Incident Response is not just for Hurricanes…
By Jeff Baker, NB Business Solutions
For Houstonians and others along the Gulf Coast, the months between June and November can be tense as the threat of hurricanes is constantly monitored. For IT professionals in particular, the weeks leading up to June often bring questions about their company’s disaster recovery and / or incident response plan(s) should a significant storm be headed their way. Such questions could include:
- What measures have we taken to ensure our data is protected?
- What is the plan to bring our systems back online in the event of a failure?
- What do we do if we lose an entire office / data center?
- How will our end users work remotely and have access to the systems and data they need?
- What are the timelines for our business to be back ‘online’?
Often, however, the months pass, no real threat forms in the Gulf, and business continues as usual without any real progress on these questions…until the following summer when the exercise tends to be repeated.
In January 2020, several organizations in the Houston area announced layoffs. The news of these events triggered similar thoughts to those in the weeks leading up to hurricane season. Although the questions are slightly different, the mindset around incident response and the need for a plan are very much in line:
- How do we ensure our data is protected?
- What measures have we taken to disable end user accounts?
- What is our plan if we incur a breach?
- How long will it take to bring our systems back online? Restore our systems and data?
- How do we protect our offices and the people inside? For how long?
Cyber and physical attacks may occur at any time, but awareness of these potential threats tends to be heightened when layoffs or other significant organizational changes occur. Many organizations will have a plan to reclaim assets, change or disable user accounts, and disable building access, but is this enough? Where should an organization focus its efforts and build a plan / process? Where do you start?
Incident Response from a Cybersecurity Perspective
IT leaders should be thinking through scenarios, planning for how to manage data and systems during each scenario, and setting in motion how to communicate with other members of the IT team about executing the plan.
These processes should be clearly outlined so that when a situation arises such as layoffs or an office closing, the plan can quickly unfold to secure data and systems before there is an opportunity for information to be compromised.
Consider these key actions that technology professionals can take to protect company data prior to any organizational event such as layoffs or closures:
- Protect the points of data ingress and egress, which could include tools such as email/O365, Dropbox, Box, VPN access, etc.
- Identify which groups or departments have sensitive data, understand where that data is stored, and ensure access is restricted, controlled, and periodically audited. This should include engaging with the executive team to identify the highest priority data to secure.
- Create back-ups on external drives or off-site hosted environments so that you can quickly restore data in the event of data being wiped, compromised, or stolen.
- It is imperative to understand RTO (Recovery Time Objective) & RPO (Recovery Point Objective) SLAs and costs of data restoration to properly set expectations with your business.
- Perhaps even more important is the continual testing and validation of the restore processes.
- Use technology to scan incoming and outgoing company emails for red flags such as large files being emailed, or certain keywords or phrases used.
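The last action above, scanning outbound mail for large files and watchlisted phrases, can be prototyped as a simple triage over mail-gateway log records. The code below is an added example, not part of the original article; the company domain, size threshold, watchlist and pipe-delimited log format are all assumptions, and the sample records are constructed.

```python
"""Egress triage over constructed outbound-mail log records (added example)."""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"            # assumed company mail domain
LARGE_ATTACHMENT_BYTES = 20 * 1024 * 1024  # assumed threshold: 20 MiB
# Assumed watchlist: phrases the executive team marked as highest priority.
WATCHLIST = ("customer list", "salary", "confidential", "source code")

@dataclass(frozen=True)
class MailEvent:
    sender: str
    recipient: str
    subject: str
    attachment_bytes: int

def parse_log_line(line: str) -> MailEvent:
    # Assumed record layout: timestamp|sender|recipient|subject|attachment bytes
    _ts, sender, recipient, subject, size = line.strip().split("|", 4)
    return MailEvent(sender, recipient, subject, int(size))

def is_external(address: str) -> bool:
    # A mailbox is external when its domain is not the company domain.
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def red_flags(event: MailEvent) -> list[str]:
    """Return the red flags this record trips; an empty list means clean."""
    flags = []
    if is_external(event.recipient) and event.attachment_bytes >= LARGE_ATTACHMENT_BYTES:
        flags.append("large-attachment-to-external")
    subject = event.subject.lower()
    flags.extend(f"watchlist-phrase:{p}" for p in WATCHLIST if p in subject)
    return flags

def triage(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (sender, recipient, flags) for every record that trips a flag."""
    hits = []
    for line in lines:
        event = parse_log_line(line)
        flags = red_flags(event)
        if flags:
            hits.append((event.sender, event.recipient, flags))
    return hits

# Constructed sample records; no real mailboxes or domains.
SAMPLE_LOG = [
    "2020-01-15T09:12:03Z|alice@example.com|bob@example.com|Q1 roadmap|120000",
    "2020-01-15T09:40:11Z|carol@example.com|carol.home@mailhost.example|Customer List export|31457280",
    "2020-01-15T10:02:45Z|dave@example.com|partner@vendor.example|Invoice|4096",
    "2020-01-15T10:30:00Z|erin@example.com|erin@freemail.example|Salary review notes|2048",
]
if __name__ == "__main__":
    for sender, recipient, flags in triage(SAMPLE_LOG):
        print(f"{sender} -> {recipient}: {', '.join(flags)}")
```

Flagged records are the ones to review with HR and Legal under the plan; the thresholds and watchlist should come from the data-classification exercise described in the second action.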
Incident Response from a Physical Security Perspective
Protecting the integrity of data and systems does not stop with monitoring emails or implementing a data backup plan. Physical security is equally important to reduce risks associated with layoffs or closures.
Your IT team should work with company security, HR, Legal, and other relevant departments to protect both its employees and the integrity of company data.
Again, companies should take a proactive approach to outline a plan for physical security and communicate the steps within the plan. This way, other team members know exactly what their role is in physically protecting data and other assets.
Keep in mind that physical security is not limited to collecting computers, deactivating electronic badges, or turning off keyed access to certain areas of the building. There is also the risk of data being handed off physically, which needs to be addressed through technical controls such as data encryption, hardening of the operating system, Multi-Factor Authentication (MFA), and even Public Key Infrastructure (PKI).
Build a Comprehensive Plan for Cybersecurity and Physical Security
The implications of not thinking proactively and entering scramble mode during an event could be costly for your company. According to IBM’s 2019 study, the average total cost of a data breach is just under $4 million (https://www.ibm.com/security/data-breach).
The common practice for both cybersecurity and physical security is to proactively build a plan that identifies each key step, action, and person involved.
IT professionals should also perform annual vulnerability reviews to identify both cybersecurity and physical security threats that could arise in the event of a major workforce change.
While it’s unfortunate to have to plan for both external and internal threats, the stress and shock of a layoff can cause people to take actions they otherwise would never consider. This is why it’s important to have plans and mechanisms to reduce the risk of loss for your company.
Be proactive, build plans, run through scenarios, communicate roles to key departments, protect systems and data, and use the latest technology to identify the highest threats. This will help your company advance past whatever storm enters your path in 2020 and beyond.