The SMB’s Guide To Incident Response
At almost every conference I attended in 2023, there was a presentation from an IT leader (usually from a municipality) walking the attendees through their experience with a ransomware or breach incident. These were not theoretical discussions; rather, these presentations were full of practical advice and surprising turns that only a person who’d been through it for real could share. And that’s the thing – how these incidents actually get handled is very different from what you might be used to in your tabletop exercises. (Assuming you do tabletop exercises.)
Fun fact: Every presenter uses the word “incident” rather than “ransomware” or “breach” because, well, lawyers. Fair enough.
Let’s hit the highlights.
Three Non-Technical Essentials in IG1
Incident Response is a whole thing. Done thoroughly, it entails doing all the research, busting out the aforementioned tabletop exercises, chasing down the hacker, cleaning up your network, remediating the problem, performing the postmortem, and so on.
Put politely, there is no way smaller organizations can do all that; they simply do not have the expertise or the time. So, what can they actually do?
Cue the CIS Controls’ Implementation Group 1 (IG1). Developed by the Center for Internet Security (CIS), the CIS Controls are, in their own words, “a relatively short list of high-priority, highly effective defensive actions that provide a ‘must-do, do-first’ starting point for every enterprise seeking to improve their cyber defense.” Now in their eighth iteration, the Controls are the path of least resistance for improving an organization’s foundational cybersecurity stance and solving common security problems in the “real world”.
They are broken up into pre-prioritized Implementation Groups (IGs) based on the maturity level of the organization. All the recommendations here are included in IG1, “the on-ramp to the CIS Controls,” and a collection of “essential cyber hygiene [practices that] represent an emerging minimum standard of information security for all enterprises.”
You might be surprised at how non-technical and non-threatening they are.
- Know who you should call. Identify who’s in charge when things go south. Titled “Designate Personnel to Manage Incident Handling,” this one lets you know who your friends are – or at least what your plan is in the event of a cyberattack. There will be one or two people who take the lead, and they’re responsible for reaching the contacts who need to be reached. In other words, assembling the troops and calling in reinforcements. In a small organization, you won’t turn to the “crack security staff” that you unfortunately don’t have. The answer here might come as a surprise: The first call you probably need to make is to your cyber insurance vendor. They’ll work with your third-party incident response vendor (if you have one) or bring in their own, but if you want things to go smoothly, they need to be involved right away. That’s step one.
- Know who you must call. This step – called “Establish and Maintain Contact Information for Reporting Security Incidents” – is where the rubber meets the road. Problems can multiply quickly if not properly taken care of. That means knowing the reporting agencies and understanding who you are obligated to protect. This is largely compliance (spelled CYA) and needs to be done. Each industry has different requirements, from HIPAA to FINRA, and federal and state mandates are changing daily, it seems. You are accountable for all of them, whether you know which ones those are or not, so do your research until you know who you are supposed to call to report an incident. Failing to notify the right powers once you’ve suffered a cyberattack could land you in legal trouble and fines, exacerbating an already bad situation. And the upside is that a lot of these agencies will also have resources to help you. (Think DHS for cities and counties.)
- Know what to say. Referred to as “Establish and Maintain an Enterprise Process for Reporting Incidents”, this step encompasses knowing what you need to report and how fast. For instance, the SEC just amended the Safeguards Rule to require all non-banking financial institutions to report a breach within 30 days of discovery. The law and the agency will dictate what you need to report – in this case, any instance of unencrypted customer data that has been accessed by an unauthorized third party – to avoid legal headaches. Lean on your lawyers or your cyber insurance vendor, and tell the agencies exactly what’s required to be in the clear, and nothing more.
The Bare Necessities
Most SMBs and smaller government organizations won’t have the resources to carry out Incident Response full bore as outlined in CIS Control 17: Incident Response and Management. And that’s okay.
The point is that when something does come, you and your team aren’t caught flat-footed. Thanks to the most basic steps found in IG1, when a security incident catches you off guard, your organization will know who you should call, who you must call, and what to say.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.