It's time to prepare for tomorrow's incident response. It's not like yesterday's, and companies that don't embrace the difference could find themselves in dire straits when disaster strikes.
The incident response landscape has changed drastically in the last year. This is partly due to the shift in working patterns as people migrated to hybrid working. The bigger change stems from shifting attitudes among insurance companies, and to some extent, business customers.
Insurers, Customers Are Scrutinizing Security
Insurers spooked by rising numbers of cyber-related payouts are taking a more active role in incident response. We've seen some make it a condition of a claim that, when a customer reports an incident, the insurer's own preferred cybersecurity partner is brought in. Others are limiting their liability, introducing clauses that exclude clients from coverage during the first hours or days of an incident.
Companies are also facing pressure from their own business customers, who are demanding a greater focus on cybersecurity. Supply chain security has become a focus for more companies since the SolarWinds and Kaseya debacles, in which compromised products created problems for thousands of downstream users. This has led more companies to demand proof of adequate round-the-clock cybersecurity coverage from their suppliers, and it's created a wider pool of liability for insurers to consider when determining coverage.
Incident Response Plans Must Adapt
What does this mean for incident response teams? The most critical element is an increased focus on speed. This in turn emphasizes the need to focus on earlier-stage incidents that can be precursors to a major breach. Responding to "small" incidents before they become "large" events is the goal.
Attack victims not covered during the first hours of an incident must respond quickly to limit the financial impact. Unfortunately, attackers are making it harder.
Ransomware criminals are most active outside office hours. They know that security teams will be poorly staffed at these times, if they're in the office at all. Nuspire's partner Cybereason recently surveyed 1,200 companies that had suffered a ransomware attack outside regular working hours. Half of them suffered a slower response as a result, partly because it was difficult to assemble team members on weekends or holidays, even with an incident response plan in place. That often led to increased revenue losses from a ransomware attack, respondents said.
Some skills, such as digital forensics, are difficult to bring in-house at all. These specialized skills are rarely used, but they're critical when needed.
Companies Need an Incident Response Continuum
There are two levels of incident response. The first is the one that most businesses understand: the response to big-ticket, show-stopping events. These are the things that keep you up at night: the theft of customer records, a ransomware disaster, or a business email compromise that siphons millions of dollars from company coffers. This can be thought of as traditional "Big Incident Response."
The other kind of incident response involves smaller, isolated events. This could be a ransomware infection on a single laptop, a single phishing email, or a one-off case of unauthorized access. People often treat these as everyday incidents — episodes that irritate administrators but which get dealt with sooner or later. Some see this as the small stuff that you don't need to sweat.
That's no longer true. Ransomware and other forms of malware now move more quickly than ever. Tonight's isolated incident could be tomorrow morning's disaster.
Insurers and clients alike increasingly understand this and want proof that you're tackling these issues to avoid large breaches later. That means incident response is no longer a discrete process; it's a continuum that begins with the first incident alert (and hopefully ends there).
We must also increase our understanding of what happens at the other end of the incident response spectrum, when insurance companies might get involved. This begins even before forensics professionals hit the ground.
Clear communication with insurance carriers ahead of major incidents is crucial for understanding their expectations. So is an understanding of the legalities around the incident response process, including whom the victim contacts first. For example, insurers might demand that the victim contact them initially, but talking to an attorney first might make some information privileged, protecting it from discovery later. There are also nuances involving what the victim says. Even using the word "breach" in communication could trigger a deadline for informing regulators or customers.
Companies must establish a strong team with a clear chain of command, so that everyone understands who is in control during a crisis. Then, these teams must conduct regular tabletop exercises to game out major breach scenarios. Knowing who does what is essential.
This is a lot for companies to handle, especially given the need to be just as diligent outside regular working hours. Now more than ever, when it comes to handling cybersecurity problems, speed is of the essence.