Tis the season for security and IT teams to send out that company-wide email: "No, our CEO does NOT want you to buy gift cards."
As much of the workforce signs off for the holidays, hackers are stepping up their game. We'll no doubt see an increase in activity as hackers continue to unleash e-commerce scams and holiday-themed phishing attacks. Hackers love to use these tactics to trick end users into compromising not only their personal data but also their organization's data.
But that doesn't mean you should spend the next couple of weeks in a constant state of anxiety.
Instead, use this moment as an opportunity to ensure that your incident response (IR) plan is rock solid.
Where to start?
First, make sure that your strategy follows the six steps to complete incident response.
Here's a refresher:
The 6 steps of a complete IR
- Preparation: This is the first phase and involves reviewing existing security measures and policies; performing risk assessments to find potential vulnerabilities; and establishing a communication plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation stage of your IR plan is crucial as it gives you the opportunity to communicate holiday-specific threats and put the wheels in motion to address such threats as they are identified.
- Identification: The identification stage is when an incident has been identified – either one that has occurred or is currently in progress. This can happen a number of ways: by an in-house team, a third-party consultant or managed service provider, or, worst case scenario, because the incident has resulted in a data breach or infiltration of your network. Because so many holiday cybersecurity hacks involve end-user credentials, it is worth dialing up safety mechanisms that monitor how your networks are being accessed.
- Containment: The goal of the containment stage is to minimize damage done by a security incident. This step varies depending on the incident and can include protocols such as isolating a device, disabling email accounts, or disconnecting vulnerable systems from the main network. Because containment actions often have severe business implications, it is imperative that both short-term and long-term decisions are determined ahead of time so there is no last minute scrambling to address the security issue.
- Eradication: Once you've contained the security incident, the next step is to make sure the threat has been completely removed. This may also involve investigative measures to find out who, what, when, where and why the incident occurred. Eradication may involve disk cleaning procedures, restoring systems to a clean backup version, or full disk reimaging. The eradication stage may also include deleting malicious files, modifying registry keys, and possibly re-installing operating systems.
- Recovery: The recovery stage is the light at the end of the tunnel, allowing your organization to return to business as usual. Same as containment, recovery protocols are best established beforehand so appropriate measures are taken to ensure systems are safe.
- Lessons learned: During the lessons learned phase, you will need to document what happened and note how your IR strategy worked at each step. This is a key time to consider details like how long it took to detect and contain the incident. Were there any signs of lingering malware or compromised systems post-eradication? Was it a scam connected to a holiday hacker scheme? And if so, what can you do to prevent it next year?
How lean security teams can stress less this holiday season
Incorporating best practices into your IR strategy is one thing. But building and then implementing these best practices is easier said than done when you don't have the time or resources.
Leaders of smaller security teams face additional challenges triggered by these lack of resources. Bare-bones budgets compounded by not having enough staff to manage security operations is leaving many lean security teams feeling resigned to the idea that they will not be able to keep their organization safe from the onslaught of attacks we often see during the holiday season.
Fortunately, there are free resources for security teams in this exact predicament.
You can find everything from templates for reporting on an incident to webinars that do deep dives into IR strategy, along with intel on the most recent cybersecurity threats within Cynet's Incident Response hub. And to further help lean security teams should an incident occur, they are offering a free Accelerated Incident Response service.
If you want to check out these free resources, visit the Accelerated Incident Response hub here.
May your security team hold down the fort these next two weeks while enjoying the holidays anxiety free.