If you are in business today, you worry about how you would uncover a security event: a change in the everyday operation of your network that IT notices. To be ready, every business needs a data security incident response plan (IRP), a written set of instructions that tells staff how to handle security violations or the failure of a security safeguard. If knowing what to include in your data security incident response plan isn’t a priority for you now, please read on to find out why you should make it one.
What makes up a security event?
There are several types of security events, and your IRP should define what a security event means for your organization. The following are a few examples of security events:
- Data theft (deleted files, locked files, etc.)
- Damage to data or change of data by unauthorized personnel
- Theft of IT equipment like computers, printers, storage devices, mobile devices, etc.
- Damage to physical IT devices
- Denial of Service attacks on the website(s)
- Network infections by malware
- Attempted unauthorized access to the network or attempts to steal authentication/passwords
- Unauthorized changes to software, hardware, or network configuration
- Intrusion detection and responses to such alarms
- Any other unusual system behavior
Who can identify security events?
Any number of people may become aware of a security event. Some of those who alert your IT team will be insiders with internal access; others, from outside the firm, may be the first to let you know of a problem. The following are a few examples:
- Your network intrusion detection system
- A department manager
- Your security manager
- Your system administrator
- Your help desk
- A firewall administrator
- A business partner
- A client, customer, law enforcement, or another outside source
What should the IRP do?
The written IRP should give your IT security event response team instructions on how to handle security breaches as they arise. Your organization should put in place policies and procedures that address IT data and information security, such as authentication protocols for access, password rules (minimum length, a required mix of letters, numbers, and special characters, and mandatory updates), intrusion detection and firewalls, property inventory and control, data inventory and control, anti-virus protection, and software/OS protection and updates.
You want policies and procedures for data backup and recovery in place before a security event occurs. For instance, does your firm still back up to discs, relying on staff to remember to do the task daily or weekly? If so, now is a good time to discuss whether you want to move to an automated backup system using virtual drives, which makes file and data recovery possible in a matter of minutes instead of days.
Step up training for IT professionals as well as staff.
All staff should become familiar with security protocols and policies. IT staff should receive more training in identifying intrusion events and how to handle them.
Establish an incident response team and distribute the incident response team contacts to all staff members, with contacts listed in order of importance.
It’s important to plan incident response procedures by brainstorming the types of incidents that could affect your systems. Discuss potential scenarios. Testing the incident response team monthly is critical so that when a cybercriminal compromises the network, your team knows exactly what to do.
Understand, too, that in today’s increasingly digital and connected world the question is “when” your network will face an intrusion, not “if”.
How does IT analyze and respond to an attack?
The following are key questions the response team must answer:
- Is it a real attack (as opposed to a potential threat) and, if so, what data is under attack?
- Is the data under attack critical data, and will the attack have a critical effect on the organization?
- Is the attack ongoing or complete?
- If IT responds, will the attacker be aware of the response?
- Does the attack need an emergency or critical response?
- Can the response team contain the attack so it does not spread?
Actions Going Forward
The IRP should list the actions IT can take to stop the infection, quarantine affected IT assets and access points, and close the ports through which the intrusion occurred to prevent re-infection. It should also contain instructions on patching systems, taking entire systems offline until staff can re-install them from backups created before the infection, and disabling unused systems so hackers cannot use them as access points.
It is equally important to document the intrusion, the response, and how effective the response was. Review the response to decide whether a new procedure would prevent a future security event. Determine whether staff correctly followed the procedure that is in place. Record the lessons learned from the experience and make them part of the response team’s file. Revise the procedures as required.