Ask any CISO and they’ll tell you dealing with the immediate challenges of an active cyber incident is only half the battle (less, actually). An effective response requires a well-executed incident response and remediation strategy that covers both before and after an incident to limit both major disruption to business operations and financial harm.
As ransomware events have become commonplace (and, unfortunately, more profitable for threat actors), cyber risk has become top of mind for a broader set of organizations than ever before. Thus, we’ve witnessed the rise in popularity of robust, standalone cyber liability policies — what were previously a niche product.
With more organizations eager to invest in their cyber resilience, preparedness, and insurance, there are two key angles of incident response to consider:
The things your organization can do independently to prepare
The way your organization works with your cyber insurer, before, during, and after a cybersecurity incident
What Are the 3 Keys to a Successful Cyber Incident Response?
1. Prep Before the Incident
Lucky you: you’ve never had a breach at your organization thanks to your cybersecurity risk management efforts. You haven’t experienced any frantic alerts from IT, any belligerent ransom demands, and the IT system is generally an afterthought. At this moment, an incident response policy may not be top of mind. But time and time again, we’ve seen that those who prepare accordingly before a worst-case scenario have the quickest and most effective turnarounds after a cyber attack. Below, we’ll highlight some key preparation must-haves to ensure your organization can bounce back fast if that unfortunate day rolls around.
This written document showcases that your organization has a system in place before there’s a breach, enabling a quick response for mitigating threats. If you don’t have an IRP in place yet — that’s where to start. The SANS Institute, a provider for security training and certification, published a handbook on a structured 6-step plan for incident response training which includes details on developing an IRP and practicing a “fire drill.”
Your IRP should clearly outline your carrier’s contact information, as they’ll be a first line of contact for providing you with resources to get out on the other side, such as breach coaches and forensic teams.
Develop an asset inventory of incident response tools
The Corvus team has seen countless organizations deal with cyber incidents, but one of the most efficient responses we’ve seen started out with an advantage. They had a clear asset inventory established before the incident, saving them precious time in the early hours of the incident. Half the battle is knowing what you have. Outline all of your systems and their associated applications.
Know your Tier 1 infrastructure, which is the bare minimum of what you need up and running to be able to do anything.
Have a robust backup strategy
Properly maintained and protected backups can be your strongest asset for bouncing back quickly after a ransomware attack. Consider the 3-2-1-1-0 backup strategy, which ensures you have multiple copies of your data stored with different forms of media (your own production data, offsite storage, and immutable backups — to name a few).
2. Knowing the Key Steps of Incident Response
Maybe you’ve received an alert from your COO — there’s a suspected breach at your organization, and you need to be wary of incoming emails — or everything has gone offline completely. No matter the circumstances, panic might be setting in. Before anything else, we’d like to highlight how parallel work streams can help your organization move forward in the incident response process. As opposed to constricting your teams to working through a linear timeline, waiting on one result before starting the next stage, we suggest the practice of different work streams occurring simultaneously that spawn from one Incident Response Lead that oversees the entire process.
The sub-teams will focus on recovery, containment, and forensics, all with the common goal of resolving the incident.
The first phase of the recovery process typically involves a third-party performing a forensic examination of the IT system. They want to paint a picture of exactly what happened within your environment, and the investigation will run smoother with coordination from a team of employees providing resources to the forensics experts.
The goal here is to prevent further access or damage to your systems through cyber risk reduction. With the help of insights from the forensic team, you can go beyond the basic preventative security methods (like changing passwords of admin accounts and disconnecting the environment) to pinpointing specific measures to decrease risk to your organization.
After making significant progress with the above efforts, new sub-teams can form to start repairing damage, restoring data, replacing hardware, and generally getting back online. A huge organizational help can be working from one single document that contains the status of all of the operating systems. This enables everyone, across teams, to update the tracker to the current status of each system. For more on how each of these steps can be done optimally, read our full guide to Incident Response Done Right here.
3. Work WITH Your Insurer
One of the primary benefits of cyber insurance is that your provider can be your greatest advocate in responding to a cyber incident. But it’s important to know how to leverage their resources for maximum impact and to avoid common mistakes that can derail your incident response services. Below are some quick best practices (dive in deeper here) for working with your carrier through an incident:
Before an incident
Socialize the IRP among necessary staff and do training on how to recover from cyber attacks and security threats. When creating an IRP, make sure to document the who, when, and how of contacting your carrier — they can help if needed!
When you discover an incident
Follow the instructions and security measures in your IRP on who will contact your carrier, and how. Do so with safety in mind (don’t use email accounts that may be compromised).
As you work with vendors
Tell your carrier what you know, but resist starting your own internal investigation. Your vendors have your best interests in mind.
Your carrier’s claims team has the experience and knowledge to recommend vendors, use it to your advantage!
Be forthcoming with vendors — tell them everything you know so they can better serve your organization
As you work with counsel
Be ready to act quickly on the advice of your counsel to ensure you comply with notification laws and avoid additional fines that would increase the cost of the incident
When you can reflect
Have an honest post-mortem to understand what your team did well in responding to the incident, to help improve your cyber mitigation strategies. Unlike lightning striking twice, unfortunately, attacks can (and do) happen again to victims, and you can be even better prepared in the future through proper cyber risk mitigation.
Be ready to show investigators the extent of your preparations and the ways in which the security professionals on your team acted in accordance with those preparations.
For more tips on how to work with your cyber insurer on incident response, you can read our full guide here.