How to Prevent, Detect, and Respond to Cybersecurity Incidents

September 28, 2020

When the first skyscrapers were built, they had between 10 and 20 floors. Today, skyscrapers have over 100 floors and are thousands of feet tall. Though many engineering and technological advances have contributed to this progress, modern reinforced concrete frameworks are most critical to the strength and stability of these superstructures, fortifying them against strong winds and earthquakes.

Similarly, the information technology systems and networks that support our society's infrastructure require solid frameworks to ensure their security and stability. This infrastructure, from government services to utilities to privately held companies, relies increasingly on such systems and networks. If not secured, these systems could be targeted by hackers and suffer devastating consequences.

To secure and protect your assets, electronic or otherwise, you must address three general areas of cybersecurity: prevention, detection and response. Yet, in spite of the fact that data breaches are an increasing threat to the viability of businesses, most do not have a cybersecurity plan in place and are not prepared to handle the costs and consequences associated with a data breach. 

Prevention of Cybersecurity Incidents
  • The goal of cybersecurity is to prevent an incident or a breach. Prevention is the most cost-effective tactic and warrants a detailed plan of action.
  • Establish and understand the budget you’ll need to maintain a cybersecurity program. In most cases, you can implement successful security measures without breaking the bank if you’re effective in communicating your goals within your organization.
  • Build a culture of cybersecurity awareness at your organization. Employees should not only follow best practices but understand specific cyber risks within the network. This should include established policies and procedures, as well as trainings.
  • Assess your current risks or have a third party do so. Apply what you learn from this assessment to prioritize tasks and secure your systems, networks and applications strategically.

Why perform a cybersecurity risk assessment?
The key to prevention is understanding your risks and matching the appropriate prevention tactics to each. Otherwise, you won’t know what you’re protecting and why, and your strategy may not meet the need. You must:

  • Define the type of information you have.
  • Assess how information moves through your organization.
  • Learn why that information would be valuable to a hacker.

The results of this assessment will be different for each organization, as will the solutions. 

An assessment is particularly important if there are defined requirements or regulations for the information you’re protecting. If you don’t have the right safeguards in place, you could face higher fines and penalties in the event of a breach.

Detection of Cybersecurity Incidents
Preventing all attempted security breaches is impossible. To defend against future attacks, you must implement a strategy to monitor your network and detect those attempts as early as possible. Most incidents begin with events that appear on system and network logs. If you can identify events from technical sources and reports that pose threats to your security and operations, you can then determine what, if anything, needs to be done to prevent a full security breach.

Monitoring and assessing the network, logs and reports should be a regular and ongoing task. And you must implement a technical strategy for detection that includes everyone in your organization. Establish regular training for cybersecurity awareness, deploy malicious code detection to your entire network, harden your network environment against vulnerabilities, and use firewalls to block unauthorized activity on your network.

Here's what you should be looking for when it comes to cybersecurity risk.

Response to Cybersecurity Incidents
Developing an incident response plan can be compared to running a strategy game. You want to position the right people in the right places for the best outcomes should an issue arise. Such planning is not just for expansive and complex companies. Cyber incidents happen to companies of all sizes and incident response is relevant to every business. The same technology that continues to revolutionize industries can easily cripple any organization. In fact, there’s a chance your company has had a data breach within the last year. 

To navigate an incident safely and successfully, you must establish an incident response plan for key personnel to follow in the event of a breach or attack. For this plan, you should:

  • Define what qualifies as an “incident.” This will be different for every company.
  • Establish clear policies for cybersecurity and incident response.
  • Determine key personnel to be alerted when an incident is identified, your incident response team.
  • Log and monitor everything for reference if an incident occurs.
  • Create protocols for reporting, notifying and communicating incidents within your organization and with any other relevant parties.
  • Have a forensics element. The inclusion of this element in handling incidents will ensure you’ve documented a defensible process to defend your actions for legal obligations as well as keeping your business operating securely.

What are the key roles on an incident response team?
Each person on your incident response team will have a role to play in keeping everything organized and under control during a data breach. In terms of strategy, each member should have a specific responsibility in getting the company through the response. There are four primary roles to assign, though larger incidents could require more complex combinations of skills. These individuals make up the backbone for any incident response plan:

The Veterans: When it comes to incident response, IT professionals are the champions of their company’s security. When an end-user finds a potential cybersecurity threat, the IT professional confirms the threat based on the incident response plan. They then work to mitigate the incident. They must also practice restraint, as mishandling information during an incident could leave the company responsible and liable for spoliation of data.

The Investigators: After several cybersecurity incidents, you’ll want assistance from a third-party forensic team, who can provide extensive expertise, tools and resources you may not have available within your company. You may also need a third-party forensic team to conduct an impartial review or report for insurance reasons.

The Internal Lead: It is important to have a person in charge of controlling the dissemination of information throughout the company. This role is typically filled by either the Chief Security Officer or head of Public Relations. They will maintain and report information and results to the company as needed. Other team members will defer to the internal lead for guidance and authority. Ideally, this person should have some technological experience or insight into the company’s technical makeup. And they should rank high enough to deter suspicion over delegating orders or taking possession of devices. However, keep in mind that an effective security defense requires a solution operating 24/7. According to an analysis conducted by Arctic Wolf, 35% of cyber threats appear after typical office hours. 

