Prudent business leaders and risk managers understand that identifying, protecting against, and detecting risks are necessary, albeit fallible, actions for mitigating risk in a complex world. As we have seen from prior posts, cost, time, and resource tradeoffs exist in every business, hackers are creative, and humans are, well, human, which together produce a constantly shifting landscape of risks. That is why step 4 of the NIST framework, Respond, is crucial. A risk may make it through your cybersecurity layers “sandwich.” Whether or not your people stay productive, the enterprise stays up and running, and your data stays safe depends on an effective response. Respond is often communicated as the “easy” part of cybersecurity. After all, you already have IT support in place and they’ll be there to “respond” and address any security incident, right?
Don’t bet on it.
Your current IT will definitely respond, but don’t assume that they are prepared to do all of the right things. Every cybersecurity event is unique. Entering an event with a cavalier “been there, done that” attitude can lead to overconfidence and to prematurely applying a fix that makes the situation worse. We have seen this happen all too often. For example, one company was hit with a ransomware outbreak. The IT person started to fix things but then realized that the backups had been failing for months, and the removal of the ransomware broke the server. The company’s systems went down and the data was lost.
The response must be thoughtful and appropriate, based on the specific threat and on the actions laid out in a proactive response plan.
In the NIST Respond step, we:
1. Review the Response plan with the appropriate policies and procedures to ensure a prompt response to a cybersecurity incident.
2. Involve the Technical and Strategy teams to analyze the situation, communicate, and eliminate the threat.
Review the Response plan
The IT team you are expecting to respond to a cyber incident needs to have a plan in place. No plan usually means panic, a fire drill, and the IT cowboy mentality of just trying things and hoping something works. That is not a good place to be when you need help right now and need things brought under control and fixed right away. You want to know, before you need it, what the response will look like, so you have the comfort of knowing your IT team is prepared to respond when needed.
The first part of our plan is to determine the right people on the team to address the incident. We have specific roles to assign – communication, technical, and client management. Having the same person fill all three roles is a failure waiting to happen. I’m sure you’ve been there. Communication is often more important than fixing the problem. The assigned technician immediately starts working on the problem. This is done in a systematic manner and it always accounts for the impact on the users. Your client manager will be notified of the situation and will be involved to ensure that the communication is happening and that the technical side is being handled as well as possible.
Involve the Technical and Strategy teams to analyze the situation, communicate, and mitigate the risk
You have had a cyber incident and now you need your IT team to get involved and respond right away. The Waident team has a systematic approach to troubleshooting, and that is part of our critical incident response plan for any cybersecurity breach. The first thing we do is communicate. We communicate internally, with the client, and with third parties as needed. While the communication is happening, the assigned technician(s) are analyzing the situation in parallel to come up with a plan to mitigate and fix the incident. The plan is shared with the internal team and with the client. While the risk is being mitigated, the communication continues until the situation has been resolved. After confirming on the technology side that everything is back to normal, we confirm with the client and users that everything is working for them as they expect and need. At that point, we can claim success.
We do not leave it at that, though. We want to know all of the details of how the cyber breach happened, the root cause, and how it could be prevented in the future. We also ensure that the hackers are completely out of the network and not hiding someplace. This process is done in the Recover phase of the NIST framework.
Conclusion: Responding to Cyber Risks in SMBs Using the NIST Framework
You can “respond” to a cyber incident, or you can Respond to a cybersecurity incident. The difference is an IT cowboy versus an IT team with a plan. You have put layers of cybersecurity protection and detection in place, but inevitably there will be a security breach that could not be blocked. At that point, you need to respond to the incident, and do it in a very crisp manner, before the incident escalates and/or causes extended downtime. You really need an IT team with a plan.