What do Maersk Shipping, TNT, Reckitt Benckiser and Merck all have in common?
They all recently announced they had incurred significant costs as a result of being impacted by the Wannacry and NotPetya ransomware outbreaks during the last 6 months.
The figures are quite staggering – The CEO of Maersk suggested they were taking a US$200-300m hit, TNT a division of FedEx stated a similar figure, Reckitt Benckiser reported they would lose GBP100m in sales and Merck bosses said the issue had set their pharma business back at least US$310m of which $135m would be for lost sales and $175m in costs.
The scale of the reported losses associated with these ransomware outbreaks would have seen these four organisations undoubtedly move quickly to assess their security posture and review their incident response planning and execution.
On a more local level businesses in Australia and New Zealand should be looking at these examples and asking the question – What is our documented incident response plan to defend against these types of online threats?
What is Incident Response Planning?
Before we look at what makes for a robust Incident Response Plan, let’s take a moment to understand what this plan actually is.
Your incident response plan is designed to test the ability of your organisation to promptly respond to a security incident such as a malware or ransomware outbreak, a data breach, targeted attacks such as whaling or a Distributed Denial of Service (DDoS) attack. However, too many businesses have inadequate response plans in place that remain untested, or worse, no plan at all. This failure to prepare is why so many businesses were caught out during the recent WannaCry outbreak and are currently suffering in the wake of NotPetya.
Here’s what your incident planning should cover in the instance of a ransomware outbreak-
6 Stages of Incident Response Planning
An organisation's incident response plan should be prepared by a carefully selected group of staff members that, in addition to working in IT also understand security issues. This team should not be limited to IT staff however, and may also include representatives from your legal team, HR, and even your public relations or marketing department.
This is arguably the key step as it is where you will completely develop your Incident Response Plan. Your organisation may also schedule security awareness training for your staff and assign the roles staff will take if an incident does in fact occur.
During this period you may also develop and conduct drills to measure the effectiveness of your plan and make adjustments based on any areas that could be improved.
Educating of users and IT staff about the importance of updated security measures and training them to respond quickly and correctly is highly recommended.
The remaining steps will be implemented in the case of an incident starting with:
It is at this stage that your Incident Response Team will be activated, but before any measurable action can occur, you response team will need to determine if in fact any incident has occurred.
If a security incident is confirmed, you will need to:
- Investigate how the incident occurred
- Figure out when it is likely to have happened and
- Record who discovered it first
- Establish if any other areas have been impacted
- Map how far the infection (if any) has spread
- Establish what kind of ransomware variant is involved
Only once your team has uncovered the complete scope of the incident can any actions be taken.
It is at this stage that your team will contain the problem by isolating or sandboxing the affected segment of the network to prevent further damage.
Once your team has established the root cause of the problem and all traces of malicious code are removed, your systems will need to be patched and any necessary security updates installed.
It is now time to restore and recover your systems and return to business as usual. By now your team has made sure any sandboxed or isolated network segments can be reintegrated safely to the corporate network. Additionally any data and software should be restored from clean backup files.
When your organisation has recovered from the incident, be sure to schedule a meeting involving all incident response staff members. Analyse both the incident and the response, record what the effective solution was, and what can be improved to prevent any recurrences.
Who Facilitates Incident Response Planning?
Like any business investment, designing a robust plan will take time. Finding the necessary skills and expertise within your organisation is generally one of the most difficult tasks of any security planning. This is where an external IT security consultancy comes in.
What should you be looking for in an IT security consultancy and incident response planner?
They should be qualified and trained to assist with the following:
- Customise the planning template based on what your business offers and the types of vulnerabilities you are likely to be vulnerable to.
- Recommend and assign incident response roles.
- Train staff in the requirements of their roles and outline all actions that need to be taken in the event of an incident.
- Provide a full report on current security threats so that training opportunities can be maximised.
- Ensure your employees are aware who to report any breaches to.
- Continue evolving incident plans and regularly test employees on weak areas to ensure they understand how breaches occur before they are ever faced with one.
Ultimately, the best incident response lies in quality planning and training to recover quickly from an attack and prevent any recurrences.
For a confidential discussion on how we can assist your organisation build an effective Incident Response Plan contact Mike Conboy
Click Here to learn more about our incident response services.