The prevalence of security incidents and hacking continues to increase, as financially motivated attackers continue to target businesses with everything from social engineering attacks to data harvesting. Small-to-Medium-sized Businesses (SMBs) remain easy targets due to the ease with which adversaries can launch attacks. These organizations are fighting an uphill battle when trying to protect themselves, as they often have a limited IT budget and limited information security expertise available to them. But most businesses probably aren’t dealing with Advanced Persistent Threats (APTs) when it comes to security incidents, and some simple preparation steps can help reduce the likelihood of a breach and decrease the impact on your business if one does happen. We’ve put together an introductory incident response checklist that can help a lot of SMBs prepare to handle security incidents more effectively.
Incident Response Checklist – Preparation
- Do you have an Information Security Policy? It may sound like a waste of time, but putting together a baseline security policy that covers how you handle security for your day-to-day operations, what security controls you have in place, and what your organization’s security expectations for employees are can help to reduce the likelihood of an event in the first place. Showing a commitment to security, and thinking through security enough to create a meaningful policy to support it, is usually a good first step. There are a ton of great policy resources online, or we can help you craft a custom policy for your organization.
- Does your Information Security Policy contain an Incident Response Plan? Whether it’s a separate document or part of your overall policy, a specific plan for how you intend to handle potential security incidents can help you avoid critical response mistakes and high-stress periods of time when something occurs. I know, I know, more policy writing. But it really does make a difference if you think through what you are going to do to help minimize impact and ensure business continuity following an incident. Not only is this a practical idea, but it is required by almost every compliance standard out there.
- Are organizational responsibilities clearly defined in the Incident Response Plan? There’s nothing worse than finger-pointing and mass confusion when a security incident occurs. If your employees don’t clearly know and understand who is doing what during an incident, things are more likely to be missed, the response process can be significantly slowed, and stress during the response can be increased. All of these things can lead to a worse response which can, in turn, increase the impact of a security incident and cost the business more money.
- Are communication channels clearly defined in the Incident Response Plan? Similarly to responsibilities, laying out exactly who needs to know what, when certain parties need to know, and what contact information should be used to inform those parties is vital. This can increase the efficiency of the response process and avoid sensitive information being disclosed to unnecessary parties (which could unintentionally damage reputation or increase the cost of the response efforts). Ultimately, you need to know exactly who needs to know about a security incident in order to officially declare it one, and then each channel of communication that needs to happen after that.
- Which vendor or third party are you going to bring in for the response? Don’t wait until something actually occurs to have a preferred vendor engaged that you want to use for your incident response process. Scoping, contract signing, and scheduling are generally time-consuming processes that can delay response time and result in critical evidence being destroyed. Vet your vendors and have contracts in place ahead of time where it makes sense. Things like Incident Response Retainers can also help streamline scheduling and ultimately improve response time. While we do everything we can to quickly help customers that need Incident Response services, it can be hard for organizations to push contracts through their internal processes quickly, and depending on the time of year, allocating resources to actually perform the work can be hard.
- Have you tested your Incident Response Plan recently? IR plans should be tested, evaluated, and updated at least semi-annually, even if it’s just via a table-top exercise. These events can help make sure your plan doesn’t get stale and that everyone involved in the response process is aware of and comfortable with their role when the time comes. Like anything in life, practice makes perfect. And if your employees understand their duties during a security incident, the overall response can be improved.
These are just a few things to get you started. There’s a lot more to consider here when it comes to adequately preparing for a security incident. Unfortunately, security incidents continue to increase in prevalence, and where small businesses are concerned, the impact and long-lasting effects following an incident can often be overwhelming. To avoid these scenarios and ensure you don’t need to close your doors for an extended period of time, take some time to plan accordingly. If you feel like you already have all the things on this introductory incident response checklist in place, feel free to tweet us @TriaxiomSec or contact us here to talk through some additional considerations and planning steps you can take.