Understanding Cyber Incidents And How To Respond

The scariest thing about a cyber attack on a business is that often employees and owners have no idea they’ve been breached until an outside party (a credit card brand, Federal investigators, or even consumers) brings it to their attention.

There are two types of incidents: suspected and confirmed. A suspected incident is tracked as an event; an event is elevated to an incident once it is confirmed.

When dealing with either one, advance preparation is critical to minimize the impact. Assigning key roles, developing a plan and educating employees are all steps to take before you need to respond to a breach.

Once there is an incident, or a breach, to respond to, you’ll need to verify that it actually occurred and identify what type of incident it is.

An incident may be:

  • a violation of security policies and standards
  • unauthorized access
  • loss of information confidentiality
  • loss of information availability
  • compromise of information integrity
  • a denial of service condition against data, network or computer
  • misuse of service, systems or information
  • physical or logical damage to systems
  • social engineering
  • propagation of malicious code (viruses)

Upon verification that a data breach has occurred, an Incident Manager should be notified or assigned. The Incident Manager’s first two actions are to invoke the organization’s Incident Response plan (if you are thinking as you read this that you do NOT have a plan, contact us today for help getting one pulled together) and to assemble the Incident Response Team. An Incident Response Team should include the key internal staff members needed to deal with the breach, legal counsel, a cybersecurity firm with incident response experience, and a crisis communications firm to assist with internal and external communication and notification.

The Incident Manager and the team will take the following steps (detailed processes associated with these steps should be contained in your Data Breach / Incident Response plan):

  1. Contain the breach and identify the severity and impact to the business.
  2. Notify and coordinate with the organization’s legal representation in order to ensure the organization’s legal concerns and requirements are met.
  3. The Incident Response Team will collect and safeguard information from compromised computers, capturing volatile data (memory, running processes, network connections) before a system is powered down or rebuilt. Evidence media and printouts need to be created, hashed at the time of acquisition, and securely stored using chain of custody procedures and documentation.
  4. Communications regarding the incident, whether to employees or to external parties, will be coordinated by the Incident Manager in conjunction with the organization’s leadership, legal representation and a crisis communications firm. It is critical that communications be controlled and subject to legal oversight in order to ensure accuracy and compliance with applicable notification laws.
  5. Affected systems and devices will need to be restored by eradicating the threat and restoring them to a safe operational status. Eradication and clean-up activity must be documented and chain of custody logs must be maintained.
  6. Upon completion, the Incident Manager will ensure the organization’s leadership is debriefed on the incident. The debriefing will also include recommended process improvements to prevent and deter similar incidents from happening again.
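Step 3 above is the one that tends to fail in practice: evidence is copied around with no record of who held it, and nobody can later prove it was not altered. The following is an added example, written for this page and not Sera-Brynn’s code, of a minimal chain of custody ledger: each evidence item is hashed with SHA-256 at acquisition, every hand-off is recorded and must come from the current custodian, and a verification step recomputes the hash and logs whether it still matches. The host name, evidence IDs, handler names and the file contents in `demo()` are constructed sample data.

```python
"""Evidence intake and chain-of-custody ledger (added example, not Sera-Brynn's code)."""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte disk or memory image never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # UTC ISO-8601, recorded when the entry is written
    action: str      # "collected", "transferred" or "verified"
    handler: str     # person or location now responsible for the item
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source_host: str
    path: str
    sha256: str      # hash taken at acquisition; never updated afterwards
    entries: List[CustodyEntry] = field(default_factory=list)


class ChainOfCustody:
    """In-memory ledger; persist the output of to_json() to write-once storage."""

    def __init__(self) -> None:
        self.items: Dict[str, EvidenceItem] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def collect(self, item_id: str, description: str, source_host: str,
                path: Path, handler: str) -> EvidenceItem:
        """Register an item and record its acquisition hash and first custodian."""
        item = EvidenceItem(item_id, description, source_host, str(path), sha256_file(path))
        item.entries.append(CustodyEntry(self._now(), "collected", handler,
                                         "SHA-256 recorded at acquisition"))
        self.items[item_id] = item
        return item

    def transfer(self, item_id: str, from_handler: str, to_handler: str, note: str = "") -> None:
        """Hand off custody; refuse if the releasing party is not the current custodian."""
        item = self.items[item_id]
        current = item.entries[-1].handler
        if current != from_handler:
            raise ValueError(f"{item_id}: custody is with {current!r}, not {from_handler!r}")
        item.entries.append(CustodyEntry(self._now(), "transferred", to_handler, note))

    def verify(self, item_id: str, handler: str) -> bool:
        """Recompute the hash and log the result; a mismatch is recorded, not hidden."""
        item = self.items[item_id]
        current = sha256_file(Path(item.path))
        ok = current == item.sha256
        item.entries.append(CustodyEntry(self._now(), "verified", handler,
                                         "hash matches" if ok else f"HASH MISMATCH {current}"))
        return ok

    def to_json(self) -> str:
        return json.dumps({k: asdict(v) for k, v in self.items.items()}, indent=2)


def demo() -> dict:
    """Constructed walk-through: collect, hand off, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "ws-042-memory.raw"
        image.write_bytes(b"\x00" * 4096 + b"constructed sample memory capture")
        ledger = ChainOfCustody()
        ledger.collect("E-001", "Memory capture of WS-042", "WS-042", image, "J. Doe (IR)")
        ledger.transfer("E-001", "J. Doe (IR)", "Evidence locker", "sealed bag #17")
        before = ledger.verify("E-001", "A. Roe (Forensics)")
        image.write_bytes(b"tampered")              # simulate an altered image
        after = ledger.verify("E-001", "A. Roe (Forensics)")
        return {"before_tamper": before, "after_tamper": after,
                "entries": len(ledger.items["E-001"].entries), "ledger": ledger.to_json()}


if __name__ == "__main__":
    print(demo()["ledger"])
```

The two design points worth carrying into a real procedure are that the acquisition hash is written once and never updated, so a later mismatch is always visible, and that a transfer is rejected unless it is released by whoever the ledger says currently holds the item, which is what makes the chain unbroken rather than merely a list of names.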

Need help responding to a data breach, or creating an Incident Response Plan and a team? Contact Sera-Brynn at 757-243-1257.