Monday, November 25, 2024

It is time to put your new Covid-19 incident response plans into practice

  • An incident response plan helps ensure an orderly, defensible and effective response to all kinds of hacking or cybersecurity incidents, which in turn can help protect an organisation’s data, reputation and revenue recovery.
  • Appropriate investment needs to be made in solutions that provide real-time, end-to-end visibility of the network. 
  • Organisations should look to bolster their collective skills and expertise by providing additional training to those working remotely.

Work-from-anywhere has gone from a less-than-commonplace benefit to a completely ubiquitous business practice.

While this has allowed for business continuity, it brings with it a new host of challenges and concerns, perhaps the most pressing of which is cybersecurity.

As part of the necessary adaptations to bolster cybersecurity surrounding work-from-anywhere, businesses are re-evaluating and implementing new incident response (IR) plans in the event of a cybersecurity breach, be it from cybercrime or a state-level cyberattack.

Rawad Sarieddine, Vice-President for the Middle East, Turkey and Africa at CrowdStrike.

While it is a good sign that most businesses do have plans in place in the event of a breach, putting them into action and reacting in real-time is a separate issue entirely. 

This is all the more pressing in the current climate where many of these IR plans for work-from-anywhere are yet to be tested. 

For business leaders looking to ensure that their IR plans are more than just rhetoric and that their cybersecurity is ready for the demands of today’s climate, these concerns can be addressed with three questions: Am I already breached and unaware? How mature is my cybersecurity programme? Where can I improve: am I ready to prevent, respond and mitigate quickly enough to stop an incident from impacting my business or operation?

By measuring and testing your IR plans – as well as your wider security policies – against three benchmarks, businesses can quickly determine their preparedness, their ability to scale and mature, and what practices are in place for businesses to adapt existing plans to cover the ever-evolving threat landscape.

What is incident response?

It may be worth briefly defining what we mean by incident response. IR is the systematic approach taken by an enterprise to prepare for, detect, contain and recover from a suspected cybersecurity breach.

An incident response plan helps ensure an orderly, defensible and effective response to all kinds of hacking or cybersecurity incidents, which in turn can help protect an organisation’s data, reputation and revenue recovery.

While this may sound dramatic, how an organisation responds to an incident can make a significant difference in the damage caused by a breach. It is never desirable to be the victim of a cyberattack, but the effects of an incident can be made significantly worse if an organisation fails to take appropriate steps to detect, investigate and remediate it quickly. 

For instance, they may find themselves vulnerable to employee or shareholder lawsuits or penalties from regulators. They may also find that their insurance company will not accept their claim if they did not take certain predetermined steps. 

This is complicated by the fact that work-from-anywhere has changed the networking environment – so businesses need to know how this affects their IR plans in detail.

Put your IR plan in place

The first step to any good IR is having wide visibility. This is imperative with work-from-anywhere, as it is likely that personal devices are connecting to corporate services. End-to-end visibility across the network addresses this.

Covering all types of devices across the entire network and off it will reduce blind spots and provide the best context for all online activity. From this view, anomalous activity can be identified quickly and from here your IR plan can be better deployed.

The next step is to quickly identify the scope of the intrusion. Here the IR team assesses the situation by interviewing key stakeholders to gain real-time visibility into the targeted organisation’s network, devices and workloads. 

This gives the IR team insights into the techniques being used by the attacker and helps them identify other potential vulnerabilities in case the attackers have multiple aims, or might not be alone – or might not be finished.

From here, the IR team will closely monitor and restrict activity to prevent any further damage. As part of this containment, IR teams should preserve evidence of the breach so that it can be understood later on.

Finally, the team should investigate, documenting their findings to provide an overall view of the incident. This should encompass questions like: who is the attacker, what is their goal, when did they breach the network and how widespread is the damage?

It’s important to note that an IR plan’s value doesn’t end when an incident is over; it continues to provide support for successful litigation, audit documentation and historical knowledge to feed into the risk assessment process and improve the incident response process itself.

How mature is my security programme?

Now that we’ve established what an IR plan should look like, businesses can ask how mature their security strategy is. 

The first way to establish this is by reviewing what skills and expertise your organisation has in terms of cybersecurity, forensics and operations. These skills and expertise also need to be compared against the technology and tools in place. 

Appropriate investment needs to be made in solutions that provide real-time, end-to-end visibility of the network. 

For today’s networks that need to support work-from-anywhere, these technologies need even more careful consideration. Data is no longer contained in one place to defend.

Whereas traditional networks are designed to protect assets and devices that are located within the network, the challenge of supporting work-from-anywhere is that devices exist outside the corporate network. Instead of having the protection of the corporate firewall, employees connecting from home will be more exposed to malicious actors, who have a greater attack surface on which to pursue their objectives.

This has been made abundantly clear by the success of relatively primitive phishing attacks using Covid-19 themed lures to attract victims into executing malware on their devices.

With these considerations in mind, organisations should look to bolster their collective skills and expertise by providing additional training to those working remotely. 

This should cover basic skills like avoiding insecure public Wi-Fi and keeping work data to work devices, as well as more advanced considerations like encryption. New technologies may also prove of use in allowing for end-to-end visibility while working from remote locations.

Am I ready to properly mitigate risk? 

Whether your organisation is truly ready to mitigate risk can’t be answered with a simple yes/no. Evaluating the effectiveness of IR strategies needs a holistic look at the wider organisation to see how mature the components of the business are and how well they can work together.

That being said, the best way to position yourself to mitigate risk is by finding the weaknesses in the security framework and building them up. 

Vulnerabilities in just a few locations, or just a few employees without the right skills, can be detrimental and leave the organisation at risk.

While organisations hope that they never need to put their IR plans into practice, should the day come they will be glad that they’ve prepared so that their training and preparedness make a molehill of action out of the mountain of risk looming above.

  • Rawad Sarieddine is the Vice-President for the Middle East, Turkey and Africa at CrowdStrike.
