How to Respond Quickly and Effectively to a Cyber Breach

Cyber security is one of the most significant risks businesses of all types and sizes face today. According to Statistics Canada, Canadian businesses spent $14 billion on cyber security in 2017. That figure is certainly much higher in 2019 and doesn’t begin to account for the unknown financial, reputational and regulatory damages from attempted and successful breaches. It will only continue to increase as attacks become more numerous, targeted and sophisticated.


  • Cyber incident prevention is only one half of an effective risk management strategy.

  • Incident response planning is critical for limiting the damage from an attack, managing vulnerabilities and ensuring business continuity.

  • New legislation increases the stakes for Canadian businesses to report to stakeholders and regulators about breaches, remediation steps and damages.

Tomorrow’s technology is shaping business today. Contact MNP to help you build an effective cyber response strategy.

Despite the large and growing risk of a cyber breach and greater investment in cyber risk management, many businesses have yet to implement a comprehensive plan outlining how they will respond to and recover from an attack. Investing in prevention is a necessary and encouraging first step. But it is almost certain that any business will eventually face a breach of some sort. So the more important question is: how will you protect your clients, employees and reputation if an attacker manages to bypass every line of defense?

The Value of an Incident Response Plan

Every business should be familiar with emergency response planning. Tactics like regular fire drills ensure everyone will be safe, orderly and know exactly what’s expected in a worst-case scenario. Cyber incident response planning follows a similar methodology.

Administered by a dedicated incident response team, either managed internally through the IT department or by a third party, it outlines a detailed, practicable, step-by-step protocol to identify, contain and recover from a cyber breach. The plan governs everything from how employees will report a suspected breach (and to whom), how to neutralize the threat and communicate with stakeholders, key responsibilities and legal requirements, and a path to restore operations and act on lessons learned.

An incident response plan will not prevent a breach of your systems, but it does provide structure and consistency in a stressful and chaotic period when time is of the essence. More importantly, it is your best opportunity to minimize damage and ensure the continuity of your operations.

The Anatomy of a Cyber Breach Response Plan

You need to move quickly when your business becomes the victim of cyber crime. The moment you detect suspicious activity on your network, mobilize your incident response team immediately and follow these seven steps:

1. Isolate the problem and prevent it from escalating.

Locate the threat in your network and quarantine or neutralize it. If possible, eliminate the attacker's or malware's ability to access your information or inflict further damage. Prefer isolating an affected machine (disconnecting it from the network or moving it to a quarantine segment) over powering it off: pulling the plug destroys volatile evidence such as memory contents and active connections that you will need in step 3.

2. Determine the cause of the breach and prioritize your next steps.

Identify the technique or vulnerability exploited to gain access to your systems (e.g. social engineering, an unpatched flaw, a misconfiguration). Determine which actions you need to take to secure your network and prevent a similar attack from happening again.

3. Maintain a log of all events, actions and evidence.

Create a detailed timeline of the breach, from how and when it originally occurred to how it was identified and all subsequent steps, directives and communications. Record every timestamp in a single, consistent time zone (UTC is the usual choice) so that events from different systems can be correlated. Preserve all logs, screenshots and first-hand accounts of team members; work from copies, keep the originals untouched, and record a cryptographic hash of each item so you can later show it has not changed.

4. Take steps to resolve the issue, restore operations and remedy vulnerabilities.

Close all identified gaps or eliminate the quarantined malware from your network. Once you’re confident the threat is over, implement new controls to prevent a recurrence and bring your systems back online.

5. Communicate concisely with both internal and external stakeholders.

Keep all relevant parties — including the board and executives, legal team, regulators, employees, media and clients — updated on the status of the breach and steps you’re taking to eliminate the threat. Know your reporting requirements and best practices for communicating about cyber incidents.

6. Follow federal Breach of Security Safeguards Regulations.

Determine whether and to what extent the breach creates a ‘real risk of significant harm’ to an individual. Where it does, report the breach to the Office of the Privacy Commissioner of Canada and notify the affected individuals (and any other organization or government institution that may be able to reduce the harm), describing the breach, its cause and the circumstances surrounding it. Keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for at least 24 months after you determine it occurred, and ensure you comply with PIPEDA as amended by the Digital Privacy Act and its regulations.

7. Catalogue lessons learned and integrate into future incident response planning.

Conduct a post-mortem to determine what went wrong, what went right and how you could both prevent and respond more effectively to similar incidents in the future. Revise your incident response plan, and conduct a cyber security maturity assessment and threat assessment to re-evaluate potential vulnerabilities.
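Steps 1 and 3 above ask for evidence to be preserved and for a timeline of every event, action and communication. The following is an added example, not code from the original article or from MNP, of one way a response team can keep that record tamper-evident: each timeline entry is normalised to UTC, carries a SHA-256 fingerprint of any evidence it refers to, and commits to the hash of the previous entry, so that later alteration of any entry (or of any preserved file) is detectable. The incident identifier, hostnames, team roles and the two evidence byte strings are constructed sample data; the class and function names are this example's own.

```python
"""Hash-chained incident timeline with evidence fingerprints (illustrative example)."""
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample evidence: an excerpt of a proxy log and a stand-in for a memory image.
SAMPLE_PROXY_LOG = (
    b"2019-03-04T09:11:52Z FIN-WS-07 CONNECT 203.0.113.10:443 bytes_out=4096\n"
    b"2019-03-04T09:12:22Z FIN-WS-07 CONNECT 203.0.113.10:443 bytes_out=4096\n"
)
SAMPLE_MEMORY_IMAGE = b"\x00" * 64 + b"MEMORY-IMAGE-PLACEHOLDER" + b"\xff" * 64

GENESIS_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    """Fingerprint used for both evidence items and timeline entries."""
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Stable serialisation so the same entry always hashes to the same value."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class IncidentLog:
    """Append-only timeline; every entry includes the hash of the entry before it."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def add_event(self, when: datetime, actor: str, action: str,
                  evidence: Optional[bytes] = None) -> dict:
        if when.tzinfo is None:
            # A naive timestamp cannot be correlated with other systems' logs.
            raise ValueError("timestamps must be timezone-aware")
        entry = {
            "seq": len(self.entries),
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH,
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry is intact and links to its predecessor."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or body["prev_hash"] != prev:
                return False
            if sha256_hex(canonical(body)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def evidence_matches(self, seq: int, data: bytes) -> bool:
        """Check a preserved item against the fingerprint recorded at the time."""
        return self.entries[seq]["evidence_sha256"] == sha256_hex(data)


def build_sample_log() -> IncidentLog:
    """A constructed four-event timeline; first event is entered in Toronto local time (UTC-5)."""
    log = IncidentLog("IR-2019-0001")  # hypothetical identifier
    toronto = timezone(timedelta(hours=-5))
    t0 = datetime(2019, 3, 4, 4, 12, tzinfo=toronto)  # 09:12 UTC after normalisation
    log.add_event(t0, "SOC analyst", "Alert: repeated outbound connections from FIN-WS-07",
                  evidence=SAMPLE_PROXY_LOG)
    log.add_event(t0 + timedelta(minutes=6), "SOC analyst",
                  "FIN-WS-07 moved to quarantine VLAN; left powered on")
    log.add_event(t0 + timedelta(minutes=21), "IR lead", "Memory image acquired from FIN-WS-07",
                  evidence=SAMPLE_MEMORY_IMAGE)
    log.add_event(t0 + timedelta(minutes=35), "IR lead",
                  "Legal and privacy officer notified of possible personal-information exposure")
    return log


def tampered_copy(log: IncidentLog) -> IncidentLog:
    """Simulate someone quietly rewriting the containment entry after the fact."""
    bad = copy.deepcopy(log)
    bad.entries[1]["action"] = "FIN-WS-07 powered off"
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.entries:
        print(e["seq"], e["time_utc"], e["actor"], "-", e["action"])
    print("chain intact:", log.verify_chain())
    print("chain intact after tampering:", tampered_copy(log).verify_chain())
```

Appending the entries to a write-once store (or e-mailing each day's final entry hash to legal counsel) turns the chain into a record that can be defended when regulators or insurers later ask what was known and done, and when.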

Improve Your Cyber Resilience

The most effective cyber security programs are proactive, multi-faceted and responsive to evolving risk exposures. Common controls like firewalls and anti-malware software, as well as certification against recognized security standards, periodic threat analysis and penetration testing, are all critical parts of the equation. But even comprehensive measures may not be enough to prevent a determined attacker from gaining access.

Having and, more importantly, regularly practicing a cyber incident response plan is your best protection against the potential financial, reputational and legal consequences of a breach. Given the countless ways cyber criminals can enter your network, peace of mind is knowing you have a plan to recognize, contain and recover from the attack before it’s able to inflict lasting damage.