You have probably heard the famous quote by Mike Tyson, “Everybody has a plan until they get punched in the mouth.” It is a quote that endures because it rings true in so many facets of life. It is especially applicable to cybersecurity. You may think you have a plan, until the inevitable day you discover that you have been victimized by a data breach, ransomware attack, or other cyber incident. Companies with a well-thought-out incident response plan get through the grind of recovery. This is the true test of whether all that preparation and training was worth it. Do you trust that your team is able to detect an incident early on? Are they certain of the sequence of events that should take place immediately? Their response has a direct impact on how well you can recover. Unlike a punch in the mouth, the damage inflicted by a cyber incident can last for years and cost millions.
A Dark Nightmare
Take the example of Athens Orthopedic Clinic. In 2016 it found itself in a very dark world. A hacking group that called itself the DarkOverLord breached the network of a cloud vendor that serviced the healthcare industry. The group then took advantage of weak cybersecurity practices, allowing it to steal 655,000 patient records from three of the vendor's customers. Over half of these records belonged to patients of the Athens clinic. The records were then uploaded to the dark web, where the perpetrators threatened to sell the data unless the victimized organizations made an extortion payment to the criminals. For the next year the clinic endured the hardship of contacting its patients, creating press releases, cooperating with state and federal authorities, defending itself in litigation, and undergoing multiple third-party security audits. The dark journey finally culminated in September of 2020 when the clinic agreed to pay $1.5 million to the Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. For them, the four-year dark journey ended.
The Large Majority is Unprepared
The story of Athens Orthopedic Clinic is not unique. Though the setting and cast of characters differ, it is the same dark tale that many victimized organizations have lived through over the past decade. In a Forbes Magazine article in September 2019 titled, For Smart Companies, There’s Business Life after Cyberattacks, a long-time cybersecurity vendor was quoted, “We felt we were well prepared for an attack, and we had a number of important defenses in place. But the hackers were able to exploit a very small weakness – and wreak havoc.”
The problem today is that few companies are prepared for such havoc. According to a 2020 study conducted by the cybersecurity vendor FireEye, more than half of businesses operating across the globe are not prepared to combat cyberattacks. Another study, conducted in 2019 among 175 security management professionals, concluded that while cyberattacks were recognized as a real and present danger by 87 percent of companies, only 15 percent felt they had adequate defenses.
What Your Company Needs in Order to Prepare
Your preparedness for a cyberattack begins with a comprehensive incident response readiness strategy. An incident response plan (IRP) outlines the steps that assigned personnel within your company must take to recover from a cybersecurity incident as quickly as possible and to minimize damage and cost. The plan is a guide for your incident response team and your company in the event of an attack.
Organizations should consider these essential elements of an incident response strategy:
- Incident Response Readiness Assessment – Do your plans meet NIST 800-61 and other best practices?
- Incident Response Requirements Review – What are your obligations and social responsibility in the event of a data breach or loss?
- Point-by-Point Incident Response Planning – Who are your first responders and what are their roles and responsibilities? What is the hierarchy of communication?
- First Responder Training – Are there new members of your first responder team? Are there new requirements the team should understand and address?
Your documented plan requires periodic review to ensure everything is current. The same holds true for retraining the team on those updates. A 2020 study showed that a trained and tested incident response team resulted in an average of $2 million in data breach cost savings.
Training can keep teams aware of new threats and how to contain them before a breach can take place. Periodic training can be a low-cost way to reduce your attack surface at scale – for example, by teaching staff to identify new phishing methods and how to properly dispose of or report them.
Cyber insurance is also an increasingly popular asset in your security arsenal. A proper cyber insurance policy reimburses you for both first-party and third-party costs associated with an incident. First-party costs include remediation costs, business interruption costs, and forensic investigations. Third-party costs include fees paid to retain specialists for services involved in litigation, investigations, and governmental inquiries, as well as PR and communication-related costs. It is important to note that many insurance carriers ask whether a company has an IRP when it applies for cyber insurance. Having an IRP can affect an organization’s premiums.
Create Your Shield of Preparedness
An IRP can be the difference between success and failure immediately following a cyber incident. Update your strategy with a comprehensive incident response readiness program to mitigate your risk and reduce the impact of a cyber incident.