Cyber incidents increased dramatically during the COVID-19 pandemic. Criminals took advantage of companies (and individuals) when their systems and processes were at their weakest -- stretched by remote working and other non-traditional work arrangements. Unfortunately, this trend has not slowed down and may even be increasing.
As a business owner, knowing how to respond to a cyber incident in a quick and comprehensive way could:
- Protect your ability to provide what you do for your customers
- Help update and improve your security (from incident learnings)
- Minimize the impact of the incident, both in the short and long-term
- Protect your business reputation and your market position
4 steps to follow in your incident response
When responding to a cyber incident and recovering to a position where your business is secure and serving customers, cyber professionals and organizations, such as Canadian Centre for Cyber Security, recommend a 4-step approach:
- Prepare
- Observe
- Resolve
- Understand
Step 1 – Prepare
Planning and preparing for what might happen to your business is essential to help minimize the chance of an incident as much as is possible and minimize the potential impact of an incident, should it occur.
Buy-in at the senior level of your business is key and making cyber security an agenda item in both team and management meetings is a good starting point.
Understanding what the critical information is, where it's stored, and what systems, software, processes your business uses, and how these are accessed is also key to understanding what may need to be done at this stage.
Key data backups done at least daily are essential, and if possible, duplicate back-ups should be done with at least one copy being stored off-site. "Mirroring" of data between two locations would see two live copies of data at all times.
Employee training should be a high priority, with employees trained to be aware of both what cybercrimes are, and what they can look like.
As part of the preparation process, you should discuss with your business partners, suppliers, and key customers what actions would need to be taken in the event of a cyber incident. Having a dedicated contact in each area would speed up any actions that need to be taken. Details of any person or company your business would need assistance from during a cyber incident, should also be put into an incident plan.
The incident plan for your business should be regularly checked for accuracy, tested to ensure it works, and updated where necessary.
Step 2 - Observe
The second step is to monitor your business networks, systems, and connected devices to identify what has happened or is happening. There are some signs that systems may have been infiltrated, such as:
● Computers running slow
● Redirected internet searches
● Unauthorized payments
● Documents becoming locked
● Ransom being demanded
These occurrences should be examined, and a decision made regarding whether the incident response plan should be activated.
The nature of your business will determine the frequency and intensity of monitoring. This can range from 24/7 monitoring to something performed in a more ad hoc manner.
Step 3 – Resolve
Resolution of the cyber incident can vary depending on the event, however getting your business operating again can include steps like replacing affected hardware and software, putting in place new security and mitigation measures and restoring company data from back-ups.
Part of reviewing security is to ensure all updates and patches are done, and passwords are changed.
Step 4 - Understand
After the incident, reviewing what happened, what was affected, what was lost, effect on customers, and any other key information, is very important to the ongoing protection of your business.
Your business can learn from the activity taken as part of the response process, such as what went well and what needs to be improved.
There are likely to be learnings from a prevention point of view also, and employee training could be one. It may be that a phishing exercise, or an awareness session should take place.
Physical and electronic security will need to be reviewed, which could result in upgrades required to prevent a repeat incident, such as access controls, or removing access to USB ports.
Updating of the incident plan in event of any learnings will help to ensure that following any changes you are still concentrating on the correct issues.
Report what happened
It is essential that your business reports cyber incidents quickly to local police and the Canadian Anti-Fraud Centre (CAFC). Your business may also be required to report the incident to the Office of the Privacy Commissioner of Canada (OPC).
Promptly reporting incidents helps other organizations to prepare and gives police information with which they can attempt to apprehend the criminals. Local police are positioned to investigate incidents and the CAFC supports law enforcement by sharing information collected through the reports.
Response time is critical
Time is of the essence when your business responds to a cyber attack. Contacting and getting help from security professionals as early as possible is critical, with the first 72-hours on an incident being key.
If you have cyber insurance, such as Aviva Cyber Insurance for Business, informing your insurer and as soon as possible will allow them to aid in your response. If your insurance coverage includes the services of an incident response partner like Cyberscout, they should also be contacted immediately.