Security Incident Response 101 for SMBs
Sooner or later, every organization will experience a cybersecurity incident. Cyber incidents occur at businesses of all sizes every day. Having a plan in place is the best way to be prepared for them. Even a very simple plan is better than having nothing in place in the event of a security incident. In this blog post, we will explain the most basic steps in incident response.
What is Incident Response?
Incident response is the organized, strategic approach a business takes to detect and manage a cyber security incident in ways that minimize damage, recovery time and costs. A cyber security incident is generally defined as any security breach or cyber-attack targeted towards your organization. This plan serves as a guide and includes a step-by-step process for handling different types of security incidents. Here’s a list of the most common types of attacks that impact businesses:
- Ransomware
- Malware
- Phishing
- Adversary-in-the-Middle Attack
- Denial-of-Service (DoS) Attack
- Password Attack
- SQL Injection
- Brute Force
- Insider Threat
- Zero-Day Exploit
- Drive-by Download Attacks
- URL Manipulation
- Cryptojacking
The exact number of steps in your plan will vary depending on the size and type of business, but the goal is to limit the impact of a security incident. Below are three of those basic steps:
Identify: This is often the first step and explains how to properly recognize whether an actual cybersecurity incident has occurred.
Classify: This step aims to determine what systems or services are being affected because of the incident.
Respond: This step outlines how to contain the incident and what specific instructions are needed to restore operations.
In summary, the goals are to document the what, who, when, and how of the cyber incident. The first step of any cyber incident response is to report it to the appropriate members of your organization, regardless of how insignificant the issue may appear. Small incidents can become major issues if they are overlooked. Every employee plays an important role in responding to security incidents.
How to Create an Incident Response Plan
Creating an effective incident response plan takes planning and practice. Best practices include the following:
Develop a policy: A good incident response plan is a document and a guide that provides high-level incident-handling priorities, detection, investigation and containment procedures, recovery procedures, post-incident follow-up process, ongoing revisions and more. Every policy will differ from business to business.
Build an incident response team: All incident response plans need ‘people power’. Establish who will handle what responsibilities and ensure that those team members have adequate training.
Create playbooks: Document step-by-step instructions on what to do in specific scenarios.
Communication plan: Decide how your organization will communicate an incident, including to those outside your organization. Consider the impact an incident could have on customers, the media, or even law enforcement.
Quickly responding to security incidents and proactive planning are key to minimizing the damage, cost, and recovery time of a successful attack. Concerned about your ability to effectively respond to a cyber incident, or do you require assistance in creating an Incident Response Plan? Our team of vCIOs and vCISOs can assist!