Every day the media come up with news about cyber attacks, data leaks or ICT malfunctions caused by suspected cyber attacks. It turns out that organizations are often poorly prepared for such a cyber incident. This is unwise, because such incidents can cause enormous disruptions. Today, any organization can fall victim to a cyber attack due to exploited vulnerabilities in its own network or in those of software vendors. These are usually not specifically targeted at your organization, but in some cases the attacks do target a specific organization.
Prevention is always better, of course, but practice has shown that the threat is so varied in nature that as an organization you would do well to be prepared across the board for all possible scenarios. As a director or CEO, how do you ensure that your organization is well prepared for a cybersecurity incident? By developing an Incident Response strategy and plan.
What is Incident Response?
Incident Response is the process an organization uses to deal with an IT Security incident and its consequences. Four fundamental steps of Incident Response are:
- Step 1: Setting up technical preparation
- Step 2: Forming an Incident Response Team
- Step 3: Create Incident Response Plan
- Step 4: Training, practicing and learning
Step 1: Setting up technical preparation
In Incident Response, technical preparations are the starting point. For example, to reconstruct a forensic trail (digital trail) of an incident, log files must be retained as far back in time as possible: at least three months, but preferably longer. These include, among others, the logs of firewalls, antivirus and anti-malware packages, Active Directory, Office 365 and Windows events. You can also activate and monitor detection technology that is already present in your IT infrastructure.
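A quick retention-coverage check along the lines of Step 1, added here as an example (not NFIR's own tooling): given the oldest event still available per log source, it reports which of the sources named above fall short of the three-month minimum or are missing altogether. The 90-day figure, the source names and the sample inventory are assumptions made for the example.

```python
from datetime import date

# Assumption: "at least three months" is taken as 90 days; longer is better.
MIN_RETENTION_DAYS = 90
# Log sources the article lists as needed for the forensic trail.
REQUIRED_SOURCES = {"firewall", "antivirus", "active_directory",
                    "office365", "windows_events"}


def retention_gaps(inventory, today, min_days=MIN_RETENTION_DAYS):
    """Return {source: shortfall_in_days} for every required source that
    does not reach min_days of history. A source absent from the inventory
    is reported with the full shortfall, since no trail exists for it."""
    gaps = {}
    for source in REQUIRED_SOURCES:
        oldest = inventory.get(source)
        if oldest is None:
            gaps[source] = min_days
            continue
        covered = (today - oldest).days
        if covered < min_days:
            gaps[source] = min_days - covered
    return gaps


# Constructed sample: oldest retained event per source (hypothetical values).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = {
    "firewall": date(2024, 5, 18),         # 14 days kept -> 76 days short
    "antivirus": date(2024, 1, 1),         # 152 days kept -> fine
    "active_directory": date(2024, 3, 3),  # exactly 90 days -> fine
    "office365": date(2024, 4, 2),         # 60 days kept -> 30 days short
    # "windows_events" is not collected at all
}

if __name__ == "__main__":
    for source, short in sorted(retention_gaps(SAMPLE_INVENTORY, SAMPLE_TODAY).items()):
        print(f"{source}: retention falls {short} day(s) short of {MIN_RETENTION_DAYS}")
```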
Step 2: Forming an Incident Response Team
It is essential to bring together the staff who will take on the required tasks in an Incident Response team, which can also act as a task force for cyber incidents. This includes analyzing and monitoring threats, as well as coordinating during an IT Security incident. Make sure it is clear who the team members are, what responsibilities they have, and – perhaps most importantly – make sure they are properly trained and educated. Many organizations seek the assistance of a Computer Emergency Response Team from a specialized IT security company such as NFIR when IT security incidents occur.
Step 3: Create Incident Response Plan
Step 4: Training, practicing and learning
Make sure the plans are kept secure (preferably on paper), but remain accessible to those who need them in the event of a cyber incident. Train Incident Response team members well in all aspects of their role. This can be done, for example, with NFIR’s Incident Readiness training. In addition, it is very important to practice incidents in a realistic way so that team members really start functioning as a team. These crisis simulations train the team to respond appropriately to incidents. At NFIR, for example, this can be done with an Incident Response Dry-run (a simulation with “injects” of a successful ransomware attack).
Communicating is important
Effective communication is crucial in a cyber incident. This applies to internal and external communications.
Internal
When an employee suspects that an incident is occurring or there is a threat, that person must be able to raise the alarm quickly. Make sure your employees know how, and properly arrange for 24/7 reporting. Also, make sure it is clear who is communicating with external parties (such as an ICT vendor, cloud provider, the Personal Data Authority or, if necessary, a Computer Emergency Response Team). Make sure employees are aware of the hotline, scenarios and any other contacts. If employees know the plan exists, what it entails and how to report incidents, action can be taken quickly. Regular updates to your employees about a cyber incident and progress are also important.
External
Finally, good external communication about a cyber incident is essential. Every organization has stakeholders such as suppliers, customers and partners who have the right to be informed properly and in a timely manner about the possible consequences of a data breach and about business continuity for them. Where possible, your organization should provide actionable advice to those affected by the IT Security incident.
Security incident? Meet Incident Response
Our Incident Response team is available 24/7 to identify and resolve any cyber incident.
What is Emotet malware? And what does it do?
Emotet is so-called “polymorphic malware” – which constantly adapts itself to avoid detection. The malware is often used by cybercriminals as a springboard to gain access to corporate environments. Once inside, attackers often look for ways to gain further access to the network.
When am I dealing with a reportable incident data breach?
At the moment that unauthorized persons (can) access personal data, there is a potential data breach. In many cases, organizations are required to report the incident to the Personal Data Authority (AP). The AP was established and designated as the regulator of the General Data Protection Regulation (AVG) and the AVG Implementation Act (UAVG). Whether a data breach must be reported depends on the circumstances. For example, a data breach need not be reported if the risk to the rights and freedoms of data subjects is limited. This is in contrast to a case in which an unauthorized person gains access to a customer’s passport or bank account number: there, identity misuse or financial consequences cannot be ruled out. Such incidents must be reported to the AP within 72 hours.
Can I always contact NFIR to get help in case of an IT-Security incident?
Yes, we are available 24/7 for SMEs, multinationals, government bodies, educational institutions and non-profit organisations. Within three hours, an incident response (CERT) team is present at every location in the Netherlands (Wadden Islands excluded).
NFIR is an official CERT but what does that actually mean?
CERT stands for Computer Emergency Response Team. The designation is awarded by Carnegie Mellon University to companies and teams that handle digital security incidents. In the Netherlands, there are a number of official CERTs at large organisations involved in combating cyber incidents, such as the NCSC, the IBD, the Ministry of Defence, telecom organisations and banks.