As portions of the American workforce transition back to working in a physical office after shelter-in-place orders lift, special considerations for security teams arise. One of the best ways to approach this challenge is to revisit the company Incident Response Plan.
“A rigorously developed relevant Incident Response (IR) Plan that considers potential impact to all aspects of your business in its current and future states prepares you to quickly mobilize around minimizing the impacts of a breach,” says Paul Caiazzo, senior vice president of security and compliance at Avertium.
These tips will help businesses revise an existing company IR Plan:
Assess the risks. Businesses should perform a risk assessment to locate and document where the organization keeps its crucial data assets, and prioritize the remediation of security issues that are discovered during the assessment. Prevent incidents from happening by keeping up with good cybersecurity hygiene, including vulnerability management and regular penetration testing.
Reconfirm team assignments. Businesses should communicate with internal and external stakeholders and reconfirm their roles and responsibilities. Designate a computer security incident response team (CSIRT), being sure to include departments company-wide. Engage regularly with internal parties to keep data security top-of-mind at all levels of the organization and to set the stage for communication in the event of an incident. Keeping the organization’s CSIRT on its toes is even more important in a time when a remote workforce and outside distractions complicate incident response.
Customize the plan. If the current plan was developed from a template or perhaps is a carryover from a previous employer, this is a good time to review and customize it to meet the challenges presented by the current situation. Form a transparent communication plan with external parties that clearly states the degree to which they’ve been affected, if at all. Include a crisis communication plan to proactively detail how to work with the media.
Practice makes perfect. Businesses should implement processes and technology, such as training users to report suspicious or anomalous activities and test their knowledge regularly. Conduct tabletop exercises with the CSIRT with scenarios that are likely to arise from the current situation. Implement additional training to raise awareness of crisis-related phishing attacks, which have seen a huge uptick since this crisis began.
Detect security incidents in remote devices. In order to successfully respond to, contain and eradicate an incident, organizations must first be able to detect it. Rapidly detecting security incidents on remotely deployed devices can be a challenge for organizations that lack the right tools, procedures and training. Two tools that dramatically simplify this are cloud-based security information and event management (SIEM) technology alongside enterprise-grade endpoint detection and response (EDR). Organizations should integrate data from their remote endpoints into their SIEM, and correlate it with data from their other security tools, identity management platforms, cloud security tools and threat intelligence to get the visibility required.
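The correlation described above, as an added illustration that is not part of the original article and not Avertium's tooling: a small Python routine joins constructed EDR telemetry from remote laptops with identity-provider sign-in events and a threat-intelligence indicator list, and raises a finding when an endpoint event matches an indicator or occurs shortly after a sign-in from an indicator-listed address. All field names, hosts, users, hashes and IP addresses are constructed placeholders (documentation-range IPs), and the 15-minute window is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed threat-intelligence indicators (placeholders, not real IoCs).
INTEL_HASHES: Set[str] = {"deadbeef0001"}
INTEL_IPS: Set[str] = {"203.0.113.7"}  # TEST-NET-3 range, used only as a placeholder

# Constructed EDR telemetry from remote endpoints (hypothetical schema).
EDR_EVENTS: List[dict] = [
    {"ts": "2020-06-01T09:02:00", "host": "lap-017", "user": "alice",
     "process": "svchost.exe", "sha256": "deadbeef0001"},
    {"ts": "2020-06-01T10:30:00", "host": "lap-042", "user": "bob",
     "process": "excel.exe", "sha256": "cafef00d0002"},
    {"ts": "2020-06-01T11:05:00", "host": "lap-042", "user": "bob",
     "process": "powershell.exe", "sha256": "cafef00d0003"},
]

# Constructed identity-provider sign-in events (hypothetical schema).
IDP_EVENTS: List[dict] = [
    {"ts": "2020-06-01T08:55:00", "user": "alice", "src_ip": "198.51.100.4", "result": "success"},
    {"ts": "2020-06-01T10:58:00", "user": "bob", "src_ip": "203.0.113.7", "result": "success"},
    {"ts": "2020-06-01T10:59:00", "user": "carol", "src_ip": "192.0.2.9", "result": "failure"},
]


@dataclass
class Finding:
    severity: str
    user: str
    host: str
    reason: str


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def correlate(edr_events: List[dict], idp_events: List[dict],
              intel_hashes: Set[str], intel_ips: Set[str],
              window: timedelta = timedelta(minutes=15)) -> List[Finding]:
    """Join endpoint events with sign-ins per user and apply two detection rules.

    Rule 1: process hash on a remote endpoint matches a threat-intel indicator.
    Rule 2: endpoint process activity within `window` of a successful sign-in
            by the same user from a threat-intel-listed source address.
    """
    findings: List[Finding] = []

    # Index successful sign-ins by user so each EDR event is joined only
    # against that user's identity events (the SIEM-side correlation key).
    signins_by_user: Dict[str, List[dict]] = {}
    for s in idp_events:
        if s["result"] == "success":
            signins_by_user.setdefault(s["user"], []).append(s)

    for ev in edr_events:
        t = _parse(ev["ts"])

        if ev["sha256"] in intel_hashes:
            findings.append(Finding(
                "high", ev["user"], ev["host"],
                f"process {ev['process']} hash {ev['sha256']} matches threat intel"))

        for s in signins_by_user.get(ev["user"], []):
            if abs(t - _parse(s["ts"])) <= window and s["src_ip"] in intel_ips:
                findings.append(Finding(
                    "high", ev["user"], ev["host"],
                    f"process {ev['process']} started within {window} of a sign-in "
                    f"from intel-listed address {s['src_ip']}"))

    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per user, the shape a CSIRT triage queue would consume."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in correlate(EDR_EVENTS, IDP_EVENTS, INTEL_HASHES, INTEL_IPS):
        print(f"[{f.severity}] {f.user}@{f.host}: {f.reason}")
```

Run as written, the alice event fires rule 1 and bob's powershell.exe event fires rule 2; bob's earlier excel.exe event is 28 minutes from the sign-in and is correctly ignored. In a real SIEM the same join is expressed as a query over normalized fields, and the indicator sets come from a threat-intelligence feed rather than constants.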
Eradicate in place. Once an organization has detected an incident, it needs to activate the incident response plan and work to eradicate all traces of the security incident. Target the complete elimination of the threat, including removing any persistent access established by an attacker, cleaning up malware, disabling compromised accounts, and identifying the root cause of the incident. Document the root cause in an incident report, and expedite remediation of all vulnerabilities that were exploited. Use this to assist in responding to future attacks and in developing a plan of action to stop similar events from happening again. Operationalizing this capability is best enabled through a leading EDR tool deployed across an organization’s entire remote workforce. Be sure to include outside counsel very early in the process if there is any suspicion of a compromise involving Personally Identifiable Information (PII).
Revise restore-to-normal procedures. Certain systems may not have been viewed as critical in a primarily on-site environment, but may be much more critical in the age of a purely remote workforce. Review the order of recovery for systems and processes and adjust it for the current environment. In the event of a breach, be sure to apply lessons learned and revise the IR Plan accordingly to improve the organization’s security posture while maintaining business continuity. For example, identify areas of excellence and those that need improvement, as well as departments or individuals overlooked in the initial IR Plan.
Call for help. Many businesses lack the resources to develop, test and execute an effective incident response plan. Partnering with an outside consulting firm that has experience with different types of breaches across many industries can provide peace of mind in knowing there is a plan in place to deal with unexpected security incidents.
Avertium is one of the largest cybersecurity services providers to the mid-to-enterprise market. Forged out of three award-winning cybersecurity services companies, each with a unique perspective on the security landscape, Avertium brings enterprise-level security to the many mid-sized and larger organizations that don’t have access to comprehensive, specialized protection. The company’s dual security operations centers are in Arizona and Tennessee.