Responding to Cyber Risks in SMBs Using the NIST Framework

by | Nov 10, 2020 | Compliance, Security

Prudent business leaders and risk managers understand that identifying, protecting against, and detecting risks are necessary, albeit fallible, actions for mitigating a complex world full of risks. As we have seen from prior posts, cost, time, and resource tradeoffs exist in every business, hackers are creative, and humans are, well, human. That is why step 4 of the NIST framework, Respond, is crucial. A risk may make it through your cybersecurity layers “sandwich.” Whether or not your people stay productive, the enterprise stays up and running, and your data stays safe is the result of an effective response. Respond is often communicated as the “easy” part of cybersecurity. After all, you already have IT support in place and they’ll be there to “respond” and address any security incident, right?

Don’t bet on it.

Your current IT team will definitely respond, but don’t assume that they are prepared to do all of the right things. Every cybersecurity event is unique. Entering an event with a cavalier “been there, done that” attitude can lead to overconfidence and prematurely applying a fix that makes the situation worse. We have seen this happen all too often. For example, one company was hit with a ransomware outbreak. The IT person started to fix things but only then realized that the backups had been failing for months, and the removal of the ransomware broke the server. The company’s systems went down and the data was lost.

The response must be a thoughtful and proper one, based on the specific threat and on the actions laid out in a proactive response plan.


In the NIST Respond step, we:

1. Review the Response plan with the appropriate policies and procedures to ensure a prompt response to a cybersecurity incident.

2. Involve the Technical and Strategy teams to analyze the situation, communicate, and eliminate the threat.

Review the Response plan

The IT team you are expecting to respond to a cyber incident needs to have a plan in place. No plan usually means panic, a fire drill, and the IT cowboy mentality of just trying things and hoping something works. That is not a good place to be when you need help right now to get things under control and fixed right away. You want to know, before you need it, what the response will look like, so you have the comfort that your IT team is prepared to respond when needed.

The first part of our plan is to determine the right people on the team to address the incident. We have specific roles to assign: communication, technical, and client management. Having the same person play all 3 roles is a fail. I’m sure you’ve been there. Communication is often more important than fixing the problem. The assigned technician is immediately working on the problem. This is done in a systematic manner and it always accounts for the impact on the users. Your client manager will be notified of the situation and will be involved to ensure the communication is happening and the technical side is being handled as well as possible.


Involve the Technical and Strategy teams to analyze the situation, communicate, and mitigate the risk

You have had a cyber incident and now you need your IT team to get involved and respond right away. The Waident team has a systematic approach to troubleshooting, and that is part of our critical incident response plan for any cybersecurity breach. The first thing we do is communicate. We communicate internally, with the client, and with 3rd parties as needed. While the communication is happening, the assigned technician(s) are in parallel analyzing the situation to come up with a plan to mitigate and fix the incident. The plan is shared with the internal team and with the client. While the risk is being mitigated, the communication continues until the situation has been resolved. After confirming on the technology side that everything is back to normal, we confirm with the client and users that everything is working for them as they expect and need. At that point, we can claim success.

We do not leave it at that though. We want to know all of the details of how the cyber breach happened, the root cause, and how it could be prevented in the future. We also ensure that the hackers are completely out of the network and not hiding someplace. This process is done in the Recover phase of the NIST framework.


Conclusion: Responding to Cyber Risks in SMBs Using the NIST Framework

You can “respond” to a cyber incident, or you can Respond to a cybersecurity incident. The difference is an IT cowboy versus an IT team with a plan. You have put layers of cybersecurity protection and detection in place, but inevitably there is a security breach that could not be blocked. At that point, you need to respond to the incident and do it in a very crisp manner before the incident escalates and/or causes extended downtime. You really need an IT team with a plan.


Patrick Giatomosso
Cyber Security Leader
Patrick is Waident’s cybersecurity leader and manages NIST and Compliance for both clients and Waident. A tech at heart and a businessman in mind, he focuses on improving clients’ security posture and enhancing Waident’s Helpdesk support.
