When it comes to cyberattacks, enterprises have traditionally concentrated their security controls on prevention. Prevention is naturally the first objective, but in recognition that 100% prevention is impossible, controls in the detection and response groups are receiving increasing consideration. An organization can fail if it has an inadequate incident response plan, or none at all. The "six P's" mantra clearly applies: proper preparation and planning prevents poor performance.
Plan for the worst-case scenario
The NIST Cybersecurity Framework groups controls into five functions: identify, protect, detect, respond, and recover. Respond and recover receive a great deal of attention when high-profile security breaches happen (e.g., the UK government Cabinet Office in December 2019), and an organization's reputation may well dive or thrive depending on how well it executes them. In recent examples, British Airways arguably did a great job, whereas, perhaps, Equifax did not.
Not every cyberattack will have a financial motive. Some may be focused on disrupting the organization, others on distorting company information, for example. Disruption might even have the ultimate objective of destroying the organization.
The key to a resilient organization is a comprehensive backup and recovery plan, and the capability to execute it. Good governance – indeed, common sense – dictates that an organization should regularly back up its data and systems, so that essential information and software can be restored when required, within timescales that meet organizational needs (the recovery time and recovery point objectives agreed with the business). A backup that has never been restored is an assumption, not a capability: restores should be tested regularly, and at least one copy should be held offline or otherwise isolated, so that an attack that takes down production systems cannot take the backups with it.
At the very least, an organization should have a basic incident response plan. More security-mature enterprises will have built or adopted an incident response framework, in which a series of "playbooks" sets out the procedures for responding to and recovering from specific types of incident.
The playbooks assign roles and responsibilities to the individuals and teams responding to an incident. Those involved should have access to the products and tools needed for full investigation and remediation, along with the information needed to understand what is happening (or has happened). An incident will have implications across the organization and potentially beyond it, and the team and its playbook must take this into account.
It may sound obvious, but it is still worth stating: don't make incident response plans and playbooks available only online. If your systems have been taken down, you won't have the playbooks to hand. Keep offline copies (printed, or on media that does not depend on the corporate network or identity systems) where the response team can reach them.
Further reading
"Cybersecurity: Impact and Opportunities," INT003-000336 (March 2019)
"Cyber-readiness demands regular attention," INT003-000196 (July 2018)
"'Dishonorable' data protection practice," INT005-000075 (January 2020)
"The 'always-on' enterprise needs resilience," INT003-000183 (June 2018)
Maxine Holt, Research Director