This is the last post of our series on how small organizations should prepare themselves against cyber incidents. We discussed the first two phases, so let's jump to the third phase, which is about preparing. Prepare in this context means building your capability to respond to a security incident and get back to business.
As a reminder, here are the 3 phases:
Now, let's focus on prepare. This phase is crucial, since no matter how well protected you are, your organization can (I hope not) always become the victim of a cyber-attack. Therefore, making sure that you are well prepared to respond to an incident and reduce the time needed to get back to a normal situation will drastically enhance your security posture and reduce the impact of such an event.
As you have probably understood, in this phase we need to make sure that we have backups and a crisis plan, so that in case of an incident the right people are involved at the right moment and we recover the systems as soon as possible.
Backup
Managing backups is often considered a daunting task, costly and unnecessary during normal operations. However, once you experience a security incident you will quickly realize that your investment was worth it and that it will help you get your business back in order. This is especially true nowadays, when ransomware can encrypt your systems and hold your data for ransom.
So, what are the most important aspects in this domain?
- Perform regular and automated backups of your systems; whether on a daily or a weekly basis depends on the risk you are willing to take (i.e. would it be acceptable to lose one week of data if you need to restore a week-old backup?). Obviously, a different schedule/frequency should be considered based on the business criticality of each system.
- As much as possible, store your backups on an offline device, meaning one that is not reachable over the network (back in the day, tapes were a good option for that), to ensure that your backups will not be compromised by the same security incident.
- Monitor your backups: nothing is worse than trying to restore a backup and discovering that the process has been failing for the last 6 months and that you are not able to recover as expected.
- This leads to the last point: test the restore. Write a clear procedure (or, if needed, one procedure per system) and test it on a regular basis. During a security incident people often run around like headless chickens, so having a well-known and tested procedure will reduce the pressure and the time needed to get back to business.
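To make the last two points concrete, here is an added example (not code from the original post) of the kind of automated check a small organization can schedule: it flags a newest backup older than the data-loss window you accept, then performs a test restore into a scratch directory and compares every file against a manifest of SHA-256 digests. The tar-plus-sidecar-manifest layout and the sample files are assumptions constructed for the example, not any particular backup tool's format.

```python
import hashlib, json, os, tarfile, tempfile, time

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_sample_backup(backup_dir, files, mtime):
    # Constructed sample: archive {name: bytes} plus a sidecar manifest of
    # SHA-256 digests; the layout is an assumption, not a real backup tool's.
    src = tempfile.mkdtemp()
    manifest = {}
    for name, data in files.items():
        with open(os.path.join(src, name), "wb") as f:
            f.write(data)
        manifest[name] = sha256_of(os.path.join(src, name))
    archive = os.path.join(backup_dir, "backup-%d.tar.gz" % int(mtime))
    with tarfile.open(archive, "w:gz") as tar:
        for name in files:
            tar.add(os.path.join(src, name), arcname=name)
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    os.utime(archive, (mtime, mtime))  # backdate so freshness can be tested
    return archive

def check_backups(backup_dir, max_age_hours, now=None):
    # Freshness: is the newest archive within the data-loss window you accept?
    # Restore test: unpack it into a scratch directory and compare every file
    # against the manifest, so a silently failing job is caught before you need it.
    now = time.time() if now is None else now
    archives = [os.path.join(backup_dir, n) for n in os.listdir(backup_dir)
                if n.endswith(".tar.gz")]
    if not archives:
        return {"fresh": False, "restore_ok": False, "reason": "no backups found"}
    newest = max(archives, key=os.path.getmtime)
    age_h = (now - os.path.getmtime(newest)) / 3600
    result = {"archive": newest, "age_hours": round(age_h, 1),
              "fresh": age_h <= max_age_hours}
    with open(newest + ".manifest.json") as f:
        manifest = json.load(f)
    dest = tempfile.mkdtemp()  # scratch location, never the live system
    with tarfile.open(newest, "r:gz") as tar:
        tar.extractall(dest)
    result["mismatches"] = [n for n, d in manifest.items()
                            if not os.path.isfile(os.path.join(dest, n))
                            or sha256_of(os.path.join(dest, n)) != d]
    result["restore_ok"] = not result["mismatches"]
    return result
```

Run `check_backups(backup_dir, max_age_hours=7 * 24)` from a scheduled job and alert on `fresh` or `restore_ok` being false; a weekly window matches the "lose one week of data" risk discussed above.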
Crisis plan
To manage an incident efficiently, considering the stress level that comes with such an event, you had better prepare a crisis plan. This plan consists of knowing, before such an event occurs, the roles and responsibilities of the different people who should be involved (mainly IT staff), including those from third parties.
So, what should you prepare in your crisis plan?
- Identify who in the organization will take the lead in such circumstances;
- Have contact information for IT staff and third parties;
- List the external contacts who could help your organization (e.g. insurance, security consultants);
- Understand your obligations in case of a data breach and the contact details of the authorities that must be informed;
- Eventually, a communication plan towards your customers.
Conclusion
As promised in the first article of this series, the goal was to provide you with the basic actions for addressing the most common threats and vulnerabilities and for setting up the foundation to increase the security posture of your organization. To paraphrase that statement, I would say that you should consider this series as a kind of checklist for laying the foundations of securing your organization. Obviously this is not exhaustive and it doesn't cover in detail everything you need to do, but if you take the time to reflect on each point discussed you will probably find what needs to be done and be able to choose your battles.
Don't forget that security incidents don't only happen to others and that, especially for a small organization, a security incident can have a huge impact on the future of your organization. And in case of doubt, you will always find a security partner willing to help.