Expert Advice for Medium and Midsize Businesses

  • IT
    April 26, 2018

FBI Recommends: How to Build a Cybersecurity Emergency Plan

Tansy Brook
Director of Product Marketing

No one wants to think that their business will be the target of a ransomware attack or cybersecurity breach. But with more than 4,000 ransomware attacks reported daily since the start of 2016, the odds are not in favor of your small-to-medium-sized business (SMB). The question isn’t if, but when.

However, while it may be impossible to fully prevent a network attack, you can be prepared. Creating an incident response plan and then practicing it before anything ever goes wrong ensures that your SMB knows what to do if you become a victim.

“You don’t want to wait until you are in the middle of an incident, running in emergency mode, to figure out how to react,” says Jay Patel, supervisory special agent with the Federal Bureau of Investigation’s Cyber Division. By having a security plan ready, your SMB can act quickly to remedy the situation—and hopefully, reduce the damage.

When Do You Need to Build a Plan? (Answer: Yesterday)

As soon as you have more than a couple of employees, and more than one software system, you should probably create an incident response plan. That’s because, from ransomware threats to business email compromise scams, cyberattacks aren’t just inconvenient—they can put your entire business at risk.

“If you think it’s important enough to have a business, you should also think it’s important enough to protect it,” Patel says. Creating an incident response plan gives you the chance to think through and address multiple important issues.

Not all businesses and data are equal. As the value and pace of data creation accelerate, the layers of complexity have grown exponentially. One of the biggest challenges is determining how many resources to allocate to a cybersecurity plan by quantifying the costs associated with the risks to the business.

“These are hard, but important, discussions,” Patel says. “You definitely want to have them before an event takes place.”

As part of the process, your SMB leadership team must identify its sensitive information as well as the networks and files critical to the business function; they will need to discuss the hard costs, the potential impact on the brand, and disruption to the business.

Cybersecurity spending is on the rise: “89 percent surveyed expect their organization to increase cybersecurity investments in the next fiscal year,” according to a recent Oracle and KPMG Cloud report.



The Key Ingredients

Every SMB’s cyber incident response plan is unique. However, most plans include some common security components. These include:

Business critical information

As noted previously, your plan will outline the operating systems and information that the business needs to function. This can include customer information, intellectual property, employee information, etc. In addition, understanding of the data’s value shouldn’t be limited to one person: if that person leaves, the business is immediately at risk.

Detection and containment methods

Unfortunately, completely preventing a cyberattack isn’t really possible. Instead, an incident response plan will determine whether your SMB will detect an access breach or attack, and then how it will contain the security threat.

Internal and external stakeholders

Response plans also map out who may be affected by an attack, both within and outside the organization and network. The security plan then denotes how you should notify these stakeholders. Outside vendors should be a part of a successful security plan. Often, smaller companies will use a Security-as-a-Service system.

Circle of trust

Ensure your vendors are trusted technology partners. The USA is a trust-based country, where companies and citizens take for granted that businesses are held to national security standards. But the internet easily crosses borders, so it’s important to know where the vendor protecting your data is based. SMBs should be wary of accepting cybersecurity services from foreign or lesser-known companies, especially for penetration testing.

Fight bad tech with good tech

The bad guys only need to get it right once; the good guys have to get it right all of the time. Each team member needs to be an amplifier of response, which can only be done by leveraging technology and making security part of a company’s DNA. Invest in advanced technology that automates event analysis and response, freeing up the human capital to focus on more complex issues. Cybersecurity is a growing area where technology and people can complement each other. Also, ensure that all of your systems are always up to date. Cyberthreats are continuously evolving, and your systems need to as well.

Recovery and mitigation strategies

A comprehensive incident response plan will prepare your SMB to recover lost files and information from the network, and lay out a plan for how to resume business after a cybercrime. Patel notes that plans should also address how to preserve evidence along the way, so that law enforcement can investigate what happened and who was behind the security attack. 

Fortunately, you don’t need to create a cybersecurity plan from scratch. Both the National Institute of Standards and Technology and ISO 27001 provide frameworks that organizations can use to prepare an incident response plan for computer systems. “Even a small business with five employees can utilize these guidelines,” Patel says.

Plan, Practice, Repeat

Incident response plans can’t be relegated just to your SMB’s information systems or one IT employee. For your plan to be effective, Patel notes that the organization’s senior leadership needs to not only support the plan but also participate in its creation. “This is a business issue, and the business needs to be involved,” he says.

In fact, Patel recommends that IT meet with their senior leadership regularly to discuss critical technology issues and network security, and to educate the business side about what IT does and its resources. That way, when it comes time to create or update your incident response plan, non-technical leaders aren’t overwhelmed by the information.

Once you’ve created your plan, the FBI suggests that SMBs practice it at least once a year as a general protocol. You may take your team offsite or find ways to make it fun. But ultimately, you want to run through the document to see what the response looks like in real life. Experiment with role-playing. That way you can identify holes in the security plan and discover what works and what doesn’t. Get in touch with your local FBI office to participate in local security events or host an information security day. The FBI has a number of resources to support SMBs. Build a relationship with them as part of your education and emergency plan, so you know who to go to in case of an emergency.

“Most organizations that practice a plan realize that many of their components fail,” Patel says. As part of your drill, your SMB should also preemptively reach out to your local FBI division to introduce your business and make sure you know whom to contact if something goes awry or a data breach arises.

A cybersecurity incident response plan is a living file—one that requires at least annual review and updating. Take the time to make one, practice your emergency security plan and keep it current. If you do this, your SMB will be prepared for a cyberattack that hopefully never happens.

For more information on the FBI's cybersecurity efforts, read their brochure, Addressing Threats to the Nation’s Cybersecurity.

Source: FBI.gov
