Know Your Risks to Better Prepare Your Response

Cybersecurity risk can come in different disguises and it’s important to recognize the types of threats and incidents your organization is likely to face. Not only will this help you better plan for event response, but it can also help guard against these threats altogether. This brief primer explains the top 9 types of risks and how to respond to the most common associated events, including the fundamentals of an effective and comprehensive cyber incident response plan.

What are the different types of security threats SMEs face right now?

Small and medium-sized enterprises (SMEs) face varied cyber risks in today’s digital landscape that can result in various types of breaches that impact cybersecurity, including data breaches, identity theft, financial losses, reputation damage, and legal and regulatory consequences. They include:

1. Phishing Attacks: Fraudulent electronic communications attempting to obtain sensitive information such as usernames, passwords, and credit card details by disguising the sender as someone trustworthy.
2. Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to computer systems. These include viruses, worms, Trojans, ransomware, and spyware.
3. Insider Threats: Employees, contractors, or business partners misusing their access privileges to steal data, sabotage systems, or engage in other malicious activities.
4. Ransomware: A type of malware that encrypts files on a victim’s computer or network, rendering them inaccessible until a ransom is paid.
5. Social Engineering: Manipulating individuals into divulging confidential information or performing actions that compromise security, often through techniques like pretexting, baiting, or tailgating.
6. Distributed Denial of Service (DDoS): Overwhelming a targeted system with a flood of traffic, making it unavailable to legitimate users.
7. Supply Chain Attacks: Targeting vulnerabilities in third-party vendors or partners to gain access to a primary target’s network or data.
8. IoT Vulnerabilities: Exploiting security weaknesses in Internet of Things (IoT) devices such as smart thermostats, cameras, and appliances.
9. Misconfiguration: Improperly configured systems or cloud services that leave sensitive data exposed to unauthorized access.

Knowing the types of attacks to be prepared for is the beginning of a good incident response plan, but it’s just as important to identify an attack as it’s happening. Phishing is one of the most common and easy to identify if you know what to look for.

What is a common indicator that a phishing attempt is taking place?

The clearest indicator of a phishing attempt is unsolicited or unexpected emails, messages, or phone calls that:

• Request personal information
• Contain suspicious links or attachments
• Create a sense of urgency
• Come from unknown or unverified sources
• Contain grammatical or spelling errors
• Redirect to unsecured websites
• Request unusual actions
• Use mismatched or generic greetings
• Contain unexpected attachments
• Use threats or intimidation

Now that you know what to look for, we can start making a plan.

How should organizations go about developing a data breach response plan?

To effectively manage and mitigate the impact of security incidents, organizations can follow these steps to lay the groundwork for creating a plan:

• Establish a cross-functional team of key stakeholders from various departments such as IT, legal, human resources, public relations, and senior management. This team will be responsible for developing and implementing the plan.
• Identify potential threats and vulnerabilities that could lead to a data breach. This includes assessing the organization’s systems, networks, and data storage practices.
• Define the roles and responsibilities of team members in the event of a data breach. Designate individuals to lead the response efforts, coordinate communication with stakeholders, and manage technical aspects such as forensics and incident response.
• Develop incident response procedures such as steps to contain the incident, assess the impact, and recover affected systems and data. This should include protocols for notifying relevant authorities, such as regulatory bodies or law enforcement agencies.
• Establish communication protocols for informing internal stakeholders, such as employees and management, as well as external stakeholders, such as customers, vendors, and the media. Determine who will be responsible for drafting and approving communication messages and ensuring they are clear, consistent, and timely.
• Implement training and awareness programs to educate employees about the importance of data security, how to recognize potential security threats, and the proper procedures to follow in the event of a data breach.
• Test and update the plan regularly through tabletop exercises or simulated drills to identify any weaknesses or gaps in the plan, and update and refine the plan as necessary to ensure its effectiveness.
• Document everything, including incident reports, response actions, communication records, and lessons learned from previous incidents.
• Ensure compliance with regulations, such as GDPR, HIPAA, or industry-specific regulations. Stay informed about changes to these regulations and update the plan accordingly.
• Establish relationships with external partners, such as legal counsel, forensic experts, and incident response firms that can assist in the event of a data breach.

What should be included in a cybersecurity incident response plan?

