort
Just because a cyber security incident has been resolved, it doesn’t mean you can afford to relax. Cyber threats are always there lurking, trying to find a way into your systems and waiting to pounce, so make sure your organisation continues to implement all security best practices and your IT continues to monitor all activity closely, paying particular attention to activity that indicates similar threats to the one you just got rid of.
You should also consider whether your organisation was the victim of a targeted or random cyberattack. If the attack was focused on your website, it could have been targeted, but if it was the result of a team member simply falling prey to phishing, the attack was probably random. Either way, knowing this will help inform you of the measures you need to take to make sure it doesn’t happen again.
Act on Your Findings
Based on your findings from the review, your organisation needs to decide on what is needed to strengthen your online defences. While unpleasant, and potentially threatening to your business, a cyber security incident should be seen as an opportunity to improve and learn from your mistakes.
Whether that means increased staff education on cyber security best practices, a review of your IT resources, a review of your outsourced IT partner’s abilities, an upgrade to your current cyber security software, or an addition to your IT budget, the result of the incident should be a clearer idea of what your organisation needs to stay ahead of cyber threats and keep business running as usual.
As certified GDPR practitioners, the team at Optimity are experts in cyber security. We can help you build an effective cyber security incident response plan, and advise on and implement the software and best practices you need to keep your business safe from attack.