As we enter a new year, I have put together some lessons learnt based on my previous incident response experience. There is nothing ground-breaking in the list, just a general reminder and essential tips to help you prepare for an incident.
For those unaware, one of my first roles working for Westpac was managing major frauds and incorporating lessons learnt. During this time, I dealt with many people face-to-face whose life savings had been taken from them and the emotions associated with that loss. I have also worked alongside clients who have had cyber incidents, working in the capacity of their virtual CISO. So, I am very passionate about incident response and ensuring organisations have the right tools in preparation for a cyber incident.
Where most organisations fail are:
- Lengthy incident response plans which are hard to follow during an incident
- Staff not being aware of, or understanding their roles and responsibilities, and
- Executives taking too long in their decision-making regarding communication plans and ransomware demands.
All these issues are easily addressable with greater preparation and testing. User education is also essential. Employees should be able to identify information security weaknesses and incidents and know how to report these correctly and in a timely manner.
One of my mini cheats for this is a poster I created for clients to put up around the office (I know very retro of me) and to distribute in company e-newsletters; it is a quick guide to:
- what an incident is
- how to recognise a security weakness
- who to contact, and
- what to do in the event of ransomware.
The key here is to keep repeating the message until everyone in your organisation sits up and pays attention!
When developing an incident response policy and procedure and a notifiable data breach plan (if applicable), it is essential to create a working group of key stakeholders. The key stakeholders (depending on the organisational structure) should include the CISO, CIO, IT Manager, Helpdesk, Legal, HR, Marketing and Communications, Risk Manager/CRO, Internal SOC or equivalent positions. It is essential that during the workshops, key roles and responsibilities are identified. Incorporated in the plan should also be when these key stakeholders should be engaged or notified, a representative to talk to the CEO and the Board and a spokesperson for your organisation if a public statement is required.
Other documents that should be developed during the working group sessions include a communications plan and playbooks to address various threat scenarios. It is critical to ensure these are in place and ready to go in the event of an incident.
Once the relevant incident response documents have been developed, one of the critical exercises an organisation must undertake is an incident response tabletop, first with the IT and CSIRT team and then with the executive and board. Lessons learnt should be adopted by these exercises and used to improve the current processes and procedures.
Do not make the mistake of having too many playbooks as part of the documentation inventory, complicating the exercise. Also, ensure all your incident response documentation is available in hard copy, as an incident may prevent you from accessing your online documents. It also helps to have a quick one-page guide for your CSIRT so that they can see where you are up to in your incident response plan and what the next stage is, so they can ensure they are ready to go for each stage.
0 Comments