Cyber Security Newsletter: The Incident Response Plan
Having an Incident Response Plan (IRP) is important for any business. You need a plan for dealing with major incidents (like ransomware) before they happen. Making it up as you go along is a great way to ensure that you make mistakes.
In many cases, most of the effort goes into getting everything back to normal. Think of a break-in: afterwards, most of the recovery effort goes into fixing the damage, finding out what was taken, and restoring normal operations. Once things are back to normal, everyone forgets that anything happened.
While it's fine to make sure the overall impact is minimized, don't overlook the most important reason for all this work in the first place: someone broke in, and you need to keep it from happening again. For a physical break-in you locate the point of entry and find ways of addressing or mitigating it (alarm systems, cameras, reinforced glass, bars, etc.). Along the way you may find other weaknesses, in which case adding several new defenses at the same time is a good idea. You need to treat your computers in exactly the same way: find the point of entry, close it, and fix the other weaknesses you discover along the way.
Think about a ransomware infection (currently one of the most common forms of attack). Having a strategy in your organization that specifically covers ransomware is a good idea. I've done multiple newsletters on ransomware so I won't go into detail but your defenses should include (at a minimum):
- backups (kept offline or otherwise isolated, so ransomware that reaches your network can't encrypt them too),
- periodic verification of backup integrity,
- periodic testing of backup restore procedures,
- anti-malware software, and
- ransomware detection software.
Anti-malware software and ransomware detection software can be one and the same. However, it's worth mentioning that not all anti-malware products include generic ransomware behavior detection (spotting a process that is rapidly rewriting and renaming files, rather than matching a known malware sample). Having an official plan also means making sure that someone is responsible for completing these tasks on a regular basis.
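To make "generic ransomware behavior detection" concrete, here is an added example (not code from the newsletter or from any vendor's product) of the kind of heuristic such a feature applies. It runs over a small set of constructed file-system events (the event format, the process IDs, the paths and the `detect_ransomware` function are all this example's own assumptions) and flags a process that, within a short window, rewrites several files with high-entropy (encrypted-looking) content and renames them to one new extension. Requiring both signals is what keeps a backup job copying compressed archives from being flagged.

```python
from __future__ import annotations
import hashlib
import math
from collections import Counter, defaultdict
from pathlib import PurePosixPath


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random(seed: str, size: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed sample data)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def detect_ransomware(events, window=10.0, min_files=5, entropy_threshold=7.0):
    """Return {pid: reason} for processes that, within `window` seconds, both wrote
    high-entropy content to at least `min_files` distinct files and renamed at least
    `min_files` files to one common new extension.  Hypothetical detector for illustration."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["t"])
        for i in range(len(evs)):          # slide a window starting at each event
            hi_entropy_files = set()
            new_exts = Counter()
            for ev in evs[i:]:
                if ev["t"] - evs[i]["t"] > window:
                    break
                if ev["op"] == "write" and shannon_entropy(ev["data"]) >= entropy_threshold:
                    hi_entropy_files.add(ev["path"])
                elif ev["op"] == "rename":
                    old = PurePosixPath(ev["path"]).suffix
                    new = PurePosixPath(ev["new_path"]).suffix
                    if new and new != old:   # only count renames that change the extension
                        new_exts[new] += 1
            if len(hi_entropy_files) >= min_files and new_exts:
                ext, count = new_exts.most_common(1)[0]
                if count >= min_files:
                    alerts[pid] = (f"{len(hi_entropy_files)} high-entropy rewrites and "
                                   f"{count} renames to '{ext}' within {window:g}s")
                    break
    return alerts


def sample_events():
    """Constructed telemetry, not captured from a real system."""
    events = []
    docs = [f"/home/alice/docs/file{i}.docx" for i in range(6)]
    # pid 4242: encrypt-then-rename loop typical of ransomware
    for i, p in enumerate(docs):
        events.append({"t": 100.0 + i * 0.5, "pid": 4242, "op": "write", "path": p, "data": pseudo_random(p)})
        events.append({"t": 100.2 + i * 0.5, "pid": 4242, "op": "rename", "path": p, "new_path": p + ".locked"})
    # pid 2002: nightly backup copying compressed archives: high entropy, but no renames
    for i in range(6):
        events.append({"t": 200.0 + i, "pid": 2002, "op": "write",
                       "path": f"/backup/archive{i}.zip", "data": pseudo_random(f"zip{i}")})
    # pid 1001: a user saving a spreadsheet and renaming a draft (same extension)
    events.append({"t": 300.0, "pid": 1001, "op": "write", "path": "/home/alice/budget.csv",
                   "data": b"id,amount\n1,100\n2,250\n" * 40})
    events.append({"t": 301.0, "pid": 1001, "op": "rename", "path": "/home/alice/draft.txt",
                   "new_path": "/home/alice/final.txt"})
    return events


if __name__ == "__main__":
    for pid, reason in detect_ransomware(sample_events()).items():
        print(f"ALERT pid {pid}: {reason}")
```

Only the encrypt-and-rename process is reported; the backup job and the ordinary user activity are not. Real products use more signals (honeypot files, known-bad extensions, shadow-copy deletion), but the idea is the same: behavior, not signatures.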
In addition to your defenses, your strategy also needs to cover dealing with an actual ransomware infection. Never assume your defenses are perfect and such a thing could never happen. Verifying backups and testing restore procedures exist precisely because no one's defenses are perfect. So what else do you need to do?
If you get infected with ransomware (or a virus, or get hacked, etc.), you need to figure out how it happened so you can keep it from happening again. That means tracing the attack back to its very beginning, just like a physical break-in.
If someone breaks one of your windows, climbs inside and steals a bunch of stuff, you don't simply fix the broken window and hope/pray that it never happens again. So don't take this approach with your cybersecurity. Investigate the chain of events that allowed the breach (was it a phishing email, an exposed remote access service, a missing patch?) and do what you can to prevent a recurrence. It really is the most important part of the whole process.
Not learning from your mistakes can be summarized by listening to Macbeth when he says “It is a tale; Full of sound and fury, signifying nothing”.
If you have any questions about Incident Response Plans, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.