Five steps to cyber resilience
– a cyber resilience plan for every SME and mid-market sized organization
Cyber advice is easy to come by for every business, but it’s harder to decipher what aspects of that advice are relevant for you as an SME or mid-market sized company.
That’s why we have developed this five-part special series to offer much more than a list of arbitrary tips that might or might not be relevant.
Over the next five blog posts, we will look at the bigger picture for your organisation and detail key actions rooted in the National Institute of Standards and Technology’s (NIST) cyber security framework.
By working through these key areas, and by drawing on both our own experience in helping businesses build their cyber resilience and the expertise of some of the leading cyber security practitioners, we believe we can help you work towards achieving cyber resilience for your business.
The five areas of focus for Five Steps to cyber resilience for SMEs and mid-markets are:
- Identify – Understand your environment and overall cyber risk
- Protect – Implement appropriate safeguards to contain a cyber security event
- Detect – Maintain visibility into your network so you can detect intrusions
- Respond – Assume a breach will happen and have a plan in place
- Recover – Business interruption is the greatest risk; access experts to recover quickly
Step 4: Respond | Assume a breach will happen and have a plan in place
In our blog series ‘Five steps to cyber resilience’ we’re reviewing the five functions within the NIST Cyber Security Framework (CSF). We have already covered the first three functions: Identify, Protect and Detect. In this post we offer tips and advice on responding to a cyber security event through the ‘Respond’ function.
No organisation can ever be truly ready for a cyber-attack, but preparation for the immediate aftermath can make a significant difference to the initial impact and long-term outcome. In the event of a cyber-attack, a coherent, tested and holistic response strategy can mean the difference between an organisation holding its nerve or going into complete meltdown.
NIST describes the Respond function as “including appropriate activities to take action regarding a detected cyber security incident.” Establishing the Respond function correctly gives you the best chance of containing and minimizing the impact of such attacks. That starts with having a plan, ensuring it is tested and can be deployed quickly, and, importantly, setting out who is responsible for what in such an eventuality. Delay in executing response plans and mitigating the associated risks creates a window of opportunity in which hackers can operate and exploit the situation further, increasing their chance of taking advantage of vulnerable entry points and succeeding in their attack. Hackers can paralyze your business with ransomware demands, take down critical systems, or target sensitive and valuable data assets, including your intellectual property and customer data. Once you have been breached, the attackers can move quickly across your IT network and systems, gathering and exfiltrating that data for use in further fraudulent and criminal activity.
There are four phases in the Incident Response Lifecycle defined by NIST: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. Below we look at each of these, providing tips and recommendations for implementation in your business.
Preparation; fail to prepare, prepare to fail
The NIST Framework, within this Respond function, requires that response processes and procedures are executed and maintained in order to ensure a timely response to detected cyber security events. As Benjamin Franklin once said, “to fail to prepare is to prepare to fail”, and response planning is all about knowing what to do after detection. This involves having a robust, tested process and knowing who does what, whom to notify and how to initiate the response plan. Those tasked with responding must know the plan and be positioned to take action to stop the incident and minimize business interruption.
Detection and Analysis; reading the signs
In this phase, you need to look at the indicators that an attack has already happened or is occurring right now. This should be aligned with your wider risk and security operations, with tooling configured to alert accordingly. Such indicators could include alerts from your antivirus software or from vulnerability scanning tools such as CyberScan. An increasing challenge is that these alerts and scans often produce false positives: they fire on information or scenarios that turn out not to be indicative of an ongoing attack. It is therefore critical to have the ability and resources to analyse these signs and determine what’s really going on. A common mistake is to act without such analysis, attempting to shut down activities and wasting time chasing down log events that turn out not to be an incident. For that reason, your Incident Response team needs to develop the right tooling, processes and playbooks to enable the analysis of attack methods (so-called ‘attack vectors’) in order to properly categorize and prioritize events. It is important that your team reviews the NIST Cyber Security Framework, as it gives excellent guidance on making such a categorization based on functional impact, information impact and recoverability.
Containment, Eradication, and Recovery; putting out the fire
This is the phase where the response team, having gathered the information and gained an understanding of the incident, tries to contain, combat and recover from the threat. It typically involves taking action to prevent further damage, such as disabling network access for infected computers, closing ports, isolating traffic or blocking IPs. Depending on the type of incident, there may also be a need for immediate action such as resetting passwords for users whose accounts were breached, or blocking the accounts of insiders who may have caused the incident. Many incidents involve responding to malicious software, such as ransomware, viruses or trojan horses, designed to cause damage, steal data or make extortion demands. A recent 2019 UK Government Report [1] showed that a third of businesses had experienced a cyber security breach or attack in the prior 12 months, with malware, including ransomware, affecting 27% of those businesses.
In recovering from such incidents, it’s important to maintain backups of the impacted systems, to have appropriate and risk-driven business continuity plans, and to review and update incident playbooks so that your business preserves evidence for further forensics or legal cases should this be required. Careful decisions need to be made around service restoration, with two critical requirements:
- Carry out system/network validation and testing to certify all systems as operational.
- Re-certify any compromised component of the systems as both operational and secure.
Post-Incident Activity; applying lessons learned
Post-incident activity is the postmortem that helps determine what happened and why it happened, and applies the lessons learned so that you can prevent it from happening again. It should include all relevant stakeholders conducting a detailed review that results in documented updates to security procedures and, if necessary, business practices, with a clear objective of lessening the impact of such incidents in the future. Reviews should be based on the collected incident data rather than emotional finger-pointing, and should focus on identifying the exposed areas of weakness, whether that’s deemed to be human error, systems failure or shortcomings in security practices. Equally important is to assess the effectiveness of the response and to determine whether incident response plans provided for sufficiently quick and appropriate action, with everyone involved knowing their roles and responsibilities. Following the post-incident review, there may be clear actions to be taken immediately, such as specific staff training or changes to delegation and authority for future emergencies. It is important that each of these is carefully considered and feeds into constantly evolving business and technology plans.
Have you tested your response process? Usually this is done in what is called a ‘table-top exercise’. Learn more here: https://aon.com/cyber-solutions/solutions/cyber-threat-simulations-tabletops/
In our next post in this series we’ll cover the Recover function, helping you to understand:
- Picking up the pieces with a Recovery Plan
- Building the playbook to restore business function
- Protecting your balance sheet and recovering more quickly
CyQu (Cyber Quotient Evaluation) from Aon is an award-winning cyber risk assessment platform.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.