If a major incident does occur, what are the immediate steps you should take to respond?
 
Let's consider something which every executive in IT fears.
If you already work in cybersecurity, you will know it perfectly.
 
 
You are asleep in bed and all of a sudden you receive a call in the middle of the night saying that there has been a major cyber-incident.
You would know that the speed of incident response is vital. Thus you would also know that as much information as possible must be gathered in these very early moments, so that you immediately understand what information and systems have been compromised. You would deliberate instantly:
 
Has this happened before and does it indicate a systemic issue?
 
What is the risk to the organisation, its reputation and its customers?
 
You want to establish that initial snapshot assessment because it is incredibly important: it will drive not only the prioritisation of the incident response, but the entire process that follows. If you identify the incident as HIGH RISK at the onset, your response timeline will accelerate, and you will deploy organisational resources urgently and more appropriately. Right?
Ok.
 
Then, what should happen next?
 
Now your principal concern must be limiting the damage and controlling the incident. You should try your best to understand what mitigating factors might help you to reduce risk to the business. It is extremely vital.
 
For example,
  • If the information has been lost or stolen, then was that information subject to encryption?
  • Is it in a format that would be useless to a third party?
  • Did the incident involve theft of a device that has since been recovered?
If, following that risk assessment, you conclude that it is a major, high-risk incident, then the response must be fast.
It may be necessary to first internally escalate by notifying the executive committee or wider board.
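The initial snapshot assessment and the mitigating factors above can be captured as a structured triage record rather than a phone-call impression. The following is an added example, not code from the original post or from Luminis Consulting Services; the field names, the scoring weights, the risk thresholds and the escalation steps are assumptions chosen for illustration, and any real organisation would substitute its own risk matrix.

```python
from dataclasses import dataclass
from typing import List

# Constructed example: a first-hours triage record. Field names, weights and
# thresholds are assumptions for illustration, not an established standard.

@dataclass
class IncidentSnapshot:
    data_types: List[str]            # e.g. ["customer PII", "payment data"]
    systems_affected: List[str]      # e.g. ["crm-db-01", "laptop-17"]
    records_affected: int            # best current estimate; may be revised later
    seen_before: bool                # same pattern observed previously (systemic?)
    # mitigating factors named in the post
    data_encrypted: bool = False     # lost/stolen data was encrypted
    unusable_format: bool = False    # format would be useless to a third party
    device_recovered: bool = False   # stolen device has since been recovered

# Assumed categories treated as sensitive for scoring purposes.
SENSITIVE = {"customer pii", "payment data", "credentials", "health data"}

def residual_risk(s: IncidentSnapshot) -> str:
    """Return HIGH, MEDIUM or LOW after applying mitigating factors."""
    score = 0
    if any(d.lower() in SENSITIVE for d in s.data_types):
        score += 3
    if s.records_affected >= 1000:
        score += 2
    elif s.records_affected > 0:
        score += 1
    if len(s.systems_affected) > 1:
        score += 1
    if s.seen_before:                # a repeat suggests a systemic issue
        score += 1
    # Mitigating factors lower exposure but never remove the need to investigate.
    if s.data_encrypted or s.unusable_format:
        score -= 2
    if s.device_recovered:
        score -= 1
    if score >= 4:
        return "HIGH"
    if score >= 2:
        return "MEDIUM"
    return "LOW"

def escalation_plan(s: IncidentSnapshot) -> List[str]:
    """Ordered escalation steps derived from the residual risk level."""
    level = residual_risk(s)
    steps = ["forensic IT experts engaged", "evidence preservation started"]
    if level in ("HIGH", "MEDIUM"):
        steps.insert(0, "external legal counsel on call")
    if level == "HIGH":
        steps.insert(0, "executive committee / board notified")
        steps.append("regulator and affected-individual notification assessed per jurisdiction")
    return steps

if __name__ == "__main__":
    # Constructed scenario: a lost laptop holding customer records.
    lost_laptop = IncidentSnapshot(["customer PII"], ["laptop-17"], 5000, False)
    print(residual_risk(lost_laptop), escalation_plan(lost_laptop))
    recovered = IncidentSnapshot(["customer PII"], ["laptop-17"], 5000, False,
                                 data_encrypted=True, device_recovered=True)
    print(residual_risk(recovered), escalation_plan(recovered))
```

The point of the structure is that the same facts recorded at 3 a.m. are re-scored when the estimate of affected records or the encryption status changes, so the escalation decision is always traceable to the information available at the time.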
 
External legal counsel should be involved as early as possible so they are on call to respond whenever needed throughout the incident.
Engaging legal counsel has the added benefit of establishing privilege in certain circumstances, which can protect sensitive discussions from future disclosure should there be an investigation or litigation.
 
Forensic IT experts are also an essential part of the damage limitation process, particularly in identifying the threat, understanding what went wrong and taking the appropriate measures to stem the tide.
 
Regulators need to be informed as soon as possible, as should affected individuals, where organisations are legally required to do so.
-
Please don't overlook the following aspects at any cost:
 
At each stage of the response process, it is also vital to preserve evidence and record details of every action and decision that was made. You may look back and determine that, in hindsight, poor decisions were made, but if you can show precisely what information guided those decisions at the time, it can be beneficial in the event of an investigation or litigation.
 
Of course, excessive retention of records and information can also present challenges, but legal counsel will be able to assist in striking the right balance.
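Recording every action and decision together with the information that guided it is easier to defend later if the record itself cannot be silently rewritten. The following is an added example, not code from the original post; it implements a simple append-only, hash-chained incident journal in which each entry carries the actor, the action or decision, the basis known at the time, and the hash of the previous entry. The entry fields and the sample entries are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed example: an append-only incident journal where each entry is
# chained to the previous one by SHA-256, so later edits or deletions are
# detectable. Field names are assumptions; timestamps can be supplied so the
# example runs deterministically offline.

def _digest(fields: Dict) -> str:
    """Canonical JSON of the entry (without its own hash) hashed with SHA-256."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class IncidentJournal:
    GENESIS = "0" * 64

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[Dict] = []

    def record(self, actor: str, action: str, basis: List[str],
               timestamp: Optional[str] = None) -> Dict:
        """Append an entry; 'basis' lists what was known when the decision was made."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "incident": self.incident_id,
                 "timestamp": ts, "actor": actor, "action": action,
                 "basis": basis, "prev_hash": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash and every chain link still match."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            fields = {k: v for k, v in e.items() if k != "hash"}
            if _digest(fields) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def build_sample_journal() -> IncidentJournal:
    """Constructed journal for a hypothetical incident id 'INC-EXAMPLE-001'."""
    j = IncidentJournal("INC-EXAMPLE-001")
    j.record("on-call lead", "classified incident HIGH RISK",
             ["customer PII on lost laptop", "encryption status unknown"],
             timestamp="2024-01-01T02:10:00+00:00")
    j.record("on-call lead", "notified executive committee; legal counsel on call",
             ["HIGH RISK classification"], timestamp="2024-01-01T02:25:00+00:00")
    j.record("forensics", "disk image of backup server preserved",
             ["laptop synced to backup-02 nightly"], timestamp="2024-01-01T03:40:00+00:00")
    return j

if __name__ == "__main__":
    journal = build_sample_journal()
    print("intact:", journal.verify())
    journal.entries[1]["action"] = "took no action"   # simulated later edit
    print("after edit:", journal.verify())
```

Re-hashing a tampered entry does not help the editor either: the next entry still holds the old hash in `prev_hash`, so `verify()` fails at the chain link. In practice the journal would also be copied to a system the response team cannot modify, but the chaining is what makes an edit visible.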
Public relations plays an often overlooked, but absolutely crucial, role in controlling the narrative and allowing the organisation to present the best and most accurate representation of the incident.
 
Last but not least, remember that cybersecurity incidents DO NOT respect national borders. Companies are often affected in multiple jurisdictions, with different regulators and laws in relation to disclosure obligations and timeframes.
 
-
Kindly don't forget to leave your comment on this post.
Thanks
 
 

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking.

She shares posts and writings about Cybersecurity on her website and on social media platforms.
