When it comes to cyberattacks, enterprises have traditionally focused security controls around prevention. Naturally, prevention is the first objective, but because 100% prevention is impossible, security controls in the detection and response groups are receiving increasing consideration. Organizations can fail if they have inadequate incident response plans, or none at all. The “six-Ps” mantra clearly applies: proper preparation and planning prevents poor performance.
The NIST cybersecurity framework categorizes controls in five groupings: identify, prevent, detect, respond, and recover. Respond and recover receive a great deal of attention when high-profile security breaches happen (e.g. the UK government Cabinet Office in December 2019), and an organization’s reputation might well dive or thrive based on how well it does this. In recent examples, British Airways arguably did a great job whereas perhaps Equifax did not.
Not every security incident and breach is malicious; some might be accidental or negligent. Where malicious attacks are concerned, not all will have a financial motive. Some will be focused on organizational disruption, others on distortion of company information, for example. Disruption might even have the ultimate objective of destroying an organization.
Key to a resilient organization is a comprehensive backup and recovery plan and capability. Good governance and common sense dictate that an organization should regularly back up its data and systems. This ensures that essential information and software can be restored when required, within timescales that meet organizational needs.
At the very least an organization should have a basic incident response plan. More security-mature enterprises will have built or adopted an incident response framework from which there are a series of “playbooks” setting out the procedures to respond to and recover from specific types of incident.
The playbooks will assign roles and responsibilities to the individuals and teams responding to the incident. Those involved should have access to the products and tools required for full investigation and remediation, along with the information needed to understand what is happening (or has happened). The incident will have implications across the organization and potentially beyond it, and the team and the playbook must take this into consideration.
It might sound obvious, but it is still worth stating: don’t have incident response plans and playbooks only available via online access. If your systems have been taken down, you won’t have the playbooks to hand.