In Parts 1 and 2 of our blog series on incident response planning for Cybersecurity Awareness Month, we explored four steps to building an incident response plan (IRP), and also how to practice your IRP through various fire drill exercises.
Now you’re ready to put the plan into action when a moment of crisis hits—or are you?
In this final Part 3 installment, we leave you with the following best practices to keep in mind when a data breach or privacy incident occurs.
Do identify and confirm the type and severity of the incident.
Do ensure the person who has overall responsibility for managing the on-scene incident (also known as the incident response team leader) is aware and present.
Do notify the incident response team and convene a meeting.
Do access and execute your IRP via Breach Plan Connect® online or securely through your BPC mobile app, which is particularly important to have if your internal systems are inaccessible.
Do know who your Breach Coach® is and ensure that they are covered by your insurance carrier. Let the Breach Coach® manage outreach to, and communication with, third-party vendors such as a forensics provider.
Do leverage third-party experts and providers approved by your cyber insurance carrier. This is important for cyber claims coverage submission and consideration.
Do notify your insurer to report a potential claim.
Do contain the damage, taking care to preserve forensic evidence.
Do develop an incident-specific communication plan with support from your Breach Coach®.
Do determine, in consultation with your Breach Coach, whether notifications are required.
Don’t panic! You’ve planned ahead for this, right?
Don’t contact your trusted external incident response experts without your Breach Coach® there to guide you.
Don’t immediately contact regulators or notify people impacted by the incident until you understand the scope of the incident and your legal obligations.
Don’t discuss the incident with anyone unless directed by legal counsel.
Don’t directly engage with threat actors without the advice of specialists.
Don’t delete any files or disturb evidence at the scene; it will be needed for the forensic investigation, as well as for any potential litigation or regulatory enforcement down the road.
Common Mistakes to Avoid
1. Relying on normal infrastructure for storage of an IRP and key response resources. “When you’re hit with ransomware or a denial-of-service attack, your network or cloud storage may be down,” says Sherri Davidoff of LMG Security. “As a result, your team springs into action—but can’t access contact lists, documentation, or key communications tools.”
SOLUTION: “Make sure your responders have access to a copy of your IRP and supporting resources, even when your normal infrastructure is down. To do this, you may want to identify an alternate cloud storage/communications platform. It may also be as low-tech as copying key information to encrypted external media and distributing that to key members of your response team. Whatever you use, make sure it fits your organization’s needs and risk profile, and that you actually test out your backup system before you really need it.”
2. Not accounting for late night/off hours. “According to a 2020 report by FireEye, 76% of ransomware attacks happened outside normal business hours. Criminals know that victims are often not as prepared to respond to attacks during these times—and they’re right. If you’re operating overnight with a skeleton crew, or you have an outside vendor handling your after-hours incidents, they may not be as experienced with your IRP as your 9-to-5 responders. As a result, they may make missteps or fail to escalate as needed.”
SOLUTION: “Make sure your IRP takes into account after-hours incidents. Documentation alone won’t solve the problem; run tabletop scenarios that contemplate after-hours incidents, and then take that to the next level and actually test your response processes outside normal business hours.”
3. Lack of buy-in from your response team. “All too often, when a cybersecurity incident arises, first responders skip steps that they feel aren’t important,” Davidoff says. “For example, in a recent ransomware case that we handled at LMG, the IT staff had deliberately chosen not to quarantine certain key systems even though the IRP explicitly called for it. The first responders did not agree with the plan—they felt it would be too impactful for business, and didn’t fully understand the risk of widespread infection. As a result, the ransomware spread far more than it would have if they had followed the plan.”
SOLUTION: “Get buy-in from your first responders. People need to believe in the plan or it’s just another piece of paper in your office. Make sure your first responders understand not just what to do, but why.”