71 days.
This is the median time that a cybersecurity breach went undetected by organizations in North, Central, and South America according to FireEye. This is known as dwell time, which FireEye defines as the following:
Dwell time is calculated as the number of days an attacker is present on a victim network from first evidence of compromise to detection.
What FireEye is saying is that some organizations were in the dark about a cyberattack for over two months. That number could be even longer if the hackers were on the network longer than the evidence indicated.
When it comes to cybersecurity, I’ve already written about addressing this problem—something I call The Silent Bad Actor. However, identifying The Silent Bad Actor is not the only factor in mitigating your cybersecurity exposure.
Having a breach response plan is just as important.
Whether a hacker is on your network seven days or 71 days, a breach is a breach.
In either situation, you should have a plan to facilitate rapid response.
Putting Your Breach Response Plan on Paper
Every business should have a breach response plan.
Why do you need a formalized strategy? There may be more reasons, but here are three important ones:
1. A crisis requires a clear course of action. If your organization discovers a breach, a successful response depends on there being no confusion about what steps to take. After a cybersecurity incident, you may be dealing with dysfunctional business operations, public reputation management, and stakeholder meetings. A breach response plan provides clarity on what measures will mitigate your risk and supports speed of response to minimize impacts.
2. Reliance on individuals’ expertise is risky. Even if you have in-house cybersecurity experts, there’s no guarantee each team member will be available when it matters most. An employee out sick or on vacation can deprive your business of critical information at a critical time.
3. It plays a role in the NIST Cybersecurity Framework. Another reason having a response plan is so important is that NIST makes it an integral part of its Cybersecurity Framework. To refresh your memory, the NIST Cybersecurity Framework involves the following pillars of cybersecurity:
- Identify
- Protect
- Detect
- Respond
- Recover
For the “Respond” pillar of the Framework, NIST writes that this includes a “[r]esponse plan [that] is executed during or after an incident.”
A breach response plan empowers your business to follow IT best practices when it matters most. It can bring clarity of action to a concerning event.
So what are some key elements a breach response plan might include?
What Should You Include?
While every business needs a process for navigating an incident, not all processes are going to look the same. A thoughtful strategy should be tailored to your unique business requirements.
However, a good breach response plan should answer these questions based on the Incident Handler’s Handbook from SANS:
- How will my business contain the incident to stop the bleeding?
- How will my business free its IT assets from the effects of the attack?
- How will my business resume normal operations without risking our cybersecurity?
- How will my business learn from this cybersecurity attack?
Is a Breach Response Plan Necessary?
As we wrap up our review of response plans, let me end with a quote from one of the biggest tech giants in the United States:
IBM contends that attacks are a matter of “when” not “if.”⁽⁵⁾ Former Cisco CEO John Chambers said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.” ⁽²⁾
In light of this, your business needs to answer some very important questions.
If your company gets hacked tomorrow, do you know what to do?
Will you have a response process to follow?
If not, now is the time to create a response plan that mitigates your risk.
If you need help creating your cybersecurity response plan, you can reach out here or give our team in Charlotte a call at 704-464-3075.
About Steve Kennen
As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.