Why Organizations must have an Incident Response Plan

00:00

but we'll get into module one. Preparing an organization for a cyber incident

00:05

within Module one will start with less than 1.1, which is why organizations must have an incident response plan.

00:12

We'll cover a few things in this lesson. First is why organization should have a written and practice incident response plan and also prepared to answer frequently asked questions by executives during a cyber incident. I mentioned before that I've done a lot of incident response to my career,

00:28

and I have been ableto investigate cases from insider threats to

00:33

nation state sponsored attacks against networks. And I've had a few opportunities to brief these two executives as well. So I walk through some best practices based on research but also my own experience on what executives were looking for and what you should be ready to answer in case of a cyber incident.

00:55

So why do you need to have an incident response plan? While the bottom line is your job may depend on it.

01:00

This is something that

01:03

no one wants to be figuring out

01:06

in the midst of an incident, so you don't want to be building the airplane as it's flying, so in an incident response situation. You want to have a plan now?

01:15

Not all strategies. You're going to work. Not all plans were going to cover every single potential activity or incident that can occur to an organization. But you need to have something and you need to be able to start somewhere. And you don't want to have your very first conversation between cybersecurity and executives

01:34

in the midst of a breach or some major incident.

01:37

So as ah, certain leader or sock manager or whoever is responsible assist. So for incident response activities,

01:46

this may very well be one of the most important things you can do is have incident response plans, figured out, have playbooks, practice them, and I'm gonna walk you through all of this. How do you do playbooks. How do you do tabletop exercises? And what are the things that you should have within your plan?

02:04

So a couple other bullet points here on why organization should have an incident response plan. First, all organizations have some sort of risk relative to information security and data privacy. No matter what you sell or what your organization does. If your nonprofit or a government agency you've got some sort of risk,

02:23

and certainly some organizations are lower than others,

02:27

but you need to be prepared for a breach or some sort of an incident and have a plan for that.

02:34

Plans also need to be tailored to the risk profile and the threats of the organization. A instant response plan for the United States Air Force, for example, is going to look much different than a small business that sells appliances.

02:50

However, both of them need to have a risk assessment. Both of them need to have some sort of a plan on. The plans are going to look completely different, but we'll walk through some of that. Sometimes regulations just require it, so you may be in a highly regulated in industry or a vertical

03:06

like pharmaceuticals, healthcare finance government that just requires you to have an incident response plan.

03:13

But bottom line is, it's just good business. If you care about your business continuity, disaster recovery, the sustainability of your organization, you need to have an incident response plan.

03:24

A few other things to consider is a good incident. Response plan will reduce the impact and costs of security incidents.

03:32

If you have no plan whatsoever and something happens and you have to call in consultants to run the entire thing. From

03:40

what do we do all the way down to re mediation and recovery? That bill is going to be extremely expensive, But if you can at least figure out what you are capable of doing and what you may need other people to dio that can significantly save money.

03:57

We'll also look at what happens if an organization just lacks any type of internal or organic incident response capability, or you just don't have much experience dealing with incidents. A lot of organizations cannot afford to hire

04:11

security folks that have this kind of a background, so they may very well be in this position where you have to have contracts or incident response folks that are ready to respond on retainer. So we'll look at what those situations might look like, and then also having an incident response plan

04:30

just by its nature. And as you're writing, it

04:32

helps to create, enforce a dialogue about staffing and budgets and capabilities, tools and processes. And it's a good way to drive some conversation with decision makers

04:46

I mentioned before I've gotten the chance to brief some executives during incidents, and some of them have been significant and really high level folks that I was talking Teoh. So I want to walk you through what? Normally we see executives carrying about during an incident.

05:03

Now, the reason I have this in this section of the brief is because I want you to keep these questions in the back of your mind.

05:11

As we go through this entire course, I also would recommend you taking a copy of this slide. I'm about to go through and have it ready. Actually, build it into your incident response plan. And what I used to do is I had a slide deck created with all of these questions and I could just plug in the answers as I knew them.

05:30

So I'll walk you through them.

05:32

One question is OK, now what you've told me we have a cybersecurity incident.

05:36

What does that really mean to me? What do I need to be aware of? What are the next steps?

05:43

Another question. What should we disclose and what are we required to disclose? And this is why having these plans ahead of time are so important You already need to know what laws and regulations. Your organization is bound, Teoh. Maybe you're required to report it to the state. Maybe you're required. Reported to stakeholders or to customers.

06:02

You need to know

06:03

one who you need to report to and to also what you have to tell And in what timelines. Sometimes you have 24 hours. Sometimes you have one hour. So make sure you know what those timelines are.

06:17

This is a big one. How much is this going to cost me? And you should have a rough idea. Hopefully, you already know what the retainer looks like if you have one. Or what a contract may look like for incident response, support services. And you can at least give a ballpark figure. But it also may be too early to answer that question.

06:35

What did the Attackers take? This is always something that wanna nose. Okay, They got in. I understand that. But what did they take away? What do we need to be aware of? That they get the corporate secrets? Did they get personally identifiable information or Pii II? What were they after? What did they take out?

06:53

Number five? How did they get in? So this could be a tricky one. You may not know this for a very long time. And again, it's okay to just say we were This is still under investigation. We don't know, but be prepared for these questions.

07:08

Number six, What will it take us to get back to full operations if you are a business, especially e commerce or something that relies on your website or your Internet resource is to be up and running If you have to take things down, that can literally be millions of dollars for every couple of minutes that that site is down

07:28

depending on the organization. So this may be a very relevant question.

07:31

Number seven.

07:32

What else don't we know about? So senior executives are not cybersecurity people. Most of the time, they don't have this kind of a background. They really look to their sis so and to their leadership in the I T. And security organizations to be their trusted advisor. So what is it that we don't know? What should we be asking? What else can you help us out with

07:53

number eight? How could we have prevented this? And how do we make sure this never happens again. It may not be your first conversation, but somebody could throw this out at you, Be prepared for some sort of an answer again. It could be we don't know how they got in in the first place, so I can't really answer that now, But certainly we will be looking at that as we proceed in this investigation.

08:13

Number nine, How could we have been better prepared Now, this could be a good question, actually, to have asked of you and you never want tohave a cybersecurity. Go breach go

08:26

without taking advantage of that. I usually see after an organization suffers a breach is when they get the most money infused in the cybersecurity.

08:35

When you see them, start hiring people. If the organization didn't have a cyst so before you'll probably see a job posting pretty quickly for one. And this can be an opportunity to

08:46

make a request for funding and for a true security organization, if it doesn't occur again, are if it doesn't already exist again, though this is not the conversation gonna have on Day one, but be prepared for it and also be thinking of how you can use this

09:03

to your advantage to make the company or the organization more secure in the future.

09:07

Who were the Attackers and what was their motivation? You may know this. You may not. You may never know this.

09:13

Sometimes you will, though you might be able to say who you were able to identify. Or if there was attribution that could be made. You might be able to understand their motivation based on what was taken. Or maybe they posted things online on Paste Bin or somewhere else. And they just said, What their motivation? Waas Is it activism? Is it a competitors? Er,

09:31

who knows what it is? You may be able to figure it out,

09:35

but you might get asked this question.

09:39

So based on everything we went through on 1.1, a couple of quick questions for you to think through. So when your briefing your senior leadership about a cybersecurity incident,

09:48

you should be prepared to answer which of the following questions a

09:52

What did the Attackers take?

09:54

B. How did the Attackers get in?

09:58

See,

10:00

what could we have done to prevent this or D all of the above?

10:09

But the answer. D you're correct. He should be ready to answer any of those questions at any time through the life cycle of the incident.