4 Pitfalls To Avoid In Cyber Incident Response Planning

29 Jun 2022


Cyber-attacks of varying intensity and type occur every day, and their number continues to rise year on year. With a significant proportion of the global workforce (56 per cent) working remotely in 2021, the year was marked by a record-breaking upsurge of cyber-attacks. Specifically, corporate networks experienced 50 per cent more attacks weekly in 2021 than in 2020. At the peak of this growth in cybercriminal activity, an average organisation worldwide would have faced 925 cyber threats a week. Besides the widespread transition to remote working, the Apache Log4j vulnerability was also a significant contributor to the rise in cyber-attacks last year. Unfortunately, this upward trend in cybercrime is set to continue in 2022, if the numbers from the year’s first quarter are anything to go by.

More than just a scare, these dramatic figures are a serious reminder that organisations must take proactive and deliberate steps to improve their cybersecurity posture. And indispensable to this great effort is the development of a robust cyber incident response plan. Hence, we have briefly outlined below what a cyber incident response plan is exactly, what it entails, and the pitfalls to avoid when developing one such plan for your organisation.

A cyber incident response plan, defined

A cyber incident response plan is a comprehensive guideline that allows organisations to efficiently and effectively manage and mitigate a cyber incident, minimising the losses such an event would incur. Without a cyber incident response plan, organisations can only begin to work out an appropriate response after a cyber-attack has been detected, wasting valuable time and allowing attackers to cause further damage to their systems.

A cyber incident response plan must include all the necessary information to advise and direct an organisation and its cyber incident response team on how to react to an incident. With that said, it should include the following content:

● Criteria for the enterprise’s characterisation of an incident.

● Details of the personnel responsible for conducting forensics and analysis.

● Details of the personnel to contact and involve in the incident response procedures.

● Techniques used for evidence preservation and collection.

● Explicit procedures for service restoration.

● All the applicable legal and regulatory requirements.

Neglecting to include any of this vital information in one’s cyber incident response plan may lead to dire shortcomings in one’s efforts to combat cyber-attacks.

Common mistakes in cyber incident response planning

1. Investing too little in the development of a plan

It is a false economy to be parsimonious when channelling resources into making incident plans. The absence of a proper plan due to insufficient investment can ultimately lead to higher costs once an incident occurs and organisations must race against the clock to find reliable cybersecurity services in Singapore.

One key investment for an effective plan is having an incident response retainer with a reputable and certified cybersecurity firm from the very start. An incident response retainer is a service agreement that allows organisations to gain external assistance in managing cybersecurity incidents. It is a more cost-effective and prudent way to reduce the risks and losses of cyber-attacks. Through a retainer, organisations receive assistance in the form of not just preparing and planning for attacks, but also classifying, containing, and eliminating threats. Apart from establishing a beneficial long-term professional relationship, retainers also set clear standards and expectations of service for an organisation’s cybersecurity consultants and enable the organisation to act immediately when incidents arise.

Furthermore, it is advisable for companies to research which cybersecurity agencies best fit their needs for an incident response consultant. They should look out for a consultant who has proven experience in cyber incident response, is available 24/7 remotely or on-site and is able to cost-effectively fulfil their requirements.

2. Rushing to restore compromised systems as one’s response plan

It is natural for any company to want to immediately wipe and rebuild systems which are infected. After all, ensuring the smooth resumption of business operations is usually the top priority. However, erasing system data to eliminate malware is equivalent to destroying the evidence that cyber incident response teams need to do their jobs. By immediately shutting down infected devices, other important evidence, such as compromised files on the operating system (OS) and records of communication with attacker-controlled IP addresses, is also lost.

Therefore, a stronger response plan seeks first to fully understand the type of cyber threat faced and to preserve the necessary evidence, and only then to restore the impacted systems.

3. Lack of familiarity with one’s own environment

A clear understanding of one’s security protocols, defence tools, and cloud and on-premises environments is foundational to a successful incident response plan. In addition, an organisation must take the time to identify the sources of logging and digital evidence available in its environments, their retention periods, and the method by which each can be retrieved.

By documenting this critical information, organisations can readily share it with cybersecurity personnel at the right time and support incident investigation efforts, so that the nature of any given incident can be quickly classified. Insufficient knowledge or records about one’s technological environment slows down an investigation and raises its cost, since incident responders would have to track down such information themselves. This extra work adds to their fees and to the time attackers have to cause further system and operational disruption.
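The inventory described above can be kept as structured data and checked before an incident rather than during one. The following script is an added example, not code from the original post or from GROUP8: it records, for each evidence source, where it lives, how long it is retained and how it is retrieved, and flags the gaps a responder would hit on day one. The sample systems and the 90-day look-back requirement are constructed assumptions.

```python
# Evidence-source inventory check (added example, not from the original post).
# Records each log/evidence source with its retention period and retrieval
# method, then flags sources that cannot cover an assumed investigation
# look-back window or that have no documented way of being retrieved.
from dataclasses import dataclass
from typing import Dict, List

# Assumption: responders want at least 90 days of history available when
# an incident is first detected; adjust to your own requirement.
REQUIRED_LOOKBACK_DAYS = 90


@dataclass
class EvidenceSource:
    name: str            # what the source is, e.g. "Firewall syslog"
    location: str        # where it lives (on-prem SIEM, vendor cloud, ...)
    retention_days: int  # how long it is kept before rotation or deletion
    retrieval: str       # documented method to obtain it (empty = undocumented)
    owner: str           # team to contact to obtain it


# Constructed sample inventory (hypothetical systems, not real data)
INVENTORY: List[EvidenceSource] = [
    EvidenceSource("Firewall syslog", "on-prem SIEM", 180, "SIEM export", "netops"),
    EvidenceSource("Endpoint EDR telemetry", "vendor cloud", 30, "vendor console export", "secops"),
    EvidenceSource("Cloud audit trail", "cloud account", 400, "", "cloud team"),
    EvidenceSource("Mail server logs", "on-prem mail host", 14, "copy from /var/log", "it-ops"),
]


def short_retention(inv: List[EvidenceSource], lookback_days: int = REQUIRED_LOOKBACK_DAYS) -> List[str]:
    """Names of sources whose retention cannot cover the look-back window."""
    return [s.name for s in inv if s.retention_days < lookback_days]


def undocumented_retrieval(inv: List[EvidenceSource]) -> List[str]:
    """Names of sources with no documented retrieval method."""
    return [s.name for s in inv if not s.retrieval.strip()]


def readiness_report(inv: List[EvidenceSource], lookback_days: int = REQUIRED_LOOKBACK_DAYS) -> Dict[str, List[str]]:
    """Summarise the gaps an incident responder would run into on day one."""
    return {
        "short_retention": short_retention(inv, lookback_days),
        "undocumented_retrieval": undocumented_retrieval(inv),
    }


if __name__ == "__main__":
    for key, names in readiness_report(INVENTORY).items():
        print(f"{key}: {', '.join(names) or 'none'}")
```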

4. Failing to test back-ups

Back-ups are crucial for organisations to recover from cyber-attacks that involve data loss or data breaches, especially ransomware infections. Therefore, it is essential to inspect data back-ups periodically to ensure that they are intact and usable. In addition, organisations should regularly measure how long a complete system restore takes, to confirm that a swift recovery is feasible for any incident they may encounter.

If organisations use cloud computing or other third-party services as a secondary storage solution for their data, they may find it difficult to test this type of back-up directly. In this case, they should ensure that incident response is included in their contracts with the providers of such services. With the right type of agreement, they can overcome the challenges of protecting and accessing forensic images of their emails, servers and other data stored remotely.
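The periodic back-up test described in this section can be automated as a restore drill. The script below is an added example, not code from the original post or from GROUP8: it archives constructed sample data, restores it to a fresh directory, verifies every restored file against a SHA-256 manifest recorded at back-up time, and reports whether the restore finished within an assumed recovery time objective. The five-second RTO and the sample files are assumptions; a `tamper` flag simulates a silently corrupted back-up so the check's failure path can be exercised.

```python
# Back-up verification drill (added example, not from the original post):
# archive constructed data, restore it, check every file against a
# SHA-256 manifest, and time the restore against an assumed RTO.
import hashlib, tarfile, tempfile, time
from pathlib import Path

RTO_SECONDS = 5.0  # assumption: a restore must complete within this window

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and return {relative path: sha256} recorded at back-up time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest

def restore_and_verify(archive: Path, dest: Path, manifest: dict) -> dict:
    """Restore the archive to dest; report hash mismatches and elapsed time."""
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest)  # constructed archive containing only our own files
    elapsed = time.monotonic() - start
    bad = [rel for rel, digest in manifest.items()
           if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]
    return {"mismatched": bad, "elapsed": elapsed, "within_rto": elapsed <= RTO_SECONDS}

def run_drill(tamper: bool = False) -> dict:
    """Run the drill on constructed data; tamper=True simulates a corrupt back-up."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, archive = Path(tmp, "src"), Path(tmp, "restore"), Path(tmp, "bk.tgz")
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1);\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = make_backup(src, archive)
        if tamper:  # the stored digest no longer matches what gets restored
            manifest["config.ini"] = "0" * 64
        return restore_and_verify(archive, dest, manifest)
```

In a real drill the manifest would be written alongside the archive when the back-up is taken, and `run_drill` would point at a production back-up restored to an isolated host rather than at constructed files.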

Conclusion

As malicious online activities continue to increase and become more sophisticated, organisations worldwide must do more to stay ahead of the threats and protect their assets and operations. To start, they should develop an effective cyber incident response plan and organise a capable cyber incident response team.

At GROUP8, we know how crucial it is to have a strong cybersecurity system in today’s digital age. To ensure modern organisations can safeguard their critical assets and be in control, we offer offensive-inspired defence solutions which cover the entire cybersecurity ecosystem, including phishing detection services, web application vulnerability scanning, CREST-certified pen test in Singapore, and many more. If you are looking for a trusted and industry-leading cybersecurity service provider, do email us at hello@group8.co.