Cyber-security - how robust is yours?

Cyber-security threats and the risk of attack are an omnipresent challenge, and barely a day goes by without a new statistic being released to illustrate this. The story spins out the same way every time – heightened risks, new risks, escalating costs to business and an overall lack of preparation.

• In 2022, 39 per cent of UK business reported identifying a cyber-attack, at an average cost of £4,200 per incident
• And the risk is not set to slow, with Cyber Ventures predicting that risk will grow at a rate of 15 per cent year on year for the next three years
• Yet despite this only 19 per cent of UK businesses have a formalised Cyber-Incident Response Plan in place

With a Cyber Incident Response Plan (CIRP), you can help prevent threats and minimise damage once an attack has occurred, enabling your business to protect revenue, maintain operations and uphold your customer and brand reputation.

What is a CIRP?

A CIRP is a document that clearly outlines to everyone within an organisation detailed instructions on what to do in a cyber-incident.

According to the National Institute of Standards and Technology (NIST), a CIRP covers four main phases:

1. Preparation
2. Detection and analysis
3. Containment, eradication and recovery
4. Post-incident activity

Preparation is everything!

Phase 1: preparation

The initial phase of a CIRP should detail everything that needs to be in place to ensure your business is prepared in an incident. From determining who internally will be on your cyber-incident response committee to how an incident is fully tracked, this stage focuses on gathering critical information which the business needs to consider.

Your CIRP strategy will also ensure the wider business is fully briefed on how to respond to an incident and at what point internal and external communications are necessary.

It’s prudent to remember that throughout every step of the process, evidence gathering is key, as this will continue to inform your plan and how the business will respond to an ever-changing environment.

Accurate detection and analysis processes can save time and money

Phase 2: detection and analysis

This phase determines the methods which will be used to help identify when an attack is underway, such as anti-virus alerts.

Timing is critical at this stage, as the sooner processes identify something is wrong the faster your business response times in getting the incident under control and reducing the impact on resource, reputation and revenue.

Within this phase it’s important to set out your business prioritisation plan, so that in the event of multiple systems/operations being affected there is a clear plan as to what is restored and brought back online first.

This phase should also include your communication strategy – who to notify and when (internally and externally). Ensure you document all compliance and regulatory requirements so the business avoids further penalties or fines.

Stop the spread and reassert control

Phase 3: containment, eradication and recovery

This is the critical component of your CIRP, detailing everything that needs to be done to contain the incident, helping you eradicate the threat and get your systems back up and running as quickly as possible.

Consideration should be given as to what point in time you restore a “good/clean” version of your backup files (restore the wrong one and you will be replaying the attack all over again). It’s key to ensure your business implements regular backups of your data and systems to help prevent against loss in the event of an attack.

Within the containment phase, your focus is on damage limitation – quickly and correctly identifying the assets and devices affected to contain the attack and prevent further damage. Once contained, you can implement the tools, techniques and procedures necessary to eradicate the risk and shut the incident down.

Once eradicated, your focus should switch to getting business systems back up and running. In most cases it will be prudent to take a phased approach to restoration to ensure each stage is carried out successfully.

Timelines for the above should be clearly communicated business-wide – a complete recovery can take weeks or even months. When selecting the communication channel it’s key to ensure there are viable alternatives you can use to guarantee your message is delivered in the event of your original method being compromised, such as using Teams or WhatsApp as an alternative to email.

Its an ever-evolving cycle – take time to review and revise

Phase 4: post-incident activity

Once the incident is over and systems are fully recovered, it’s important to reflect on the event and undertake a detailed CIRP analysis.

A complete incident debrief will help you refine and revise the response for future incidents – be honest about what has worked well and what could have gone better. This will help you optimise your actions going forwards, prevent similar incidents from occurring again, and strengthen your businesses protection.

It’s also recommended to run simulation exercises from time to time, to try to iron out any potential issues ahead of a real attack.

No business or IT leader welcomes the idea of their systems and operations going down or being attacked. But incidents can and do happen, often without warning. Creating a robust, detailed and watertight CIRP is the best way of ensuring your business is prepared and can help reduce disruption, data loss and reputational damage, meaning business can resume as quickly as possible.

If you are interested in developing a CIRP for your business but are unsure of your current cyber-security position, apply for your free Cyber Security Risk Assessment from M247, worth up to £2,500 in professional service fees.

Our cyber-security experts will work with you to analyse your current setup and processes across 10 areas. You’ll get a score for each area that will highlight any weak spots so they can be strengthened. Start your CIRP planning today:

m247.com/risk-assessment