Rehearsing and refining your cyber incident response plans ensures you can minimise the damage if attackers manage to breach your defences.
Australian businesses can do a lot to reduce their attack surface area, from maintaining a regular patching schedule to mandating the use of multi-factor authentication throughout the organisation. Yet even the best-laid plans can go awry, so a detailed incident response plan must accompany cyber defences, says Jason Koch – Managed Security Services Manager at Orro.
Incident response plans must extend beyond technical countermeasures to take a holistic approach to managing and minimising the impact of a breach.
“Every business needs some level of an incident response plan playbook, which includes a crisis management process that’s agreed to at the executive level,” Koch told Orro’s recent Cyber Security Update.
“It’s vital that everyone in the business understands what they need to do in the event of a security incident, which includes detailing how internal decision-making powers might change during the incident.”
While developing and reviewing incident response plans is critical, it is also vital that businesses practise putting those plans into action. Cyber simulations offer a great way “to practise what you preach” and help everyone in the business prepare for the pressures of responding to an actual incident.
“Cyber simulations aren’t just practised for the IT team; they’re also designed to help the executive team experience what it is like responding to a cyber breach in real-time,” Koch says. “This includes keeping a cool head and following predefined procedures rather than making rash decisions in the heat of the moment.”
“Practice also allows you to improve your processes, so you can use those activities as a learning exercise to determine how you can do better in future and stay ahead of the game.”
Issues to consider include determining which devices, tools and documentation are required during an incident response. It is critical to ensure the right people will still have access to these, even if defences are breached.
Studying cyber threat intel from the Australian Cyber Security Centre (ACSC) and industry-specific sources such as FS-ISAC for the financial services sector allow businesses to update their incident response plans to incorporate the latest specific threats to their sector.
This kind of insight allows businesses to conduct a risk assessment that considers the common security cyber attacks and vectors in their industry, which includes factors such as exposure based on external-facing infrastructure.
“You must also consider how you are going to handle the media and public relations, as that’s one of the most critical items when it comes to protecting brand reputation and managing the public’s perception of your business through an incident,” Koch says.
“The openness in your communication, providing specific information to the right stakeholders in a timely manner, is critical regarding how you’ll recover and retain customers after a cyber breach.”
In the event of an incident disrupting critical infrastructure, organisations must report the incident to the ACSC within 12 hours. Other incidents must be reported within 72 hours under the latest Security of Critical Infrastructure (SOCI) Act reforms, says Michael van Rooyen, Orro’s Chief Technology Officer, Networks.
“Having a robust cyber incident response plan makes it much easier for organisations to meet this obligation during an incident,” van Rooyen says. “Especially as they need to understand the significance of the impact when reporting it.”
“An incident response plan must include determining who within the organisation is responsible for triggering the countdown for that 12 or 72-hour reporting deadline, and who will undertake that reporting, to avoid significant penalties.”