Since it’s almost certain that every organization will experience a cyber security incident at some time, you need to be well prepared in advance.
According to the 2013 Verizon Data Breach report, 22 organizations, mainly in manufacturing and professional services, with only one to 100 employees became victims of cyber espionage last year. And 23 firms, mainly in manufacturing, with 101 to 1,000 employees were also breached.
If you don’t have a Computer Incident Response Plan (CIRP), resolving an incident will be much more difficult for your company and much more expensive, because the longer you wait to eradicate a threat, the more time the intruders have to steal valuable information about you and your customers and to make fraudulent wire transfers from your bank accounts.
The most successful CIRPs have been validated by outside incident response security consultants who have reviewed the plan, watched you rehearse it thoroughly in “tabletop exercises,” and helped you revise it as needed.
A CIRP covers the handling of an incident from the moment it is noticed to the conclusion of the incident. Like a disaster recovery plan, a CIRP is a management function, which means that management should be part of the planning team that develops the plan. Management needs to work with IT to discuss the organization’s top concerns—such as payment systems, member data, and email access—to decide which systems are most critical to get back online first and which need double layers of protection.
To implement a CIRP, you will need an inventory of where every piece of technology equipment you own is located. You should also already have controls and policies in place to help prevent an incident. With the right preventive and detective controls in place, including continuous network monitoring, you can normally stop an incident in its tracks before it spreads to your most valuable servers.
Your CIRP should define what counts as “an incident” and categorize the possible incidents so that each category has its own action plan. For example, categories could include the following: malware, suspicious activity seen in monitoring logs and on the network, lost or stolen computers and equipment, hijacking of your domain, third-party vendor mistakes, spam, theft of intellectual property, intentional destruction of data, and hackers and espionage.