This article presents five lessons learned from numerous cybersecurity incident management interventions. These findings may help you better prepare for such an eventuality.
Not paying attention to the symptoms
Not paying attention to the symptoms of an attack could cost you dearly. Vigilance is probably the best weapon you have to deal with a cybersecurity incident. In other words, you need to be able to properly detect the warning signs of a situation that can escalate quickly. Someone is receiving suspicious emails? Users are complaining about strange behavior on their devices? A new administrator account has just been created? These could be signals that something is wrong. When in doubt, don’t hesitate to contact specialists who can help you; caution is the best policy!
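One of the warning signs named above, a new administrator account appearing, is something an IT team can watch for mechanically rather than waiting for someone to notice. The following is an added example, not code from the original article: a small triage rule that scans audit-log records for an account that is created and then granted administrator group membership shortly afterwards, and ranks the finding so it gets escalated rather than left alone. The pipe-separated record format and the sample lines are constructed for this example; the event IDs 4720 (account created) and 4732 (member added to a local security group) are the real Windows Security log IDs, but the field names, group names and the one-hour window are assumptions.

```python
"""Added example (not from the original article): flag newly created accounts
that are promoted to an administrators group soon after creation.

Assumptions: the record layout below is invented for this example; event IDs
4720 and 4732 match the Windows Security log, the rest is ours.
"""
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp | event id | subject | target | group
SAMPLE_LOG = """\
2024-03-01T02:11:05 | 4720 | svc-backup | tmp-admin | -
2024-03-01T02:11:40 | 4732 | svc-backup | tmp-admin | Administrators
2024-03-01T09:15:00 | 4720 | hr-onboard | j.smith | -
2024-03-01T09:16:10 | 4732 | hr-onboard | j.smith | Domain Users
2024-03-02T22:30:00 | 4732 | it-helpdesk | old-contractor | Administrators
"""

ADMIN_GROUPS = {"Administrators", "Domain Admins"}  # assumed group names
WINDOW = timedelta(hours=1)  # creation followed by promotion within an hour


def parse_log(text):
    """Parse the constructed pipe-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, group = [p.strip() for p in line.split("|")]
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "subject": subject,
            "target": target,
            "group": group,
        })
    return events


def find_new_admin_accounts(events):
    """Return (severity, account, reason) tuples.

    HIGH:   account created and added to an admin group within WINDOW
    MEDIUM: added to an admin group outside 07:00-19:00 (assumed office hours)
    LOW:    any other admin-group addition, kept for review
    """
    created = {}  # target account -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4720:
            created[ev["target"]] = ev["time"]
        elif ev["event_id"] == 4732 and ev["group"] in ADMIN_GROUPS:
            t_created = created.get(ev["target"])
            if t_created is not None and ev["time"] - t_created <= WINDOW:
                minutes = (ev["time"] - t_created).seconds // 60
                alerts.append(("HIGH", ev["target"],
                               f"created and made {ev['group']} within "
                               f"{minutes} min by {ev['subject']}"))
            elif not 7 <= ev["time"].hour < 19:
                alerts.append(("MEDIUM", ev["target"],
                               f"added to {ev['group']} out of hours by {ev['subject']}"))
            else:
                alerts.append(("LOW", ev["target"],
                               f"added to {ev['group']} by {ev['subject']}"))
    return alerts


if __name__ == "__main__":
    for severity, account, reason in find_new_admin_accounts(parse_log(SAMPLE_LOG)):
        print(severity, account, reason)
```

On the sample lines this reports tmp-admin as HIGH (created and promoted within a minute at 2 a.m.) and old-contractor as MEDIUM (promoted out of hours), while j.smith's routine onboarding is ignored. The point is not the specific thresholds but that a rule like this turns a vague "something looks wrong" into a concrete item for the on-call person to act on the same day.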
Waiting before taking action
In the event of an incident, speed of response is key. Not only can it literally save your organization, but overall, it can greatly reduce the costs associated with the incident management activity. In other words, it’s better to call in the specialists sooner rather than later.
A water damage analogy helps explain this type of situation. If water were leaking from your ceiling, would you wait to call a specialist? Probably not: waiting would only let the leak cause more serious damage. The same applies to cybersecurity incidents. Acting quickly can save you from serious problems down the road.
We regularly see teams leave an incident alone for 24-48 hours before calling for help.
Trying to fix it yourself, or going to the wrong place for expertise
Companies will often have the reflex of trying to figure things out on their own. While this may seem like a good idea on the surface, it usually leads to bigger problems to deal with later: malware gets further into systems, so more effort is required before it can be removed.
Again, the incident response specialist role is a specialized one. True incident handlers have undergone specialized training in the field and usually have the certifications that prove their skills.
The business of incident response requires strategy, methodology, tools, and approaches that fall under a particular specialization. These elements are not usually part of IT teams whose mandate is to maintain an infrastructure to meet day-to-day challenges. It is a specialty that requires specific expertise, so it is important to validate that your IT team really is able to support the management of a cybersecurity incident.
Attempt to negotiate on your own
If your organization is ever caught in a ransomware situation, never contact the bad guys. This has very important implications for your organization’s reputation, technical aspects and legal liabilities. It is better to wait for incident management specialists and breach coaches before making any intervention. This will prevent you from plunging your organization into a potentially irreversible situation.
Finding a culprit
The question managers might ask themselves when an IT incident occurs is: “Who is responsible for the situation?” This reflex could prove disastrous for the future. Indeed, looking for a culprit could disengage the talent in your organization, which would make the situation worse in the midst of a talent shortage.
The role of leadership should be to motivate and mobilize the troops to deal with the current situation. When things are more stable, that’s when you can start to think about “what really happened” and find solutions to reduce the risk of a similar situation happening in the future.