This week David rounded out his 2020 engagement with the College of Law's Centre for Legal Innovation and their Legalprenuers Lab with a webinar covering Incident Response and Insurance.
Once again, David was joined by WatchGuard's Matthew See for this webinar and offered an insight into the impact of cyber security incidents and what you can do to minimise the impact if your organisation is ever hit.
Cyber Incident Response
FortiTech recommend undertaking these 5 steps on the road to recovery after a cyber incident, whether that be caused by a phishing attack, malicious software or insider threats:
- Immediate Containment
- Assess the Incident
- Appropriate Notification
- Systems Recovery
- Post Incident Review
Lets cover these a bit more below:
Step 1 - Immediate containment
It's time to run through what you can do immediately to contain the incident
Let your IT team know
Whether your IT support team is internal or external, ringing them to let them know there is an issue should be your first step
Containment
Consider if there is a way you can contain the breach by unplugging a network cable or turning off the device if the incident is
on a single computer?
Change passwords if it is a phishing attempt
Currently, it is 19 minutes from loss of a password before it is used in an attack, so swift action is critical.
Convene your team
Suspicion of an incident is a trigger to initiate your Incident Response plan immediately and to convene your Incident Response team
to begin the process
Step 2 - Assess the incident
Gather the facts and evaluate the risks
What has been affected?
Gather evidence – create logs and other data to evaluate the impact
Where possible, take any immediate actions to limit further harm.
What other systems are involved?
Use your asset lists to track the impact
Don’t forget any cloud services too, they may also be affected
Even if you are unsure a system has been affected, treat it as if it has.
Has data been accessed / taken?
Confirm who had access to the data and how
Assess the potential harm to affected individuals
Step 3 – Appropriate Notification
Notify those who need to know
Bring up your communications plan
Follow your communications plan to ensure you have covered off the:
- Who
- What
- To Whom and
- Where
Internal Stakeholders
Notify internal stakeholders such as:
Board
Managers
Staff
External Stakeholders
Office of the Australian Information Commissioner (if required)
Your Insurance provider to start a claim
Any law enforcement and government departments (as required)
Those individuals affected by the incident (as required)
Communications Tip 
Only those responsible for communication for the incident should be providing any information to internal or external parties. This gives a single voice and protects the organisation from reputational damage.
Step 4 - Systems Recovery
Get things back up and running again
Remediate
Remediate any damage using appropriate post breach tools
Clean all systems suspected or likely to have been breached
Rebuild systems & recover dataRecover data from backups
Completely rebuild systems from scratch should they need that to ensure they are safe
Change credentialsDon’t forget, it takes on average 19 minutes from loss of a password before it is used in an attack
Implement multifactor authentication
Remove dormant accounts
Step 5 – Post Incident Review
Review the incident and consider what actions can be taken to prevent future incidents.
Adjust your policies
Review your policies to ensure they cover the breach and adjust as appropriate to ensure moving forward they are relevant.
Adjust your Procedures
Make sure existing procedures will mitigate any risks to business systems and data and implement new processes to ensure the business
will be protected from future incidents.
Educate your staffEducate staff on what went wrong, why it happened and what they can do to help prevent it in the future.
Having staff who can help protect your business increases the chance incidents are caught earlier and resolved with less damage and faster.
We have covered Cyber liability insurance in another of our blogs so we won't rehash it too much here, but it is safe to say that having a suitable policy for your organisation will make a significant difference to your rate of recovery should you be hit by a cyber incident, we recommend that you consider the following points when weighing up which policy is right for your business:
- Data loss and restoration including decontamination and recovery
- Business interruption loss due to a network security failure or attack, human errors, or programming errors. Incident response and investigation costs
- Delay, disruption, and acceleration costs from a business interruption event
- Crisis communications and reputational mitigation expenses
- Liability arising from failure to maintain confidentiality of data
- Liability arising from unauthorised use of your network
- Network or data extortion / blackmail (where insurable)
- Online media liability
- Regulatory investigations expenses
- Make sure your policy covers for both 1st party and 3rd party losses.
While responding to a cyber incident is certainly the last thing an organisation wants to be faced with it is essential to ensure you have the right processes and policies in place should it ever occur, we trust that this blog has been a stepping stone to educating our readers on what to do when faced with such a matter, for more on how to protect your organisation from cyber threats, why not check out the rest of David's previous Cyber Security talks held during 2020:
- Security Assessments and Technology Policy
- Passwords and Multifactor Authentication
- Protecting data for remote users
- Business continuity and backup
- Firewalls and next generation AV
- Detecting and Tracking Events
- Setting your practice up for success
- Patching and the Internet of Things (IoT)
- Dark Web Scanning and Security Awareness Training
- Email Antispam