In the event of a security emergency, a fast, well-considered reaction is essential – the incident response. What does this involve? Find out here. We also provide a few concrete tips on how to optimize it.
First things first: We hope you never need an incident response. But as with all emergencies, cyber emergencies can be better managed if you are well prepared. We would like to contribute to this with this article.
If you know what to do and have already made arrangements for your incident response, your organization can return to productive business more quickly in the event of an emergency. Plus, in the rush and confusion of a cyber emergency, you will be able to stay calm, act more thoughtfully, and provide guidance to others.
Especially important: The right, specialized contacts
Cybercriminals often intrude deeply into the system they attack. For example, they execute a very comprehensive ransomware attack in order to give their victims no choice but to pay the demanded ransom. Or they prepare to be able to attack again after an incomplete removal of the malware. Therefore, we strongly recommend calling in appropriately specialized cybersecurity or IT forensics experts in the event of a cyber emergency.
Basic considerations for your company’s incident response
You are best placed to assess how important a good incident response is for your company. What damage would a cyber emergency cause? For example: If all computers, servers, printers and other systems such as computer-controlled production lines fail. If you can no longer access your customer data or incoming orders no longer arrive in your system. What impact would your company then have to reckon with?
These considerations are rarely pleasant. But on their basis, responsible decisions can be made with regard to incident response. At the same time, these considerations help you to identify data and systems that are particularly worthy of protection.
This is how an incident response works
Good incident response occurs in three phases: before a cyber emergency, during an acute incident, and after a cyber emergency. The first phase is particularly important. This is because all further measures build on it.
Phase 1: Measures before a cyber emergency
This phase has a huge advantage: there is no time pressure. You can review and optimize your plans and procedures at your own pace. Ideally, you will already be supported by specialized experts from the field of cybersecurity or IT forensics.
The key question here is: How can damage caused by a cyber attack best be avoided or reduced? The respective measures must of course be adapted to the specifics of your company. Many of them also have a preventive effect, i.e., they can avoid cyber emergencies.
Typical measures include:
- Optimization of the company’s IT structure to specifically protect sensitive areas
- Technical review of servers and networks for security gaps
- Minimization of organizational security gaps, e.g., due to devices used for business and private purposes
- Employee training on cybersecurity and how to behave in cyber emergencies.
An emergency plan for fast, structured responses in the event of an emergency
An emergency contact list with, among others, cybersecurity or IT forensics experts
A back-up strategy that takes into account, among other things, data loss due to ransomware
Phase 2: Measures in acute cases
In the event of an emergency, things have to happen quickly. Because cyber emergencies often cause production stops. But: Many hackers rely precisely on this time pressure and “hide” parts of their malware in the system so that they are difficult to find. Therefore, thoroughness is also crucial in an acute case.
Key measures of incident response in acute situations:
- Analysis of which systems are infected, with which malware, what damage already exists.
Checking how the malware entered the system and whether other, perhaps still inactive components are present
- Closing security gaps, including those caused by the malware itself
- Removal of the malware
- Restoration of lost data, e.g. via back-up
Phase 3: Measures after a cyber emergency
A cyber emergency must be documented and, in most cases, reported to the appropriate authorities. It may also affect your customers or partner companies – who you must then inform. Last but not least, a cyber emergency shows you where your company’s cybersecurity should be improved.
Common actions following a cyber emergency include:
- Documentation of the incident
- If necessary, report to the relevant authorities
- Notification of insurance company, if applicable
- Notification of affected parties, if applicable, e.g. if customer data could be accessed
- Optimization of cyber security through technical measures and training for employees
Our top 3 tips for your incident response
- Get started. Define: Who is in charge of incident response in your company? Talk it over with the responsible person or department. If necessary, contact external cybersecurity or IT forensics experts and arrange a consultation appointment (often free of charge).
- Reduce one of your biggest cyber risks. Improve phishing awareness in your organization. After all, a legitimate-looking email with a malicious attachment or link is quickly clicked in the busy workday. How quickly? Perseus offers you a free test of how vulnerable your company is to phishing attacks. Based on this, you can plan further steps.
- Secure your data with backups. Cyber emergencies, such as those caused by ransomware, can lead to major data losses. The more up-to-date your backed-up data is, the better. IMPORTANT: Always keep at least one back-up inaccessible from your system. For example, on an external, unplugged hard drive. In many attacks, backups are specifically searched for in the system and destroyed or encrypted.
Do you have a cyber emergency or would you like to optimize your incident response with us? Then contact our experts at Perseus.
Would you like to take a closer look at the topic of incident response? Then why not request our free guide “What to do in a cyber emergency”? You will find much more information than you can fit into one blog article.