Do Your Best, but Plan For the Worst
In the previous article, we discussed why we can’t guarantee complete protection from cyberattacks, and how the best way to deal with this fact is to first recognize it, then act on it while also implementing the first phase of the cyber incident life cycle – preparation. As a result, the top ten recommendations for preparing for a cyber incident are as follows:
IRP (Incident Response Plan)
Create and maintain an incident response plan that is tailored to your company’s needs. Be as detailed as possible about the activities that must be carried out in the event of a cyberattack, and define how to categorize cyber incidents’ severity levels and the actions required at each level. Keep a few hard copies of the IRP on hand in case the cyberattack disrupts the digital copy availability.
BCP (Business Continuity Plan)
Create and maintain a BCP document that includes a BIA (Business Impact Analysis) that is consistent with your business logic. Include proper asset mapping, asset criticality, and other factors such as RTO (Recovery Time Objective) and RPO (Recovery Point Objective). An accurate and detailed BCP is critical for analyzing the business impact of events and designing better recovery strategies.
Sign a Contract With a Reputable IR Company
Make certain that your company enters into an IR (Incident Response) retainer contract with a professional IR company, with a predefined SLA that meets the requirements of your company’s BCP. Ensure that the IR provider has the necessary experience and expertise with your technology stack and infrastructure (e.g. cloud-based, on-premise and other parameters). Make certain that the contract includes a comprehensive site review for IR readiness assessment, updated every 6 months, so that your IR provider is well acquainted with your structure and business processes in advance, rather than during the incident itself.
Execute Cyber Drills
Plan and carry out cyber drills for both the IT department and senior management. Put your playbooks, procedures, and expertise to the test during these drills to ensure you’re ready for the real thing. Conduct cyber drills at regular intervals based on your organization’s readiness, maturity, and previous drill results, but at least once a year.
Examine Your Company Logs
Ensure that all of the organization’s digital assets are generating logs, that log retention is at least one year, that logs are forwarded to a centralized system (ideally a SIEM system), and that logs are protected from deletion and tampering.
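Two of the checks above can be automated. The following example, added here and not part of the original article, shows a tamper-evident hash chain over a batch of log lines (the chain head is what you would ship to the SIEM or a write-once store, so a line that is later edited or deleted on the host no longer reproduces it) and a staleness check that flags hosts which have stopped forwarding. The log lines, host names and the 15-minute gap threshold are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample log lines; the format "<ISO timestamp> key=value ..." is assumed.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z host=web-01 event=login user=alice result=success",
    "2024-03-01T10:05:12Z host=web-01 event=sudo user=alice cmd=/bin/systemctl",
    "2024-03-01T10:07:40Z host=db-01 event=login user=svc_backup result=success",
    "2024-03-01T10:09:03Z host=web-01 event=login user=bob result=failure",
    "2024-03-01T10:18:30Z host=fw-01 event=policy_reload result=success",
]

GENESIS = "0" * 64  # fixed starting value for the chain


def chain_digest(prev: str, line: str) -> str:
    """Digest of one line bound to the digest of everything before it."""
    return hashlib.sha256((prev + "\n" + line).encode("utf-8")).hexdigest()


def seal_log(lines) -> str:
    """Walk the batch and return the chain head. The head is the only value
    that needs to be stored off-host; the lines themselves stay where they are."""
    head = GENESIS
    for line in lines:
        head = chain_digest(head, line)
    return head


def verify_log(lines, anchored_head: str) -> bool:
    """Recompute the chain from the lines as they exist now and compare it to the
    head recorded off-host. Any edit, deletion, insertion or reordering breaks it."""
    return seal_log(lines) == anchored_head


def _parse(line: str):
    """Split a sample line into (timestamp, fields dict)."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(p.split("=", 1) for p in parts[1:])
    return ts, fields


def last_seen_by_host(lines) -> dict:
    """Newest timestamp observed per host in the batch."""
    seen = {}
    for line in lines:
        ts, fields = _parse(line)
        host = fields["host"]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def stale_sources(lines, now: datetime, max_gap: timedelta) -> list:
    """Hosts whose newest line is older than max_gap: candidates for a broken
    forwarder, a stopped agent, or an attacker silencing a log source."""
    seen = last_seen_by_host(lines)
    return sorted(h for h, ts in seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    head = seal_log(SAMPLE_LOG)
    print("chain head:", head)
    print("intact:", verify_log(SAMPLE_LOG, head))
    # Drop the failed login: a classic thing an intruder would want gone.
    print("after deletion:", verify_log(SAMPLE_LOG[:3] + SAMPLE_LOG[4:], head))
    now = datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)
    print("stale:", stale_sources(SAMPLE_LOG, now, timedelta(minutes=15)))
```

The chain only proves anything if the head leaves the host: an attacker with write access to both the lines and a locally stored head can simply recompute it. Anchoring the head in the SIEM, or in storage the host cannot modify, is what turns the chain into deletion and tamper detection.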
Always Have Multiple Backup Methods on Hand
Back up all of your critical assets so that the BCP’s recovery objectives can be met, and protect the backups properly with network-layer protection, strict access permissions, encryption at rest, and, if possible, multi-factor authentication (MFA). Don’t forget to test your offline backups to ensure they can be restored properly when needed.
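"Test that the backup restores" is easy to say and easy to skip. The example below, added here and not part of the original article, is a minimal restore test: a checksum manifest is taken from the live data at backup time, the backup is restored into a scratch directory, and every file is compared against the manifest so silent corruption or a missing file on the backup medium shows up before the day you actually need it. The file names and contents are constructed; the manifest itself is assumed to be kept apart from the backup medium (for example in the BCP documentation store), otherwise a corrupted medium could corrupt its own manifest.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Relative path -> SHA-256 for every file under source, taken at backup time."""
    return {
        str(p.relative_to(source)): sha256_file(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def restore_test(backup: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore the backup into restore_dir and compare it to the manifest.
    Returns {"ok": [...], "mismatch": [...], "missing": [...]} so the test
    can be wired into monitoring instead of read by eye."""
    if restore_dir.exists():
        shutil.rmtree(restore_dir)
    shutil.copytree(backup, restore_dir)  # stands in for the real restore procedure
    result = {"ok": [], "mismatch": [], "missing": []}
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.exists():
            result["missing"].append(rel)
        elif sha256_file(restored) != expected:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, then damage the backup copy
    (one file altered, one file lost) and run the restore test against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (live / "config.yaml").write_text("rto_hours: 4\nrpo_hours: 1\n")
        (live / "notes.txt").write_text("constructed sample file\n")

        manifest = build_manifest(live)          # taken while the data is known-good
        backup = root / "backup"
        shutil.copytree(live, backup)            # the backup job

        # Simulate what a restore test is meant to catch on the backup medium.
        (backup / "config.yaml").write_text("rto_hours: 4\nrpo_hours: 24\n")
        (backup / "notes.txt").unlink()

        return restore_test(backup, manifest, root / "restore")


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

A passing run should report every manifest entry under `ok`; anything under `mismatch` or `missing` means the backup cannot deliver the RPO the BCP promises, and that is the moment to find out, not during the incident.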
Implement a Number of Advanced Systems
Implement advanced cyber security systems such as XDR (Extended Detection and Response), SOAR (Security Orchestration, Automation, and Response), UBA (User Behavior Analysis), NBA (Network Anomaly Detection), and others to detect and respond to threats, as well as to centrally execute digital forensic activities.
Investigate Legal Implications Ahead of Time
In order to minimize legal ramifications for your company, you must research and document who your company needs to notify in the event of a major cyberattack or data breach, what needs to be reported, and when it needs to be reported.
Handling of the Press and Media
Create and define the company’s media statements, such as which announcements will be made, on what platform, at what stage of the incident, by whom, and whether dedicated training is required.
Build a Cyberattack-Ready Architecture
Build a cyberattack-ready architecture that properly contains the spread of malware deployed by threat actors within your network.