It is time to say goodbye to the incident response plans of “cyber past” and welcome a new approach.
This is the word from Spiros Fatouros, Marsh Africa CEO, who says: “Incident response planning is one of the 12 cybersecurity controls that most cyber insurers ask Marsh clients about during the underwriting process. And rightfully so. Creating and testing a cyber-incident response plan before an incident occurs has long been a proven best practice.
“Persistent and pervasive cyberattacks underscore this need, whether they occur due to bad actors looking for economic gain or state actors working under political motives.
“As organisations that have experienced a cyberattack are learning, a cyber response is a complicated project to manage. Modern-day cyber incident response plans should be refreshed, with a new focus that takes into account evolving forms of cyberattacks, such as ransomware, and the increased sophistication of cyber attackers,” adds Fatouros.
When developing or updating incident response plans, he says an organisation will be well served to incorporate new best practices, including:
- Host incident preparation response plans off-network in a location that can be safely accessed by all incident response team members – Time is a precious commodity when responding to an attack in today’s cyber threat landscape. Attackers will often enter a network and encrypt its data, making it impossible to access any pre-determined plans or time-sensitive contractual requirements, preventing the possibility of a rapid response. The ability to quickly access and execute the incident response plan can mean the difference between success and failure.
- Establish a secure, off-network, cyber “war room” and communication channel for incident response team members and external incident response vendors to communicate – Safe and secure communication is extremely important when responding to an attack. Any type of confidential information, including copies of cyber insurance policies, should not be emailed or shared on the corporate network. If the network is compromised, this information could fall into attackers’ hands and be used against your organization. For example, attackers that have located cyber insurance policies have been known to match their extortion demands with cyber policy limits, gain access to credentials, and/or attend incident response virtual meetings.
- Build and test response workflows for each type of incident to which your organization may be exposed – Incident response tools, resources, and protocols are not one size fits all. Responding to an incident is incredibly complex. For example, how an organization handles a ransomware demand should differ from the response to an accidental data breach. All incident response team members should thoroughly understand — and prepare for — their precise role during a cyber-incident.
An agile and modern cyber incident response plan works together with other critical information — such as clearly identified team members and a copy of the cyber insurance policy. When stored on a secure cloud-based platform outside of your organisation’s network, the plan can avoid slow response times and reduce the financial and reputational impact of a cyber-incident.