In part one of this blog, I outlined the reasons why organizations need an Incident Response Plan (IRP). Any organization that stores Personally Identifiable Information (PII) or private financial data needs to have a plan in place for when (not if) they are hit with a cyberattack.
Without an IRP in place, an organization hit by a cyberattack can spend two to three days trying to figure out what needs to be done, who is responsible for what, and what needs to be communicated to whom. I have seen this firsthand and unfortunately this scramble only compounds the damage done by the attack. With a proper IRP in place, these questions will already have been answered and the team can immediately get to work to mitigate the impact of the breach.
A collaborative approach to designing an IRP
One of my roles here at Compugen is to work directly with clients to help design an IRP that best fits their organization. Everything we do is based on recommended protocols from the National Institute of Standards and Technology Computer Security Incident Handling Guide (NIST 800-61). That being said, an IRP is not a one-size-fits-all proposition. The way we determine the best fit is by holding a private workshop with a tabletop mock cyberattack, walking through the various stages of what needs to be done.
You’d be surprised at how tricky even the simplest tasks can be under the pressure of responding to a cyberattack. For example, one of the first things to do when you’ve been breached is to create a data inventory: what data is stored where in your systems. I was once in a workshop with various members of the executive team and asked them if they had payment card information stored on their systems. Three of them gave me three different answers. One thought it was in the cloud, one thought it was stored on-premises, and another thought they didn’t store it at all. This kind of disconnect about where sensitive data resides can be devastating in the first hours following an attack.
As another example, suppose you lost access to the contacts list on your phone and had to call a friend or family member from someone else’s phone. How many of your close contacts could you call simply by knowing their cell number off the top of your head? Judging from my own situation, I’m guessing very few, if any. Now suppose you are part of an organization that has been hit with a ransomware attack and has lost access to the company directory. You need to communicate critical information to a list of people right away, but how will you do it?
Simulated attack, real results
One purpose of the IRP is to have these pieces in place before you get hit. That’s why in the workshop we walk you through creating a data inventory. We will help you create a contact list with step-by-step directions for what needs to be done and when.
We will also guide you in assigning the key roles that lead the team through the incident response. Let’s face it, not many organizations have designated cyberattack team leaders, and as a result, people don’t know whose instructions they should be following. This is probably the worst possible scenario that could arise, and yet it is all too common.
The workshop is usually held over two sessions with each session running about three hours. The break in between sessions ensures the team can complete some real-world assignments like creating an offline contact list and defining who the key team members are. We work with each client to ensure the IRP is tailored to their specific needs. At the end of both sessions, you will have peace of mind knowing your organization is prepared for any number of cyberattacks.
If you’d like to find out more about how an IRP can better protect your organization, feel free to drop me a line. I’d love to discuss it with you.