Is your organization prepared to handle a cybersecurity attack? Many security experts agree that it is not a matter of if but when a company will experience a cyber incident. Developing an incident response plan is crucial to helping your organization respond to and recover from an attack. An incident response plan outlines the specific procedures and steps to take so that a breach has minimal impact. The common steps in an incident response plan are prepare, identify, contain, eradicate, recover, and follow up.

Response

  1. Preparation/Prevention: The first step to responding is having measures in place ahead of time that help prevent an attack and detect one quickly.
    • Antivirus, antispam, and antimalware software that scans regularly helps block attacks and identify them.
    • Back up data regularly. This is especially important when you are dealing with ransomware.
    • Keep all software and systems updated so that they are harder to compromise.
    • Educate employees on cybersecurity awareness. Phishing is a common cause of security breaches.
    • Assign team members roles so that everyone knows their responsibilities.
  2. Identify: This stage involves monitoring, detecting, alerting, and reporting any suspicious activity. Once you are aware of a breach, time is critical in determining its source.
  3. Contain: To minimize impact, disconnect the source of the attack from the network to keep it from spreading to other devices.
  4. Eradicate: Ensure all traces of the problem are gone and eliminate what led to the incident.

Recovery

  5. Recovery: This may include replacing hardware, updating security practices, or releasing a public statement. Identify and prioritize any other vulnerabilities in the organization’s security.

  6. Follow-up: What went well and what didn’t? Reflect on what you have learned from this incident, keeping logs with details such as times, data compromised, and location.

Ransomware

When dealing specifically with ransomware, refer to these steps summarized in our blog, “How to Save Your Business from a Ransomware Attack.”

  1. Determine and disconnect the infected device.
  2. Determine if a decryptor is available. There are resources that can decrypt your data for you.
  3. Restore files from regular backups.
  4. Report the attack to the Internet Crime Complaint Center (IC3).
  5. Do not pay the ransom. There is no guarantee the cybercriminals will give you a decryption key.

Overall, having an incident response plan that works for your organization is essential. Track every step of the process and improve it whenever possible.