Prudent business leaders and risk managers understand that identifying, protecting against, and detecting risks are necessary, albeit fallible, actions for mitigating the risks of a complex world full of threats. As we have seen from prior posts, cost, time, and resource tradeoffs exist in every business. Hackers are creative and humans are, well, human. That is why step 4 of the NIST Cyber Risk Framework, Respond, is so crucial. A threat may make it through your cybersecurity layers “sandwich.” It’s best to be prepared.
Whether or not your people stay productive, your enterprise remains running, and your data stays safe is the result of an effective response to the threat. Respond is often misconstrued as the “easy” part of cybersecurity. After all, you’re paying for IT “support” and they’ll be there to “respond” to any security incident, right? Your current IT may definitely respond, but don’t assume that they are prepared to respond properly.
Every cybersecurity event is unique. Entering an event with a cavalier “been there, done that” attitude can lead to overconfidence and the premature application of a “fix” that potentially makes the situation worse. We have seen this happen all too often. For example, one company was hit with a ransomware outbreak. The IT person started to fix things by removing the ransomware, which broke the server. The company’s systems went down and the data was lost. Only then did IT realize that the backups had been failing for months and there was no recent backup that could be used to recover quickly.
The response must be a thoughtful and proper response based on the specific threat and actions laid out in a proactive Response plan.
In the NIST Respond step, we:
1. Review the Response plan with the appropriate policies and procedures to ensure a prompt response to a cybersecurity incident.
2. Involve the Technical and Strategy teams to analyze the situation, communicate, and eliminate the threat.
1. Review the Response plan
The IT team you are expecting to respond to a cyber incident needs to have a plan in place. No plan means panic, a fire drill, and an IT-cowboy mentality that shoots from the hip hoping it works. That’s not a good place to be when you really need to get things under control and fixed right away. You want to know how you are going to respond before you need to actually do so, and to have the comfort that your IT team is prepared to respond when needed.
The first part of our plan is to determine who the right people are to have on the team that will address the incident. We have specific roles to assign – communication, technical, and client management. The assigned technician immediately starts diagnosing the problem in a systematic manner, including the threat’s AND the solution’s impact on the users. The client manager is involved to ensure that the issue is handled correctly and that stakeholders inside and outside the organization are communicating. Communication is often more important than fixing the problem. Having one person fill all three roles is a fail.
2. Involve the Technical and Strategy teams to analyze the situation, communicate, and mitigate the risk
Waident has a systematic approach to troubleshooting in our Critical Incident Response Plan for any cybersecurity breach. The first thing we do is communicate. We communicate with the Waident team, the client, and third parties as needed. While communication is happening, the assigned technician(s) are analyzing the situation and developing action steps to mitigate and fix the incident. The plan is shared with both our internal team and the client. Communication continues until the situation has been resolved. After determining that the technology is back to normal, we confirm with the client and users that everything is working as expected.
However, we don’t stop there and declare success. We ensure that the hackers are completely out of the network and not lying dormant in the system like a Trojan Horse waiting to launch a second attack from inside. We conduct a post-mortem to uncover and communicate the details of how the breach happened, its root cause, and how it might be prevented in the future. This process is done in the final phase of the NIST framework, Recover, which will be our next post.
Conclusion: Responding to Cyber Risks in SMBs Using the NIST Framework
Even with strong layers of cybersecurity protection and detection in place, some security breaches will inevitably get through and cannot be blocked. At that point, you will need to respond to the incident. A proper response will keep the threat from escalating into a fiasco, causing extended downtime, and putting your business and its reputation at risk. Ultimately, an SMB can “respond” to a cybersecurity incident or it can Respond to a cybersecurity incident. The difference is responding like a shoot-from-the-hip IT cowboy or a cool-as-a-cucumber IT team with a systematic plan.
You really need an IT team with a plan to Respond before you need to.