Steve Brining, Cybersecurity Evangelist at Acronis.

Steve Brining, Cybersecurity Evangelist at Acronis, says: “Organisations often learn the hard way that a solid security posture, continuous monitoring, employee training, and having a well-tested incident response plan are crucial.” South Africa has the sixth most dense cybercrime rate globally. Breaches can be massively costly, with the average cost to an organisation being R50 million, and reputational damage can have far-reaching effects. This clearly represents the need for a structured approach detailing steps a company should take when an incident occurs. The goal is minimising disruption to operations and subsequent damages, including reputational harm, failure to meet Service Level Agreement obligations, loss of partner and customer trust, legal and insurance liabilities, while getting the company to resume normal operations quickly.

As well as helping an organisation handle its cybersecurity breaches, an incident plan can be used for other eventualities, from onsite disasters to severe weather incidents – and, in South Africa, the risk of loadshedding and interruptions to the power supply.

In the case of a cyber-attack, it helps companies identify, contain, eradicate, and recover from security incidents, ensuring business continuity, protection of sensitive information, and maintenance of operations.

“Your organisation needs to have a skilled team in place to manage the plan. This team needs to have the necessary tools to implement the required security policies,” Brining says. “The team leader needs strong interpersonal and communication skills.”

To create an effective plan, organisations should start by doing a thorough risk assessment. Correct risk analysis will allow you to identify potential vulnerabilities and threats to various assets, and then prioritise them based on the likelihood of their occurrence and the severity of their potential impact. An organisation must determine what constitutes an incident, categorise its severity, and outline clear procedures for each scenario. Make sure every team member knows their roles and responsibilities. For example, in a response plan, you would have different protocols in place for a fire, a worm, or a ransomware attack.

If suspicious or threatening activity has been identified, it must be handled in an expedient manner. If it’s a cyberattack, minimise the time the attackers are on the network. Isolate, eradicate, and recover while monitoring the systems to ensure the threats are neutralised.

Post-incident analysis is also important. The response to an incident needs to be reviewed and updated. You can then find ways to strengthen your security posture to prevent future occurrences.

Brining explains that a clear internal and external communication plan needs to be in place. This ensures that stakeholders are informed in a timely manner, and that any public statement that needs to be made is done with reputation management in mind. Having a legal representative on the team is essential – for compliance reasons, and also to protect your organisation from any potential lawsuits. It may also be necessary to engage with law enforcement and forensic investigators. Preserving the evidence in the case of an investigation must be considered, and the proper chain of custody must be followed. Public relations and reputation management are critical throughout the process, he says. Build relationships ahead of time with outside experts who can assist in the event of a disaster, so that the right people will be there when you need them, at the right price. After a disaster has occurred, you are in a weak negotiating position for any expertise that you urgently require to get back up and running. Once you have your plan in place, test it regularly; there are many ways to do this, from tabletop exercises and simulations to live fire drills. Review the plan every time technology, personnel, or business processes change. All changes can create potential vulnerabilities and threats.

Educating your employees is also important. “The more awareness they have, the smaller the chance of human error,” Brining says. “Foster an awareness of cybersecurity in your organisation. The concept of ‘see something, say something’ needs to be reinforced.” Most of the malware that threatens an organisation is sent via email. Email attacks have surged by 400% in the past 18 months. To guard against this onslaught, Acronis has an email security solution – Advanced Email Security – which provides a defence mechanism, intercepting a wide range of email threats. “With email being such a huge attack vector, this proactive solution offers comprehensive protection from malicious email challenges, blocking many threats before the malware reaches your users’ inboxes,” Brining says.

Investing in preventative measures is essential in today’s security landscape. “What we have learned at Acronis, from our years in the cyber protection business, is that having one console makes responding efficient, and recovery faster. We offer a complete cyber protection solution with a host of data protection and cybersecurity features, ranging from backup, disaster recovery, endpoint protection, patch management, and others,” Brining says. In today’s increasingly uncertain cyber environment, Brining says thorough risk analysis, and the correct implementation of a cohesive plan, are priorities. “When people are under stress, errors can occur during incident handling, so proper preparation with clear roles and responsibilities should be laid out before a disaster occurs,” he concludes. 

Register for our free on-demand workshop on incident response planning, and access our free IRP checklist, template, and other valuable resources here https://kur.cat/JmkGe