Cyber emergency: a 10-point plan for coping

An incident response plan helps an organization stay in control during a cyber emergency. Experts from Sophos Labs and the Sophos managed threat response and rapid response teams have compiled a ten-step guide.

Cyber emergency at work: a 10-point plan helps manage a crisis. (Image: Depositphotos.com)

A cyberattack is more likely today than ever before. Studies by the IT security vendor Sophos, such as "The State of Ransomware 2021", show that internationally 37 percent of the companies surveyed had been hit by ransomware alone in the preceding year. Although ransomware has probably caused the most devastating damage in recent years, it is by no means the only type of malware that can cause serious problems for companies.

Be prepared for a cyber emergency

According to the latest Allianz Risk Barometer, cyber risks are currently the greatest concern for companies. Organizations and IT teams are therefore well advised to equip themselves with both effective security controls and a well thought-out, rehearsed incident response strategy. Such a plan can not only minimize the follow-on costs of a cyberattack but also nip many other problems, and even business interruptions, in the bud. Experts from Sophos Labs have distilled their experience into a 10-point plan for dealing with a cyber emergency.


1. Determine all parties involved and affected

It is not just the security team that is responsible for, and affected by, attacks; many other people in the company are too. From the C-level to departmental management to the legal and HR departments, the key people must be identified and actively involved in incident planning. Alternative communication channels should also be arranged at this stage, since an IT outage can take down the usual channels (corporate e-mail, chat, telephony) as well.

2. Identify critical resources

To develop a protection strategy and, in an emergency, determine the extent and consequences of an attack, the resources with the highest priority for the business must be identified in advance. Only then can the most business-critical systems be restored first and in a targeted way.

3. Practice and rehearse emergency scenarios

Exercises ensure that coordinated, rapid and targeted action can be taken in the event of a cyberattack. A plan is only good if everyone involved knows exactly what to do at any moment, instead of first searching for instructions or improvising. The exercises should cover several different attack scenarios.

4. Provide security tools

Preventive measures are a very important part of protection and thus of the incident response plan. These include suitable security solutions for endpoints, the network, servers and the cloud, as well as for mobile devices and e-mail. Important properties of these tools are a high degree of automation, for example through the use of AI, and a transparent, integrated management and alerting console, so that potential attacks are detected at the earliest possible stage and, ideally, stopped automatically.

5. Ensure maximum visibility

Without the necessary visibility into everything that happens during an attack, organizations struggle to respond appropriately. IT and security teams need tools that let them determine the extent and consequences of an attack, including identifying the attacker's entry points and persistence mechanisms.

6. Implement access control

Attackers exploit weak access controls to subvert defenses and expand their privileges. Effective access controls are therefore essential. They include multi-factor authentication and limiting administrator privileges to as few accounts as possible. For some companies it may also make sense to adopt a zero-trust concept and implement it with the appropriate solutions and services.

7. Use analysis tools

In addition to providing visibility, tools that supply the necessary context during an investigation are enormously important. These include incident response tools such as EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response), which can search the entire environment for Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).
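The distinction between an IOC (a known-bad artefact such as a file hash, IP address or domain) and an IOA (a suspicious behaviour, regardless of which file or server is involved) is what the sweep below illustrates. This is an added example, not Sophos code or the output of any EDR/XDR product; the indicators, host names and telemetry events are constructed for illustration and are not real threat data.

```python
"""Sweep endpoint telemetry for Indicators of Compromise (IOCs) and
Indicators of Attack (IOAs). Added example with constructed data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IocSet:
    """Known-bad artefacts: what a previous attack left behind."""
    sha256: frozenset[str] = field(default_factory=frozenset)
    ips: frozenset[str] = field(default_factory=frozenset)
    domains: frozenset[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "IOC" or "IOA"
    rule: str
    detail: str


# IOA rules: behaviour that is suspicious whatever the file hash or server.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# "-enc <base64>" style encoded PowerShell commands (case-insensitive).
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")


def _ioc_findings(ev: dict, iocs: IocSet) -> list[Finding]:
    out: list[Finding] = []
    if ev.get("sha256") in iocs.sha256:
        out.append(Finding(ev["host"], "IOC", "known-bad-hash", ev["sha256"]))
    if ev.get("dst_ip") in iocs.ips:
        out.append(Finding(ev["host"], "IOC", "known-bad-ip", ev["dst_ip"]))
    dom = ev.get("query", "").lower().rstrip(".")
    # Match the domain itself and any subdomain of it.
    if dom and any(dom == d or dom.endswith("." + d) for d in iocs.domains):
        out.append(Finding(ev["host"], "IOC", "known-bad-domain", dom))
    return out


def _ioa_findings(ev: dict) -> list[Finding]:
    out: list[Finding] = []
    if ev.get("type") != "process":
        return out
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if parent in OFFICE_APPS and image in SHELLS:
        out.append(Finding(ev["host"], "IOA", "office-spawns-shell", f"{parent} -> {image}"))
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        out.append(Finding(ev["host"], "IOA", "encoded-powershell", cmd[:60]))
    return out


def sweep(events: list[dict], iocs: IocSet) -> list[Finding]:
    """Run every event through both the IOC and the IOA checks."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(_ioc_findings(ev, iocs))
        findings.extend(_ioa_findings(ev))
    return findings


def hosts_to_isolate(findings: list[Finding]) -> list[str]:
    """Hosts with at least one finding, a starting point for containment."""
    return sorted({f.host for f in findings})


# Constructed IOC set (hypothetical): the hash is SHA-256 of "test", the IP is
# from the TEST-NET-3 documentation range, the domain is a reserved .example name.
IOCS = IocSet(
    sha256=frozenset({"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}),
    ips=frozenset({"203.0.113.45"}),
    domains=frozenset({"cdn-update.example"}),
)

# Constructed telemetry (hypothetical hosts and commands).
EVENTS = [
    {"type": "process", "host": "ws-17", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "process", "host": "ws-17", "parent": "explorer.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"type": "network", "host": "srv-db-02", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"type": "dns", "host": "ws-23", "query": "telemetry.cdn-update.example."},
    {"type": "process", "host": "ws-09", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Service"},               # benign admin use
    {"type": "network", "host": "ws-09", "dst_ip": "198.51.100.7", "dst_port": 443},  # benign
]

if __name__ == "__main__":
    for f in sweep(EVENTS, IOCS):
        print(f"{f.host:10} {f.kind:3} {f.rule:22} {f.detail}")
    print("isolate:", hosts_to_isolate(sweep(EVENTS, IOCS)))
```

Note that ws-17 is flagged twice by IOA rules (an Office application spawning a shell, and an encoded PowerShell command line) even though nothing in that event matches the IOC list; that is the point of IOAs: a fresh payload with a never-seen hash still produces the same behaviour. The benign PowerShell use on ws-09 produces no finding, which is the false-positive case any such rule must be checked against before it is wired to an automatic response.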

8. Define response measures for cyber emergencies

Detecting an attack in good time is only half the battle. Once an attack is detected, it must be contained or eliminated. IT and security teams must be able to initiate a range of response actions to stop and remove attackers, depending on the type of attack and the severity of the potential damage.

9. Conduct awareness training

All employees should be aware of the risks their actions can create. Training is therefore an important part of both prevention and the incident response plan. Attack simulation tools can be used to run realistic phishing campaigns against employees without any actual security risk; depending on the results, targeted training courses can raise awareness where it is lacking.

10. Consider managed security services

Not every company has the resources to implement an incident response plan and, above all, to staff an in-house incident response team with proven experts. Service providers such as managed detection and response (MDR) providers can help: they deliver 24/7 threat hunting, analysis and incident response as a managed service. MDR services not only help companies respond to incidents but can also reduce the likelihood of an incident occurring in the first place.

Cyber emergency: every second counts

"Every second counts in a cybersecurity incident, and for most companies it's not a question of if they will be affected, but simply when the attack will happen," said Michael Veit, security expert at Sophos. "This knowledge is not new. Companies differ mainly in whether they implement this knowledge with appropriate precautions, or whether they risk putting their existence at risk. It's a bit like buckling up in a car - being unharmed in an accident without a seatbelt is highly unlikely. A well-prepared and thoughtful incident response plan that all affected parties in the organization can implement immediately can significantly mitigate the consequences of a cyberattack."

Source: Sophos
