Until It Happens to Your Business
As soon as I start talking about computer security, data breaches, and malware to small business owners, their eyes inevitably glaze over and their facial expression tells me one thing.
I know this is important, but I am too busy dealing with today’s challenges to worry about what MIGHT happen…
Hey, after all, this kind of thing only happens to the big companies, right?
The fact is, businesses large and small, from big retailers to small town chiropractors are being attacked. And it isn’t until your business has ground to a halt that you start to wonder why it happened and what the heck you are going to do minimize the damage.
Just for a moment, ask yourself these questions:
- If you suddenly lost all access to your databases (customer info, transactions, etc.), how would that impact your business?
- How would your customers/clients react to the news that you exposed their sensitive information to an outside source? Oh, and BTW, you had no idea who it was or what they would do with it?
- You no longer controlled your network and all sales functions came to a grinding halt, how many hours/days of that could you sustain before the damage was permanent?
The reality of computer security is that once you are a victim of an attack, the damage is done and there is little you can do to reverse it. Your client?s confidence in you is already shattered, business has been lost, and the costs to repair it are going to be significant.
So, what’s the moral of this story BE PROACTIVE!
Almost all of the threats that are currently out there can be avoided by having sound and consistent I.T. security protocols and procedures in place. Gary Hayslip produced an exceptional article for csoonline.com that outlines the foundations of a sound Incident Management Plan.
The business develops an understanding of its risk and then implements the capabilities to manage it. Core tasks in the Identify function are orientated towards gaining an understanding of the critical systems, assets, data, and capabilities required for business operations.
- Identify and prioritize critical business systems and processes which may be exposed to compromise. Think of the procedures, applications, data, and people required for essential operations needed by the organization to function as a business.
- Develop a Disaster Recovery and Business Continuity Plans (BC/DR) while taking into account some of the following requirements:
- Coordinate how business with work with suppliers and primary customers during a business emergency.
- Plan how the business would conduct manual or alternative business operations if required.
- Plan how the company would do offline financial transactions.
- Develop written procedures for emergency system shutdown and restart.
- Develop and test methods for retrieving and restoring backup data; periodically test backup data to verify its validity.
- Have established agreements and procedures for conducting business operations in an alternate facility/site.
- Educate and train staff on Business Operations Plan, DR/BC Plan.
The business implements a cybersecurity program with appropriate security controls and capabilities. The core tasks in the Protect function are centered on the organization developing the strategic processes to limit and contain the impact of a cybersecurity incident.
- Develop core critical “cyber hygiene” policies including Acceptable Use, Access Control, Change Management, Information Security, Incident Response, Remote Access, BYOD, Email/Communication, and Social Media.
- Implement an enterprise cybersecurity program comprised of these best practices:
- Backup business data (daily incremental/weekly – full).
- Keep all systems updated with anti-virus and anti-malware security software.
- Keep all computer operating systems updated with current operating systems and security patches.
- Secure wireless networks with encryption and vendor recommended security procedures.
- Implement, monitor, and audit system and network logging.
- Implement access control and authentication of critical/sensitive networks and business data.
- Train employees in cybersecurity awareness and proper use of business systems.
The business implements the appropriate security controls and technologies to identify and investigate the occurrence of a cybersecurity event. The core tasks in the Detect function are focused on the timely discovery and investigation of anomalies and abnormal events through continuous monitoring and detection.
- Implement continuous assessment, monitoring and remediation of network and assets deemed critical to the business.
- Develop a training program for security personnel on the use of cyber threat intelligence and management of anomalous events.
- Develop an incident response plan for the organization’s cybersecurity teams to manage during a cyber-event by doing the following:
- Maintain a current inventory of computer assets (hardware, software, and cloud).
- Maintain a list of IT service providers and emergency/law enforcement contact information.
- Create a checklist of specific actions in the event of a cyber incident.
- Define and establish priority notification of employees.
- Define and establish priority notification of customers/clients as deemed necessary and at the appropriate time.
- Define other notifications (e.g., law enforcement).
- Account for Regulatory Compliance (as required).
- Conduct refresher training on incident response emergency procedures (at least annually).
The organization implements the appropriate controls and procedures to take action with regards to a confirmed cybersecurity incident. The core tasks of the Respond function are designed to support the business ability to contain the impact of a cybersecurity incident.
- Identify impacted/compromised systems and assess the damage.
- Implement incident response plan actions (emergency/contingency plans) to minimize the impact on business operations.
- Attempt to preserve evidence of incident while disconnecting/segregating affected identified assets.
- Collect the affected assets system configuration, network, and intrusion detection logs.
- Notify appropriate internal parties, third-party vendors or authorities, and request assistance, if necessary.
- Reduce damage by removing (disconnecting) affected assets.
- Document all steps that were taken during the incident and conduct a “lessons learned” discussion to improve the incident response team?s procedures.
The organization develops and implements procedures to be activated in the event of a cybersecurity incident. The core focus of the Recover function is to keep the company in operation during such an event and assist it in recovery efforts as it returns to normal business operations.
- Restore recovered asset to a periodic “recovery points” if available and use backup data to restore systems to last known “good” status.
- Ensure all backups of critical assets are stored in a physically and environmentally secured location.
- Remember updating recovered systems with current data may require the business to manually input transactions if it was conducted offline due to a cyber event.
- Create updated “clean” backup from restored asset.
In today’s dynamic threat environment, developing a risk management methodology is a strategic imperative for companies. NIST’s risk management functions are necessary steps an organization can follow to manage its risk and the impact of a cyber incident. It is important to begin the process; accept you need it and incorporate it into the business portfolio of critical operations that are required to be successful.