Not all disasters are created equal. Tornados call for sheltering in a basement away from windows, floods call for finding higher ground, and fires mean leaving the building altogether. Depending on the nature of the incident, the instructions for immediate safety and recovery are vastly different. The logic behind these protocols is obvious, so why are security plans so often switched, confused, or ignored in cyber disasters?
Cyberattacks can be just as varied as natural disasters. Phishing attacks, brute-forcing of accounts, and complicated ransomware executions are all different disasters, and each calls for its own safety procedure. Just as you wouldn’t recommend going to a basement during a fire nor running outside during a tornado, it is crucial to tailor safety plans to the type of cyber disaster. Organizations can do this by implementing a business cybersecurity plan.
What is a Business Cybersecurity Plan?
At its core, a business cybersecurity plan is a playbook that addresses the key players, the emergency contacts, and the framework to respond to cyber incidents. This is a more specific safety plan that provides information beyond business interruption and considers all cyberinfrastructure within an organization. A plan like this goes beyond the basic “stop, drop, and roll” safety instructions — cybersecurity is an industry that changes daily, and the plans that protect organizations need to stay just as agile. Here are three things to keep in mind for organizing a plan:
Keep your plan business-specific.
How does your organization interact with technology on a daily basis? For example, do you rely on online payment card transactions? Do you collect healthcare data on patients? Do you have any major systems open to the public internet to run your day-to-day operations? When creating a cybersecurity plan to comply with regulations, provide information to insurance, and define your priorities, take your own organization’s needs into account.
A good cybersecurity plan leaves room for updates and, better yet, is informed by the latest security strategies. It should be treated as a living document that changes according to the latest threat intelligence, the newest third-party vendors you bring on board, the type of attack you may fall victim to, and so on. As such, we don’t recommend rigid, end-all-be-all instructions. Since updates are so frequent in cyber, it’s better to keep a trusted expert nearby to decide on a course of action than to rely on an outdated instruction.
Cover all your bases.
You wouldn’t install smoke detectors in only half the rooms of your house — make sure you don’t cover only half of your technological infrastructure. Some basic considerations include your email service provider, cloud storage provider, any Software as a Service (SaaS) products, and any other third-party vendors that have access to your internal network. Of course, your infrastructure will depend on the nature of your organization, but be sure to include these components in your cybersecurity plan.
How to make a Business Cybersecurity Plan
Just as different buildings require different exit routes, organizations require customized cybersecurity plans to account for their own unique structure. Our top three features, which should be included in every disaster recovery plan for when crisis strikes, are emergency contacts, proper communications, and a holistic incident response plan.
For emergency contacts, try to go beyond the typical phone book format. Instead, organize your teammates and assign the members best suited to respond to a cyber incident for your business. To keep all hands on deck, try to include departments ranging from IT, security, and legal to communications, HR, and risk management.
Working through proper communication channels in order of primary and secondary contacts will help moderate and mitigate the confusion that’s bound to arise amid a cyberattack. If your organization’s resources are limited in this area, be sure to bring on security experts to accurately alert you to attacks and field incident response from there.
Once contacts and communications are in order, you are well positioned to dive deeper into an incident response plan. There are a few guidelines that all organizations can follow in the event of an emergency:
Cyberattacks like ransomware rely on spreading to as many workstations as possible within a network, so once an attack is discovered, containing it is most often the top priority. Enact your cybersecurity plan and bring appropriate teammates, IR firms, and cyber insurance resources to your aid to contain the incident. Usually, this means disconnecting devices from the network if possible rather than just turning them off, since powering a machine down destroys volatile evidence such as what is held in memory.
Your cybersecurity contacts and resources will reiterate this message: preserve what you can. Learning how an attacker infiltrated the network, what actions they took, and how they distributed their attack is crucial for providing evidence, contributing to overall threat intelligence, and, in some cases, restoring data they may have manipulated. Therefore, be sure to preserve forensic evidence where available, usually in the form of logs. Keep in mind that if you rely on a Managed Service Provider (MSP) or another third party for your critical infrastructure, they may hold the logs that pertain to their systems.
Some may argue that this hinders the response (working through logs can be very time-consuming). However, this is important for contributing to overall threat intelligence, further protecting other organizations, and disclosing vulnerabilities that others may fall victim to.
As the response is underway, communicate with your stakeholders only as necessary. Be mindful to include only the most relevant information that pertains to them specifically. For example, this could be telling internal employees how they need to conduct their work during the response and restoration, what actions they must take to enforce (or reinforce) the security measures on their individual accounts, or what to expect in the coming days and weeks.
With more sensitive data such as Personally Identifiable Information (PII), SSNs, credit card numbers, etc., be sure to disclose a “breach” only after the proper authorities have determined that it qualifies as one — ideally a privacy attorney on your cybersecurity plan contact list.
While each incident is unique, that doesn’t mean the next one is a foregone conclusion. There is something to be learned from each zero-day vulnerability, each open Remote Desktop Protocol connection, even each phishing campaign from a threat actor. Learn from your recent incident, adapt your cybersecurity plan to accommodate it, and apply organization-wide changes wherever necessary.
Not all disasters are created equal, but with proper planning, attention to updates, and trusted experts on your side, your organization can remain calm, agile, and, most importantly, safe.