A comprehensive cybersecurity incident response plan should include the following key components:

• Introduction and overview, including the purpose and objectives of the incident response plan, as well as the scope of incidents it covers.
• Roles and responsibilities, including individuals’ respective duties and authority levels.
• Contact information for key stakeholders, including members of the incident response team, senior management, legal counsel, IT personnel, and external partners such as law enforcement agencies, and regulatory bodies.
• Detection and reporting procedures, including methods for monitoring systems and networks for suspicious activity and mechanisms for employees to report incidents promptly.
• Assessment and classification of cybersecurity incidents based on their severity, impact, and potential risk to the organization’s assets, operations, and reputation.
• Response actions that detail the steps to be taken in response to different types of cybersecurity incidents, including containment measures, evidence preservation, communication protocols, and coordination with internal and external stakeholders.
• Communication plan with protocols for notifying internal and external stakeholders about cybersecurity incidents, including who should be informed, when, and how. This should include guidance on communicating with employees, customers, partners, regulatory authorities, and the media.
• Evidence collection and preservation guidelines related to cybersecurity incidents, including forensic analysis and chain of custody procedures.
• Containment and eradication procedures, including isolating affected systems or networks, removing malicious code, and restoring affected services to normal operation.
• Recovery and restoration steps, including restoring data from backups, repairing or replacing compromised systems, and implementing additional security measures to prevent future incidents.
• Lessons learned and continuous improvement mechanisms for conducting post-incident reviews and analysis, such as identifying areas for improvement, and opportunities to strengthen cybersecurity defenses.
• Regulatory and legal compliance information such as legal requirements, and industry standards governing cybersecurity incident response (i.e., GDPR, HIPAA, or PCI DSS).
• Training and awareness programs for employees to educate them about cybersecurity risks, their roles and responsibilities in incident response, and how to recognize and report security incidents effectively.

How should businesses respond to the following incidents?

Data Breach

• Containment: Immediately isolate the affected systems or networks to prevent further unauthorized access and data loss.
• Assessment: Conduct a thorough investigation to determine the scope and nature of the breach, including identifying the compromised data and how the event occurred.
• Notification: Depending on the severity and regulatory requirements, notify affected individuals, customers, partners, and relevant authorities about the breach promptly.
• Remediation: Take steps to remediate the breach, such as patching vulnerabilities, improving security controls, and implementing measures to prevent similar incidents in the future.
• Monitoring: Implement continuous monitoring and surveillance to detect any further unauthorized activity or attempts to exploit the breach.
• Communication: Maintain transparent communication with stakeholders throughout the response process, providing updates on the investigation, remediation efforts, and any actions taken to prevent future breaches.

Ransomware Attack

• Isolation: Immediately disconnect infected systems from the network to prevent the spread of ransomware to other devices.
• Assessment: Determine the extent of the ransomware infection, including identifying affected systems and encrypted files.
• Response: Decide whether to pay the ransom or restore from backups, considering the importance of the encrypted data, the reliability of the ransomware decryption tool, and legal and ethical considerations.
• Recovery: Restore affected systems and data from backups, ensuring they are free of malware before reconnecting them to the network.
• Prevention: Implement measures to prevent future ransomware attacks, such as regular backups, employee training on recognizing phishing emails, and deploying endpoint security solutions.
• Reporting: Report the ransomware attack to relevant authorities and law enforcement agencies, especially if personal or sensitive data was compromised.

Phishing Attack

• Detection: Immediately identify and flag the phishing email or message to prevent recipients from falling victim to the scam.
• Education: Provide training and awareness programs for employees about the dangers of phishing attacks and how to recognize and report suspicious emails.
• Containment: Take steps to contain the phishing attack, such as blocking the sender’s email address, disabling any malicious links or attachments, and updating email filters to prevent similar attacks in the future.
• Response: If sensitive information was compromised, take appropriate action such as changing passwords, monitoring accounts for suspicious activity, and notifying affected individuals or authorities.
• Prevention: Implement technical solutions such as email filtering and authentication protocols to reduce the likelihood of future phishing attacks.
• Analysis: Conduct a post-incident analysis to identify any gaps in security controls or employee training that may have contributed to the phishing attack, and implement measures to address these weaknesses.

In all cases, maintaining clear communication with stakeholders, documenting the incident response process, and continuously improving security measures are essential for effectively responding to and recovering from security incidents.

You don’t have to create your plan alone. Learn more about preparing for cybersecurity incidents with the support of a NetDiligence-authorized Breach Coach^®, an industry expert who can guide your response from planning through execution.