Cyber Security Incident Response
July 6, 2023
Microsoft Australia

Building a strong cyber response capability

The intensity and sophistication of cyber-attacks are on the rise. Although some organisations are experts in dealing with them, many are unequipped or unprepared.

It’s no longer a question of if you’ll get breached…

If you have yet to deal with a cyber security incident, you have been lucky. Microsoft’s 2021 Digital Defence Report shows that these incidents are increasing in both intensity and volume. Adversaries are adapting their tactics and techniques and are better able to overcome defences.

The annual report from the Australian Cyber Security Centre (ACSC) also highlights concerns in the Australian threat environment, including:

  • A 15% increase in ransomware attacks in Australia.
  • A cyber-attack is reported every 8 minutes (up from every 10 minutes).
  • The increasingly publicised nature of cyber-attacks, both locally and internationally.
  • The financial cost to businesses and governments (an estimated $33 billion lost to cyber criminals).

Incident response is different from 10 years ago.

Adversaries today are more professional and opportunistic. They get into networks quickly, scanning for publicly known vulnerabilities and moving fast once inside.

In addition, some adversaries are deliberately public in their disruption. It can be easier to extort a ransom when the organisation’s reputation is on the line, not just its information and systems. As we all know, it’s not uncommon for a cyber-attack to make the front pages.

What does this mean for your organisation?

More professional adversaries are a negative from a cybersecurity perspective; however, there are positives too, as we now have tools that give you:

  1. Greater visibility of your network
  2. A more advanced ability to detect an attack

Also, we know the landscape. Adversaries want to disrupt and embarrass, but knowing what an attack might look like lets us prepare. Being prepared includes having a media and customer engagement plan. Having solid plans means you’ll handle the incident properly, with minimal damage to your brand and reputation.

How do you start building a good cyber response capability?

You don’t necessarily need a dedicated cyber security team. However, businesses of all sizes need to put basic cyber hygiene in place.

Successfully managing network security and handling incidents needs:

  1. Leadership buy-in: You need leaders from the CEO down to buy in, because security needs funding. You’re more likely to get that funding when leadership understands that cybersecurity is more than just a technical issue; there are legal, PR, brand and other considerations.
  2. Visibility: Know what “crown jewels” you want to protect and where they are. Have a strong logging and backup capability.
  3. A strong IT skillset: Have a solid understanding of your IT foundations. Understanding your network is critical. Build on that foundation with people who have cyber security skills, or with cyber security firms you can call on in an incident.

The next step: growing your response capability

Smaller businesses don’t need their own digital forensics capability. What you do need is to lay the groundwork for digital forensics before you’re breached.

Growing your capability should cover:

  • Planning your response in advance and testing that plan with executives.
  • Understanding who you’re going to engage and when. You may need a retainer in place now with an incident response company; you don’t want to waste time looking for expertise when you need help urgently.
  • Preparing for the questions the board, shareholders and customers will have if there’s a breach. Make sure you have the visibility, tools and logging in place to be able to answer them.
  • Developing a customer engagement plan, a legal plan and a public relations plan. Practise and rehearse your plans so they’re ready to roll out.
  • Learning from any incidents and working out what you need to change.

Ensure the plan survives first contact with the enemy

A breach is a crisis affecting many parts of the business. That’s why you need an incident response plan that extends beyond the technical. Yes, you need the technical capabilities, but your plan should also include input from leaders and teams across all relevant areas, including legal, PR and brand.

When you are breached, you’ll be glad you put the tools and plans in place now instead of trying to do it mid-crisis.


This post was written by Microsoft Australia