With the prevalence of cyberattacks, cybersecurity experts will tell you it’s not a matter of if but when a cyberattack will hit your organization. When properly managed, a cyberattack can be squelched relatively quickly. However, without effective incident response, a cyberattack can spiral out of control.
We work with many organizations before, during, and after cyberattacks, and we find that most organizations recognize the importance of carrying cybersecurity insurance. Those same organizations often use at least minimal cybersecurity controls.
Alarmingly though, many organizations fail to develop and regularly test an incident response plan (IRP). An IRP can make the difference between a cybersecurity incident becoming barely a blip in operations or becoming a financial and public relations quagmire.
Not Having an Incident Response Plan
Our May blog post outlined how organizations can determine whether they need an IRP. If your answer to any of the following questions is yes, you should have an IRP.
Does my organization store or process data that would cause harm to an individual or group if leaked?
Does my organization store or process data that would cause harm to an individual or group if maliciously modified?
Does my organization store or process data that would cause harm to an individual or group if it became unavailable?
The primary reason for an incident response plan is to minimize the time it takes to move from discovery to recovery. And every second counts. Too many businesses fail to take basic steps in their incident response that cut their remediation and recovery timelines and minimize damage.
After detecting or receiving notification of suspicious activity, if there are delays while employees determine notification procedures or the incident response process, more systems could be affected, and the damage could be worse. Yet, more than 80% of organizations don’t have an IRP in place. They don’t even know what to do when they get hit.
Compugen regularly assists organizations with developing and testing their incident response plans. Grab our quiz to test the cybersecurity preparedness of your organization. The National Institute of Standards and Technology, a division of the U.S. Department of Commerce, also provides a comprehensive Computer Security Incident Handling Guide.
Not Conducting Frequent Reviews and Testing of Plan
Organizations with incident response plans in place may fail to review and test those plans frequently enough. Of the 20% of organizations that have an IRP, 20% don’t do adequate tabletop exercises to practice and inform employees on how to use it.
One of the most useful parts of an incident response plan is the list of contacts for discovering, monitoring, escalating, remediating, decision-making, and communicating during an incident. If that contact list isn’t updated or key team members are unaware of their roles during a cyber incident, incident response managers may waste valuable time at critical stages.
You need to regularly update roles and names that are critical to the plan. It’s difficult to effectively navigate an incident when you discover four of 10 people listed in the plan have left the company, and their replacements don’t know about the plan or their roles in incident response.
Waiting for an Attack to Select and Contract with Third-Party Partners
Some organizations have a shortlist of providers they might work within the event of an actual cyberattack. While this is a great step to take, evaluate whether you’d actually have time to reach out to a list of potential providers, schedule and conduct interviews, select a provider to engage, and confirm that the provider has the resources to immediately work with your organization while a cyberattack is underway.
It can take days and even a week to identify a partner and determine if insurance covers the cost of contracting with a third party. If you already have trusted partners in place and under contract, you’ll shorten your response time during a crisis.
Work with your partners to understand the scale they may be prepared to handle. For instance, if a cyberattack spreads across your organization, you will need a partner that can fix the number of machines likely affected in the time you need.
Also, be aware that companies you may contract with for detection and notification don’t often assist with recovery and remediation. You will need to understand the scope of services each provides under your agreement. For instance, your managed services contract with Compugen may cover the network or servers or both. If servers are out of scope, we can certainly remediate them under a new agreement.
When Compugen takes on responsibility for remediation, we resolve the issue, clear your systems of any malware, and get your employees back to working efficiently in a protected environment.
Not Building Third-Party Partners into Plan
Another common problem we see with incident response plans is forgetting to include all third-party providers who will assist with the response. Most, if not all, organizations work with outside partners to get through a cyberattack, and we highly recommend doing so.
Include information on each partner with contact information and scope of services in the IRP. Incorporate the cyber insurance policy into the IRP, including contact names and numbers for the insurance provider and level of coverage.
Cyberattacks are on the rise and frequently dominate headlines. Yet, countless cyberattacks never make the news cycle—some because cyber events are now so common they might not be newsworthy and others because the attacks were minimized through appropriate controls and effective incident response planning. Just because an attack doesn’t make the news doesn’t make it any less devastating to the company if the company doesn’t have cybersecurity insurance or an effective IRP in place.
Contact Compugen for assistance with creating or evaluating your incident response plan. Grab the Quiz:10 Self-Checks to Shore Up Your Cybersecurity to test the cybersecurity preparedness of your organization.