Cyber security incidents
All firms are targets for cyberattack, with organised criminal gangs using automated means to search, indiscriminately, for vulnerabilities. Firms have a responsibility to increase their cybersecurity and business resilience.
The starting point is a proper cyber risk assessment of the vulnerabilities in your policies, technology and people. The appropriate steps must then be taken to address them.
Firms should make themselves aware of the type of attacks which are taking place. They should of course prepare to defend themselves against them. But they must also prepare their emergency response arrangements to deal with a breach. This is why an incident response plan is such an important aspect of business resilience planning.
Common attacks include:
- Credential phishing attacks on employees which, if successful, typically lead to email account takeover.
- Attempts to gain unauthorised access to computer systems via staff remotely accessing company information.
- Virus, ransomware or other security attacks on IT equipment, systems or networks.
- Insider fraud where staff have access to confidential and commercial information.
- Denial of service attacks where critical web services are taken out of action and a ransom demanded.
Incident preparation and emergency response team
When you suffer an incident, you cannot afford to ‘wing it’. If you are not prepared, the potential for loss and disruption is increased.
Identify the critical services, data locations and third parties you rely upon. Consider the impact of losing them. How would you continue to operate? What would be your short-term ‘workarounds’? Speed and effectiveness of communications with the people and organisations most affected is crucial. What communications may be required, and to whom?
Create an incident response team proportionate to the size and complexity of your firm (it may be one person). They will be responsible for coordinating damage limitation and incident investigation.
The team should complete the following actions in preparation for incidents:
1) Define the roles and responsibilities of team members.
2) Detail actions based on each type of incident such as a virus, hacker intrusion, data theft, system destruction, etc.
3) Review backup and recovery procedures.
4) Establish response guidelines by considering and discussing possible scenarios with employees.
Establish an emergency contact procedure. There should be one contact list with names listed by contact priority. Test the process to ensure it is effective.
If an incident occurs, you may need specialist help. Identify who that will be. Mitigo has been appointed as strategic security partner for a number of regulatory and professional bodies, including: the Law Society of England & Wales, the Law Society of Scotland, Personal Investment Management & Financial Advice Association, the Royal Institute of British Architects, Paradigm, Care England, and others.
Incident response
Here are some of the matters which must be addressed:
Please note this is not intended as a step-by-step user guide. If you suffer a breach, you should seek specialist advice.
Identification: verify whether an event is a security incident. A rapid triage is needed to understand what has happened and to filter out false positives.
Containment: isolate affected systems to prevent further damage (note that the machine displaying the symptom may, for example, be only the tip of the iceberg). This is a critical step which is almost always dealt with incorrectly. You must understand how the different types of attack happen in order to know how and what to isolate.
Elimination: find the source / root cause of the incident, to ensure it is removed from affected systems. You must prove that the attack has ended, and that any malicious software and connections have been removed. This needs to be done by someone with the right cybersecurity experience, otherwise two serious things frequently happen. First, the criminals are still in your system and accessing your data. Second, you will lose the footprint showing where the criminals have been and what data they have taken.
NB Ransom demands: if you are faced with a ransom demand, you should seek specialist help.
Categorisation and reporting: you must determine exactly what data or assets have been accessed or stolen. All breaches should be recorded. Review whether the matter should be reported to any of the ICO, your regulators, your bank, the police, your clients, your employees, your insurers and anyone else who may be affected. Revisit this as further information emerges.
Recovery: allow the affected systems back into normal operation after ensuring no threat remains. Ensure that increased monitoring and vigilance are in place.
Lessons learned: complete a post incident review to learn from the incident and improve future defences and response efforts.
Mitigo is a cyber security company – providing professional services firms with cyber risk management services. For more guidance on increasing your security and business resilience, you can call us on 0161 711 0201 or email info@mitigogroup.com