The Importance of a Cybersecurity Incident Management Process (CIMP) – Day 16 of Cybersecurity Awareness Month
It seems like every time we turn on the news, we hear about a ransomware attack or a breach on a government or public entity. And we need to know: what is this? Why does it matter to our companies? And how can we guard against these cyber attacks? So we have Craig Taylor here today of CyberHoot, and we're hoping that he can answer these questions for us.
Thank you, Shelly. Yeah, you're absolutely right. You can't turn on the news these days without a breach. In fact, as we're recording this, we hear about Facebook being down and some other big companies being down and offline today, though there's been no explanation. The FBI has two sayings, or a saying, that goes like this. It's quite common in the cybersecurity industry, but it might be a surprise to the business owners and MSPs out there.
They say there are two types of companies in the world. The first kind of company is those that know they've been breached. The second kind of company is those that don't know they've been breached. There's an inevitability in the FBI's view of small-to-medium-sized businesses and MSPs: at some point in your existence, you will be breached. CyberHoot, which tends to be a little bit more forgiving than the FBI, which says everyone's been breached, sort of thinks that there are a lot of you out there that might not have been breached yet. But preparing for that inevitability is so important. And that's why we're here today to talk about cybersecurity incident management processes: the organized, reproducible methodology for handling a breach consistently, time after time. And it's very important.
Okay, so preparing ahead of time by creating this plan is the key. Yes. So what goes into an incident response plan?
That's a great question, Shelly. At the beginning, we have this slide to share with you, and it goes through the five stages of handling a breach, starting from identification. A lot of times, I've taken more false-positive escalations on a potential breach in my lifetime than legitimate breaches. So identification is confirming that a breach has occurred and to what extent the damage or potential issues reach. That all happens in the very first phase, identification.
Once you rule that something is a breach and you say, yes, we know that we've been impacted by malware or ransomware, a hacker is on our systems, or our website is down, whatever the case may be, you immediately move into containment. That is, containing the breach from getting worse, from spreading beyond the systems that it's impacting initially. From there, once you have containment, then you need to eradicate the infection in the site, or the computers, or the network within which you've contained that infection or that breach.
So eradicating means stamping out the breach: removing infected systems from the network so they can be rebuilt, cleansing the network, and putting things back together. Once you've removed the breach, from eradication you move to step four, which is recovery: bringing these systems back online and testing that they come online properly. This is a key part of having the plan in place ahead of time, because sometimes there's an order of operations to how you need to bring things back on: first you bring up the database, then you bring up the middleware, then you bring up the website. If you do it in the wrong order, nothing works.
So you need to have these things orchestrated. Finally, there's a step five that often gets forgotten, because everybody breathes a sigh of relief: everything's back up and running. But you're missing out on a really important opportunity to improve. That step five is the revision phase, or root cause analysis. Where did we go wrong? How did we make this mistake? How did this breach occur? And how do we prevent it from happening again? What are the opportunities for us to improve, to make ourselves better? Maybe it's in our documentation. Maybe it's in our technology stack. Maybe it's in educating the employee who clicked on a malicious link of some kind. So that, in a nutshell, is the five steps of a cyber incident management plan that every company needs to have ahead of time. Preparing ahead is so helpful.
Oh, great advice. Great advice. So does every company need a cyber incident management plan?
You know, Shelly, that's a great question, because I'm sure there are a lot of folks listening to this that might think they're too small: "I only have 25 employees. That's for enterprises with thousands of employees." Well, did you know that the latest statistics from Verizon, which does a data breach report every year, claim (and this is based on as many data points as they can get, thousands and thousands) that if you're an SMB or an MSP with 10 or 11 employees up to 100, you're 15 times more likely to be attacked successfully and breached than a larger company or a smaller company with fewer than 10 employees? So the answer to that question, Shelly, is 100% affirmative. You must have a cybersecurity incident management plan in place, tested and exercised,
so that you know how to react under the pressure of a security incident. You have the right people making decisions on things like who has permission to take our website down, because we're actually still having customers visit us, but we need to take it offline to rebuild it because it's been compromised or defaced or what have you. So yes, every company needs it, especially MSPs, because they're dealing with breaches at many of their clients, and they need to be intelligent and thoughtful and have a reproducible process each time they go through one.
Okay, so all MSPs and SMBs need a cybersecurity incident management plan, and they need to make sure it's tested and enacted before the breach happens. Yes, exactly. Can CyberHoot help companies with this?
Actually, that's one of our sweet spots. Thanks for asking. We have a series of vCISOs, our virtual chief information security officers, and the templates that go with them to create your Cybersecurity Incident Management Plan, using best practices out of NIST and experience and all of that. Yes, we're absolutely able to help companies with this.