The Legal Representative: The company attorney or legal representative will manage public and private perception of the company and ensure that there are no legal repercussions when the incident is resolved. They organize a plan based on the information to best help the company and they give insight into legal nuances of incident response, such as when to reveal your cards and when to call an investigation to a close. This role is especially critical if your company is dealing with protected information beholden to regulatory bodies.

As you can see, each member of the team has a specific and vital responsibility. Going through any incident without a complete team could end up costing more money and bringing confusion and unnecessary stress to an already precarious security situation.

The NIST Framework for Improving Critical Infrastructure Cybersecurity
In February of 2018, the National Institute of Standards and Technology (NIST) released their Framework for Improving Critical Infrastructure Cybersecurity. The Framework Core provides a process-oriented set of functions for managing cybersecurity risks. An organization that adopts the NIST framework is provided standards and expectations that can be performed concurrently or continuously to promote a culture of cybersecurity within the organization. These Framework Core Functions are:
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
  • Many organizations, including federal, state and local governments, as well as publicly and privately held companies, have adopted this framework and started their systematic approach to managing cybersecurity risks. The goal is to implement a set of guidelines that ensures the breadth of cybersecurity risks have been addressed. A framework provides an organization with strength and agility to sustain the inevitable [cyber winds and earthquakes]. Like the frameworks that support skyscrapers, adoption of a cybersecurity framework is critical to the success of any organization.


Potential Consequences of Being Unprepared
Investigation Expenses and Litigation
Every business maintains proprietary data in the form of customer lists, trade secrets and Personally Identifiable Information, or “PII,” which is protected by law. In the event of a data breach, you’ll have to factor in the initial expense incurred by investigating the breach, as well as costs associated with potential litigation. If you understand your cyber risk ahead of time, however, you can be prepared to make efficient and effective decisions should malicious activity occur. 

While it’s important to keep up with new regulations around handling personal and confidential information, the regulations aren’t designed to protect your business and operations. Ultimately, it’s an organization-wide issue and the responsibility falls to owners, executives and board members. By taking a holistic approach to cybersecurity management, you can reduce weakness in your cybersecurity defenses. 

Here are a few tips for developing a defensible process:

  • Use a third party for incident response capability assessments, as well as regulatory compliance.
  • Use internal IT staff for business continuity and recovery during an incident.
  • Use a third party to manage the incident response and conduct the investigation. It is important that this third party is trained and qualified in forensic investigation to handle incident response in a way to prepare for any potential future litigation that may surface.
  • Ensure you are regularly conducting response activities on events that are a potential threat to your organization. Do not wait to declare something an incident based on compliance standards alone.

Infrastructure Vulnerability and Chaos
Beyond data security, a breach at your company could have disastrous consequences if hackers got a hold of key operations – especially physical infrastructure operations. In March of 2016, a group of foreign nationals were charged with hacking attacks on a dam in Westchester County, N.Y. They were able to perpetrate the attacks by installing malware on computers around the world and then using those tools remotely to launch cyber assaults. They never took control of the dam or caused disruptions. They instead examined its operating system to determine its defenses against cyberattacks. A follow-up investigation determined that, in theory, the hackers could have caused flooding and created chaos by hacking into the dam’s control system.

Industry-Specific Consequences
Though many cybersecurity risks are common among industries, certain sectors will face varying consequences due to the nature of their data and/or condition of their systems. For instance:

Higher Education: There are strict regulations for handling and protecting personal information retained through the financial aid system. The responsibility falls to several parties, including institutions and third-party services. Compliance is audited and, if a risk is identified, consequences range from disabled access to information systems to fines and other actions deemed appropriate by the Department of Education.

Automotive Sales: Auto dealerships collect a significant amount of consumer information and are prime targets for hackers. Common cyber incidents for this industry include breaching Wi-Fi networks, phishing scams, fraud and installing malware via email. One of the biggest consequences of such activity is reputation damage. Nearly 84% of consumers would not buy another car from a dealership that had a security breach.

Manufacturing: A recent study found that nearly 40 percent of manufacturers don’t have a cybersecurity plan, and it’s also true that many manufacturers operate using outdated technology. These conditions increase their vulnerability to cyberattacks. Plus, manufacturing is an industry that has to protect a special type of data: intellectual property. Trade secrets and build lists set companies apart and drive brands and could be stolen or held for ransom.

The Importance of Implementing a Cybersecurity Plan
Cyber threats and cyberattacks have increased dramatically over the past decade. These attacks have exposed sensitive personal and business information, disrupted the critical operations of organizations and imposed high costs on the economy and businesses. It is imperative you stay informed about the continuously changing forms of cyber threats and develop appropriate, cost-effective controls to safeguard your business from data breaches.

Expand Full Article

Best Practices in Cybersecurity

Discover the five stages of cybersecurity and how to create a culture of security in your organization.
Download the e-Book