Preparing and responding to cyber security incidents

According to a report by the OAIC (Office of the Australian Information Commissioner), there were 518 notifiable data breach incidents in the first half of 2020. The report cites malicious criminal activities and human error as the leading causes of data breaches. Looking at those figures, not much seems to have changed over the last two years. But on a larger scale, cyber attack incidents have become more prevalent, sophisticated, and devastating.

Nowadays, it’s not a question of “if” your business will get attacked, but “when.” That’s why you should have a cyber incident response plan in preparation for the inevitable. Responding quickly can help minimise an incident’s impact, maintain compliance, preserve business continuity and retain public trust.

An effective cyber incident response plan is made up of six key phases:

1) Preparation

This is the most important phase of a response plan since it lays the framework for the response strategy. First, understand the nature and severity of the threats that your organisation faces, from ransomware to insider threats. Then identify all the critical business information systems and put in place contingencies in the event of compromise. For instance, create a reliable data backup and restoration system for sensitive data centres.

Lastly, define the incident response procedures for various scenarios and refine them through test drills and mock data breaches. And ensure all employees understand their roles and are well trained and equipped to handle any incident.

2) Identification

You can only understand a breach incident once you know its threat level and scope. Using cyber security systems and keen physical observations, you can quickly identify a threat’s origin, path and intentions. For instance, in case of a malware attack, gather useful indicators of compromise to work out where and how fast the malware is spreading. With that information, you can easily determine the compromised systems, affected operations, and how to handle the situation.
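The identification step above talks about gathering indicators of compromise (IoCs) and working out where and how fast malware is spreading. The following Python script is an added example, not code from the original article or from Intrix Cyber Security: it sweeps a constructed set of endpoint log lines against a hypothetical IoC list (file hash, domain, IP), lists the hosts that matched, records when each host was first seen, and derives a rough spread rate in hosts per hour. The log format, host names and IoC values are all assumptions made for the example; the hash values are SHA-256 digests of short test strings and the IP sits in a documentation range, so none of them are real indicators.

```python
"""IoC sweep over endpoint logs: which hosts matched, when, and how fast it spread.

Added example (not from the original article). The IoCs, log format and
sample log lines below are constructed for offline use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Hypothetical IoCs for an assumed campaign. The hashes are SHA-256 of the
# strings "test" and "foo"; the domain uses .invalid; the IP is from the
# 203.0.113.0/24 documentation range. None of these are real indicators.
IOCS = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "domain": {"update-check.example.invalid"},
    "ip": {"203.0.113.45"},
}

# Constructed log lines: "<UTC timestamp> host=<name> type=<kind> value=<observable>"
SAMPLE_LOGS = """\
2020-06-01T08:00:05Z host=ws-finance-01 type=sha256 value=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2020-06-01T08:02:10Z host=ws-finance-01 type=dns value=update-check.example.invalid
2020-06-01T08:03:00Z host=ws-hr-07 type=dns value=mail.example.org
2020-06-01T08:15:30Z host=ws-finance-02 type=ip value=203.0.113.45
2020-06-01T08:16:01Z host=ws-finance-02 type=sha256 value=2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
2020-06-01T09:40:12Z host=srv-file-01 type=dns value=UPDATE-CHECK.example.invalid
2020-06-01T10:00:00Z host=ws-hr-07 type=ip value=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+type=(?P<kind>\S+)\s+value=(?P<value>\S+)$"
)

# Map the log's observable type to the IoC category it should be checked against.
KIND_TO_IOC = {"sha256": "sha256", "dns": "domain", "ip": "ip"}


@dataclass
class Hit:
    ts: datetime
    host: str
    ioc_kind: str
    value: str


def parse_line(line: str):
    """Return (timestamp, host, kind, value) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Normalise case so mixed-case domains and hex digests still match.
    return ts, m["host"], m["kind"], m["value"].lower()


def sweep(log_text: str, iocs: dict = IOCS) -> list[Hit]:
    """Match every parsable log line against the IoC sets and collect the hits."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable line: skipped, not silently treated as clean
        ts, host, kind, value = parsed
        ioc_kind = KIND_TO_IOC.get(kind)
        if ioc_kind and value in iocs.get(ioc_kind, set()):
            hits.append(Hit(ts, host, ioc_kind, value))
    return hits


def spread_timeline(hits: list[Hit]) -> dict[str, datetime]:
    """First-seen timestamp per compromised host, in time order (dict insertion order)."""
    first_seen: dict[str, datetime] = {}
    for h in sorted(hits, key=lambda h: h.ts):
        first_seen.setdefault(h.host, h.ts)
    return first_seen


def spread_rate(first_seen: dict[str, datetime]) -> float:
    """Newly compromised hosts per hour between the first and last first-seen time."""
    if len(first_seen) < 2:
        return 0.0
    times = list(first_seen.values())
    span_hours = (times[-1] - times[0]).total_seconds() / 3600
    return (len(first_seen) - 1) / span_hours if span_hours > 0 else float("inf")


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    timeline = spread_timeline(found)
    for host, ts in timeline.items():
        print(f"{ts.isoformat()}  {host}")
    print(f"{len(timeline)} hosts compromised, ~{spread_rate(timeline):.2f} new hosts/hour")
```

Running the script prints the compromised hosts in the order they were first seen and a rate that an incident lead can use to decide how urgent containment is. Two details matter in practice: unparsable lines are counted as skipped rather than clean (so a log source with a different format does not create a false sense of coverage), and values are case-normalised before matching, since a mixed-case domain in one log source would otherwise slip past an IoC list written in lower case.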

3) Containment

Once you have identified the threat and established its scope, the containment process can begin. The goal of containment is to stop the breach in its tracks and prevent more systems from getting compromised. You can isolate the affected devices, disconnect networks and dump sensitive files – anything that can stop further damage.

At this point, you should have an idea of the potential impact of the incident. If the breach is covered under the Notifiable Data Breach (NDB) scheme, it must be reported to the OAIC.

4) Eradication

Devise an appropriate way to eliminate the threat, according to its nature. You might need to hire a third-party cyber security service for technical processes, such as deep-dive malware scans, server reconfigurations, data wipes, and system patching.

5) Recovery

The recovery phase restores normal IT and business operations after a data breach incident. In most cases, recovery involves restoring data backups, rebuilding server environments, reinstating disabled accounts and bringing all systems back online. The important thing is to ensure all affected systems are thoroughly screened, patched, hardened and tested before being used again to guarantee integrity and safety. In other words, there should be no chance of the same threat resurfacing or reoccurring.

6) Post-incident review

After the dust has settled, it’s a good time to discuss and review the incident with everyone involved in the response efforts. Ask yourself what your team could have done better and how to prevent such an incident from ever happening again. Amend, improve and refine your response strategy by learning from your mistakes and the outcome of your actions.

Moreover, an in-depth review of the incident and the response procedures can yield valuable insights on ways to fine-tune your organisational culture and security posture to be more proactive against cyber threats.

Conclusion

An incident response plan is an invaluable facet of any company-wide cyber security framework. As much as it’s important to prevent cyber attacks in the first place, you can never be 100% certain that your cyber defences can hold off every possible breach attempt. And that’s why an incident response strategy is crucial.

Like other cyber security measures, a response strategy needs regular updates to keep up with a changing threat landscape and newer technologies. So, audit and test your threat response mechanisms regularly, making adjustments where necessary. If your business needs help to prepare an incident response plan or defend against cyber threats, contact Intrix Cyber Security.