Why Mastering Cyber Incident Response Is a Must
Every SMB Is at Risk
“What you may not know, however, is that small to mid-sized businesses (SMBs) are frequent targets of destructive cyberattacks, many of which can be crippling.” (Forbes)
There’s no getting around it. Sooner or later your organization will get hit by a cyber attack… if it hasn’t been already. If you believe that you’re not big enough for the hackers to target you, then – unfortunately – the stats say otherwise:
- There was a 424% increase in new small business cyber breaches last year
- 60% of SMBs say that attacks against them are targeted, sophisticated, and damaging
While these numbers are striking, many small to mid-sized business owners and executives still believe that their businesses are too small to be of interest to hackers. Many lack cybersecurity defense plans and don’t even have endpoint protection in place.
For those who neither plan nor protect, the repercussions of denial are dire, including financial losses and damage to customer loyalty and brand equity.
The High Cost of Denial
When a cyber breach happens, the SMB can suffer several hours of downtime, which leads to hundreds of thousands of dollars in losses. For example, in early 2020, the US government contractor Miracle Systems, a provider of IT and engineering services to federal agencies, suffered losses of $500,000 to $1 million due to an internal server breach.
It’s not only about the financial loss. During this downtime, the affected digital systems are unavailable to the people who depend on them. When it comes to cyberattacks, it’s about detection, prevention, and, most importantly, accelerating resolution.
Robust Incident Response Isn’t Easy
As important as the incident response (IR) mandate is, it is an equally great challenge, for a variety of reasons. The first is that SMBs typically outsource IR to third parties. However, when doing so they don’t always make sure that:
- They have support for all the functions that are involved with incidents, e.g. legal and PR, among others;
- The service provider is available 24/7 with live support;
- What is defined in the organization’s incident response plan is indeed within the scope of the engagement, for example the decision-making hierarchy and how the incident will be managed.
Other common challenges include:
Onboarding the incident team: get all the right people onboarded quickly enough to reduce the time required to respond and remedy. As we have seen, ‘time is money’ (literally), when it comes to incident response.
Aligning incident responders: sending out timely, accurate, aligned, and clear updates to each member of the incident team during each phase of the resolution journey can be time-consuming, in terms of gathering the data, ensuring its accuracy, preparing the updates, and making sure everyone received and knows what their role and responsibilities are.
Managing complex workflows: that include multiple stakeholders (within and outside the organizations), observers, executors, and managers.
To complicate matters even more, establishing an in-house IR team can be costly: it requires the expensive salaries of full-time employees with hard-to-find multi-disciplinary skills. Regardless of these challenges, no organization can afford not to do everything it can to boost its incident response capabilities.
The first steps to overcoming the biggest IR challenges
Among the many things SMBs should consider when preparing to outsource IR to third parties are:
- Making sure that all the necessary incident management-related information is available in multiple copies and made accessible to all relevant parties.
- Making sure that all data necessary for an incident investigation is available and accessible.
- Performing IR and business continuity drills to identify process weaknesses that require optimization.
- Defining incident communication policies so that everyone knows who can be contacted at what times regardless of time zones or the hour of the day.
- Establishing guidelines with vendors regarding who owns the incident under which conditions and specific circumstances.
- Defining priorities and which data relates to those priorities, and where it resides, for making data-driven decisions that optimize incident response.
More Incident Response Insights From the ITIL
For additional insights, the ITIL (Information Technology Infrastructure Library) offers detailed practices for IT service management, including incident management, and these can be very instructive for those leading and executing incident response.
The process flow that is recommended by the ITIL for diagnosing and managing incidents includes the following steps:
- Incident logging and categorization
- Escalating to second-level support
- Notifying the incident manager
- Informing the major incident team who will work together to resolve the incident
- Once a workaround is discovered, reporting the incident to problem management for future investigation and for developing a permanent solution
- Capturing data from the relevant systems and using it to drive continuous improvement throughout the organization’s incident management practices
Furthermore, to prepare the incident report that drives learning and optimization, the ITIL recommends that it answer the following questions:
- What was the incident about?
- When did it occur?
- Where did it occur?
- How much time did it take to resolve?
- Who resolved it?
- Who was involved in handling the incident?
- What troubleshooting steps were taken?
The Capabilities Required for Meeting the IR Mandate
While the insights from the ITIL can be very valuable, being able to execute means that you have to have in place certain critical tools and capabilities, including:
- The ability to understand which logs should be kept and audited
- The ability to execute advanced correlations among all security log files from every system
- Access to an intuitive dashboard with full visibility into the most critical incidents across all business operations and security solutions, at a glance
- Access to real-time insights on which threats are affecting which assets, how severely, and the root cause
- Full clarity into all investigations by type, severity, and status
- Notification of incident escalation to complex case management
- Real-time drill down to a full view of any case to understand what happened, what was impacted, immediate risk, recommended actions, and status
- The ability to generate and share reports instantly
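To make the first two capabilities concrete (knowing which logs to keep, and correlating across log files from different systems), and to show how a correlated finding can be logged and categorized in the way the ITIL flow above describes, here is an added example. It is not CYREBRO’s code or the ITIL’s; the log formats, host names, IP addresses, event IDs and the year assumed for the syslog-style timestamps are all constructed for the illustration. It normalizes events from a VPN gateway and a directory server, then flags a source IP whose repeated failed logons (across both systems) are followed by a successful logon, producing an incident record whose fields map to the ITIL report questions (what, when, where, who).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs from two systems with different formats (not real data).
VPN_LOGS = [
    "2024-03-04T08:00:05Z vpn-gw src=203.0.113.7 user=alice result=FAIL",
    "2024-03-04T08:00:09Z vpn-gw src=203.0.113.7 user=alice result=FAIL",
    "2024-03-04T08:00:14Z vpn-gw src=203.0.113.7 user=alice result=FAIL",
    "2024-03-04T09:30:00Z vpn-gw src=198.51.100.2 user=bob result=OK",
]
AD_LOGS = [
    "Mar  4 08:00:20 DC01 auth: EventID=4625 User=alice Source=203.0.113.7 Status=Failure",
    "Mar  4 08:00:31 DC01 auth: EventID=4624 User=alice Source=203.0.113.7 Status=Success",
    "Mar  4 10:15:02 FS01 auth: EventID=4624 User=carol Source=10.0.0.5 Status=Success",
]


@dataclass(frozen=True)
class Event:
    """One logon event in a common schema, whatever system produced it."""
    ts: datetime
    system: str   # log source ("vpn" or "ad")
    host: str     # device that recorded the event
    src_ip: str
    user: str
    success: bool


VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")
AD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) auth: "
    r"EventID=(?P<eid>\d+) User=(?P<user>\S+) Source=(?P<src>\S+) Status=\S+$")


def parse_vpn(line):
    """Normalize a VPN gateway line; returns None for lines that do not match."""
    m = VPN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, "vpn", m["host"], m["src"], m["user"], m["res"] == "OK")


def parse_ad(line, year=2024):
    """Normalize a syslog-style directory line. Syslog timestamps carry no year,
    so the year is an assumption supplied by the caller (constructed default)."""
    m = AD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    # 4624 is the Windows "successful logon" event ID; everything else is treated as failure here.
    return Event(ts, "ad", m["host"], m["src"], m["user"], m["eid"] == "4624")


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag a source IP with >= min_failures failed logons within `window`
    (counted across every system) followed by a successful logon.
    Returns one incident record per such sequence."""
    incidents = []
    by_ip = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_ip.setdefault(e.src_ip, []).append(e)
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            # Drop failures that have aged out of the correlation window.
            failures = [f for f in failures if e.ts - f.ts <= window]
            if not e.success:
                failures.append(e)
            elif len(failures) >= min_failures:
                involved = failures + [e]
                incidents.append({
                    # Categorization and severity: the "incident logging and categorization" step.
                    "category": "credential-attack/successful-logon-after-failures",
                    "severity": "high",
                    # Fields that answer the ITIL report questions.
                    "what": f"{len(failures)} failed logons from {ip} followed by a successful logon as {e.user}",
                    "when": {"first_seen": failures[0].ts.isoformat(), "last_seen": e.ts.isoformat()},
                    "where": sorted({x.host for x in involved}),
                    "who": e.user,
                    "source_ip": ip,
                    "log_sources": sorted({x.system for x in involved}),
                })
                failures = []
    return incidents


def build_incidents(vpn_lines=VPN_LOGS, ad_lines=AD_LOGS):
    """Parse both log sets and run the correlation over the combined event stream."""
    events = [ev for ev in map(parse_vpn, vpn_lines) if ev]
    events += [ev for ev in map(parse_ad, ad_lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for inc in build_incidents():
        print(inc)
```

The point of the example is the second capability in the list: neither log on its own reaches the three-failure threshold that justifies an alert, so retaining and correlating both sources is what turns scattered failed logons into a categorized incident with the who, when and where already filled in for the report.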
The Key to Incident Response Mastery
As we have seen, the incident response mandate is one that no SMB can ignore. To avoid damage to finances, customer trust, and brand equity, robust capabilities are a must.
These capabilities include having the right plan and workflows in place, the right reporting for ongoing learning and optimization, full visibility into the entire threat landscape, and the insights and technology-powered expertise to understand, decide, and act on every incident with speed and precision.
To learn more about how CYREBRO can help your organization gain these capabilities and improve security incident resolution, we invite you to visit our website at www.cyrebro.io.