How should you respond to a cyber incident?
No business or organization can be 100% certain it won’t be hacked. That's why every business should have an incident response plan that lays down what should be done in case of an incident.
This past year, 56% of Belgian businesses were confronted with one or more forms of cybercrime. It's not a question of if but when your business will have to deal with a cyber incident.
Good preparation, in the form of an incident response plan, can help limit the impact of an incident.
Draw up a plan
- An incident response plan describes all the activities that are needed to run an organization, and the IT infrastructure required for those activities.
- You must make an inventory of all devices, applications, databases, network connections, servers and security devices. A clear network diagram will help you act quickly during an incident.
- On the basis of this inventory, you can immediately carry out a risk analysis. What infrastructure is indispensable for your business operations and what is less essential? In case of an incident, the restoration of essential infrastructure will of course take priority.
Set up a team
The incident response plan also describes the team that will handle the incident. Define who will be the internal contact person for cybersecurity incidents, and how that person can be reached (also designate a back-up for the holiday periods).
The plan indicates who in the company is responsible for repairing the infrastructure. If you work with external partners, their contact details should also be in the plan.
The incident response team should have adequate tools. Even if the company network fails completely, the team should be able to get started.
So, provide back-up systems (laptops) which they can use, with all the information and procedures the team will need to do their work.
Get external assistance
In case of a cybersecurity incident, it’s understandable that you want to get your infrastructure up and running as quickly as possible.
However, it is important that no traces are lost that could lead to the culprits. It’s not a good idea to quickly pull the plug on all your systems. It’s also a bad idea to restore a system from a back-up unless you’re sure that the back-up itself is not infected.
So, it's better to get help from external partners with experience in cybersecurity incidents.
They will work in a forensic way so that all the evidence is preserved. What’s more, they have tools for locating evidence that your company may not have.
- Once the investigation is complete, you can remove the remaining threats and close all the vulnerabilities that the hackers exploited. For this too, you sometimes need external help.
- Once you are sure that all malicious code has been removed, you can restore the systems to their normal condition and recover any data that was lost.
- Depending on the nature and scale of the breach, this can be a complex and time-consuming process. It isn’t possible to define the exact procedure in advance but, thanks to the incident response plan, the priorities are already established.