Author: Andreas Pafitis, Consultant, Cyber Security
There has been a significant increase in cyber-attacks throughout 2020, which in many ways, globally and technologically, has been a year of significant change. Due to Covid-19, many organisations have had to adapt standard business processes and how technology is leveraged to continue business operations. This change in working has driven significant technological innovations (according to Gartner[1], 69% of Boards accelerated their digital initiatives in the wake of Covid-19 disruption). However, as with any change in the business model, it has also introduced new elements of cyber risk, which must be considered in order to be prepared should a cyber incident occur: is your 2019 incident response plan applicable in 2020?
Having an established incident response (IR) strategy that encompasses people, processes and technologies can mean the difference between managing a crisis and losing the fight against the attackers. This may be one of the reasons many businesses are considering the above question and taking the opportunity to improve their IR readiness.
In order to assist with such preparation, Aon recommends the following five key steps to help optimise IR planning readiness:
- Establish an incident response plan
In 2020, nearly nine out of ten (88%) companies were reported to have only ‘basic’ or ‘initial’ incident response capabilities[2], despite the continued rise in volume and scale of cyber-attacks. This indicates that insufficient planning is going into preparation and reflects the tendency some organisations have to follow informal, ad hoc processes and respond in a reactive manner. A simple starting point: if a business doesn’t have an IR plan, consider key risks and develop one. A well-documented, standardised and repeatable incident response plan outlining key roles and responsibilities should be in place to enact when needed.
- Test it. Review it. Update it
As above, if you have a plan, it is important to consider how applicable it is to the current state of your business. A good way to assess this is to test it, and not in a time of crisis. An effective way to do so is through Cyber Threat Simulation Exercises with the relevant stakeholders, which can be delivered at regular intervals to assess the efficacy of your plan.
- Understand your risks
An incident response plan should align to the wider security governance processes needed to support, define and direct the security efforts of the organisation. An important aspect of security governance is risk management: identifying the key risk factors and scenarios for your business and then evaluating the strength of the controls that protect against them. This can help you understand the level of cyber risk and prioritise mitigation and response measures.
- Understand the response stages
Having a clear understanding of IR processes (who does what, when, how and why) can enable the efficient delivery of an IR plan. A number of frameworks provide guidance on IR processes (e.g. NIST or SANS), and additional activities that can help include the development of incident categorisation models and even technical playbooks. When an incident occurs, a structured incident response workflow will help ensure a consistent and repeatable approach to incident management and, through regular improvement activities, can enable a reduced time to respond to and resolve critical scenarios. IR plans, workflows and playbooks are a game-changer for incident response and have applications across the entire security function.
- People, process, technology
An effective IR process should consider elements across the business and how they are either impacted by, or can be leveraged for, incident response; this includes people, process and technology. Consider teams, capacity and expertise within your business: how will your people be impacted and how can they help? Tooling can be critical for detection, prevention and response: consider which tool is applicable for which use case, and whether it is prepared to do the job. Processes and communication are an overarching theme and, as with the other elements, making them consistent, repeatable and clear can be key. Robust processes and methodologies can help organisations deal with incidents faster, more effectively and in a consistent manner.
Incident response readiness is not just an IT issue
An established cyber security incident response capability should be considered in the same way that risk is: constantly evolving and changing with your business. Delivering this effectively requires collaboration from across business functions and, importantly, careful planning and ongoing review. Having a mature IR process not only helps businesses to respond when needed but can mean the difference between major business impact and business as usual in a time of cyber compromise.
[1] https://www.gartner.com/en/newsroom/press-releases/2020-09-30-gartner-says-sixty-nine-percent-of-boards-of-directors-accelerated-their-digital-business-initiatives-folloing-covid-19-disruptions
[2] 2020, CyQu, Aon’s Cyber Solutions
This is for information purposes only. Professional advice should always be sought regarding specific risk issues.