Part one of this series discussed how to survive a cyberattack by planning effectively and being fully prepared before putting a plan into action. Now, I want to delve deeper into the topic by examining what I call a “risk-based response” to an attack against your organization’s business-critical applications, including your ERP systems.
First, let’s look at the two keywords for this process: readiness and response. Readiness is the plan, and response is that readiness applied under pressure. In the recent Onapsis and Dark Reading webinar on cyber resiliency, I used a boxing analogy to show why organizations need to regularly—and thoroughly—test their incident response readiness.
Imagine someone who knows a lot about boxing theory. They’re a huge fan and have watched countless bouts. They believe that based on the observational knowledge they’ve acquired, they’re ready to climb into the ring and box a professional. What happens when that professional hits them in the face, hard? That “expert” is going to be shocked. And very sore. They have learned the lesson that if you haven’t conditioned yourself and aren’t able to think on your feet, you're not ready for the fight.
Practice matters in boxing and in cybersecurity, because muscle memory is crucial for success in both. Once the fight (or the cyberattack) starts, the written plan is out the window; you are working from muscle memory. Having that well-practiced agility in the middle of a real security incident is essential. That is why risk-based response is about committing your limited practice time and response resources where they will have the greatest impact.
Years ago, when I worked for another company, I was sitting in my office thinking about the challenge of ERP security. I looked at a printer and had an “aha!” moment. I realized that this company—and most companies—spent more of its security budget patching printers than securing its ERP systems. In other words, they were tackling the easy things while ignoring the hard things. When it comes to incident-response planning, your assets are not all equal in value. One PC catching fire does not have anywhere near the impact on your business that your ERP system or another business-critical application catching fire would. That is why it is essential to map which assets support your organization’s most important business functions, including the databases, identity services and other infrastructure those applications depend on. And if one of those assets experiences a security incident, you must be prepared to commit your fastest, most comprehensive response—everything you have in your security toolbox—to containing the attacker and restoring services on that critical system as quickly as possible. That is a risk-based approach.
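The mapping described above can be made mechanical: list the business functions, score the impact of losing each, record which assets each function depends on, and let the criticality of every asset follow from the functions that depend on it, directly or through other assets. The script below is an added illustration of that idea, not code from the original post or from Onapsis; the business functions, impact scores, dependency graph and tier thresholds are constructed sample data, and the names `BUSINESS_FUNCTIONS`, `DEPENDS_ON`, `TIERS`, `asset_criticality` and `response_plan` are this example’s own. It goes one step beyond the prose by propagating impact transitively, which is what surfaces a shared dependency such as an identity provider as tier-1 even though nobody thinks of it as “the ERP”.

```python
"""Risk-based response prioritisation (added example, constructed data).

Rank assets by the business functions they support, directly or through
other assets, and assign each a response tier.
"""
from collections import defaultdict

# Constructed sample: business functions and the impact (1-10) of losing each.
BUSINESS_FUNCTIONS = {
    "order_to_cash": 10,
    "financial_close": 9,
    "payroll": 8,
    "internal_printing": 2,
}

# Constructed sample: what each function or asset directly depends on.
# Dependencies are transitive: a function that needs the ERP application
# also needs the database and identity provider the ERP runs on.
DEPENDS_ON = {
    "order_to_cash": ["erp_app"],
    "financial_close": ["erp_app", "reporting_bi"],
    "payroll": ["hr_app"],
    "internal_printing": ["print_server"],
    "erp_app": ["erp_db", "identity_provider"],
    "hr_app": ["hr_db", "identity_provider"],
    "reporting_bi": ["erp_db"],
    "erp_db": [],
    "hr_db": [],
    "identity_provider": [],
    "print_server": [],
}

# Assumed response tiers, keyed by the minimum criticality score for each.
TIERS = [(9, "tier1_all_hands"), (6, "tier2_priority"), (0, "tier3_standard")]


def transitive_deps(node, graph):
    """Every asset reachable from `node` via DEPENDS_ON, excluding `node`.

    Iterative DFS with a visited set, so cycles in a messy inventory do not
    recurse forever.
    """
    seen = {node}
    stack = list(graph.get(node, []))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, []))
    seen.discard(node)
    return seen


def asset_criticality(functions, graph):
    """Map asset -> (score, sorted list of business functions it supports).

    score is the MAX impact over the functions depending on the asset, not
    the sum: a shared dependency inherits the single worst outcome its loss
    would cause, which is what should drive response urgency.
    """
    supported = defaultdict(set)
    for fn in functions:
        for asset in transitive_deps(fn, graph):
            supported[asset].add(fn)
    return {
        asset: (max(functions[f] for f in fns), sorted(fns))
        for asset, fns in supported.items()
    }


def response_tier(score):
    """First tier whose threshold the score meets (TIERS is descending)."""
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return TIERS[-1][1]


def response_plan(functions=BUSINESS_FUNCTIONS, graph=DEPENDS_ON):
    """Rows of (asset, score, tier, supported functions), most critical first."""
    crit = asset_criticality(functions, graph)
    rows = [(a, s, response_tier(s), fns) for a, (s, fns) in crit.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for asset, score, tier, fns in response_plan():
        print(f"{asset:18} score={score:2}  {tier:17} supports={', '.join(fns)}")
```

With the sample data, `erp_app`, `erp_db` and `identity_provider` all land in tier 1 at score 10, `reporting_bi` follows at 9, the HR stack sits in tier 2, and the print server is tier 3. Feeding the real inventory in is the hard part; the scoring is deliberately simple so that the business owners who assign the impact numbers can audit it.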
Many organizations create incident response playbooks based on the type of attack, such as DDoS or malware. That’s fine, but when you’re talking about responding to a security incident aimed at a business-critical system, it’s a very different kind of fight. The challenge is to understand your environment and create cybersecurity playbooks for critical infrastructure and applications. And that’s why practice makes perfect, whether you’re boxing, playing the piano, or working to ensure you can defend your organization against a cyberattack. The following slide provides a best-practices approach to effective security planning.
Failure to commit time to practice incident response is one of the major reasons organizations fail when they suddenly have to respond to a security incident. Inadequate performance measurement of incident response is another point of failure. That’s why as you perform these planning exercises, you need to publish scorecards that show how ready you are—or aren’t—to respond to an incident.
Four Key Takeaways
- Cyberattacks are painful, but thoughtful, concise planning and preparation built on a risk-based approach can shorten your response time and maximize the effectiveness of your response.
- Fill your toolbox with capabilities now, so you have options and advantages in place when you need to respond to an incident.
- Develop and test playbooks to create muscle memory for incident response activities.
- Proactive incident response planning gives executives and board members confidence that the company is fully prepared to ensure the impact of incidents is as small as possible.