
5 Decisions to Make Now for a Successful Cyberattack Incident Response


By Sean Deuby, Director of Services, Semperis 

Picture a great fortress built into a mountain pass. Within it are some of the most advanced defensive weaponry ever devised, an armory capable of bringing even the strongest army to heel. There’s just one problem: No one has bothered to establish a clear chain of command.

When the fortress comes under siege, the soldiers descend into chaos in moments. It doesn’t matter that they have better technology or that they know how to use it. Without leadership, they cannot mount an effective response.

Experiencing a cyberattack is an immensely stressful experience, ripe for disorganization. And although having a technical response plan is all well and good, many businesses fail to account for something equally critical. When their business is under fire, who’s responsible for pulling the trigger on response and remediation efforts?

This is the question I sought to answer in a recent episode of the Hybrid Identity Protection podcast “Defining the Decision-Making Process for Cyberattack Incident Response,” featuring Accenture Senior Security Manager Benjamin Cauwel. Make the following five decisions now for a successful incident response in the event of a cyberattack.

  1. Define a plan before you need one

Some people are completely unflappable, the dictionary definition of grace under fire. For most of us, however, the sheer stress of a cyber incident can and will lead to mistakes. It’s better that we’re able to simply turn off our brains and follow a simple, step-by-step process.

Understandably, trying to chart that process while ransomware is rampaging through your network is a recipe for disaster.

“Just like on the technical side, you don’t start inventing this stuff when you’re under attack,” Accenture Senior Security Manager Benjamin Cauwel explains. “You have to define this when everyone is nice and calm, and it’s something everyone has to agree upon. Once everything is validated, stamped, and defined, there’s only one clear process to follow.”

  2. Establish a chain of command

Especially in large or multinational businesses, it can be difficult to determine how the organizational structure applies during an incident. A business may consist of multiple groups, several countries, and several entities within each country. What can a business do when its headquarters is in a completely different country and time zone from a segment that’s under threat?

When defining this chain, you must account for factors such as time zones, languages, and cybersecurity legislation because all of these will play a part in your response.

“You have to establish a responsibility assignment matrix,” says Cauwel. “Who’s making the decisions? Who’s accountable, who’s contributing, and who’s informed?”

“You need to define different scenarios at different levels, ranging from attacks that impact a single entity to those that impact multiple countries,” he continues. “You basically map things out depending on the type of the attack and the scope of the attack.”

  3. Maintain external lines of contact

Most of us probably remember the October 4, 2021, outage of Facebook parent company Meta. During that incident, the company’s employees were effectively cut off from one another. All the company’s internal communication tools were reliant on the infrastructure that went down. There’s a lesson to be learned here.

Namely, if your incident response plan requires internal communication, make sure you’ve also defined a platform you can use that’s independent of your own infrastructure.

“I always call Active Directory tier zero or ground zero,” notes Cauwel. “It’s the base of all your infrastructure, and if that base were to come down, everything collapses with it. That includes internal communication tools. Most companies don’t consider that and just assume they’ll be able to collaborate via email and the like.”

“During a cyberattack, you also don’t know if your communication tools are compromised,” he adds. “So even if they’re online, they might not be safe to use.”

  4. Expect plans to change

No incident, no matter how complex, proceeds in an orderly, completely predictable fashion. Even if you’ve gamed out the best-understood or likeliest disruptions, there’s no guarantee that you won’t encounter something unexpected. In this scenario, whoever’s at the top of the chain of command must decide how to proceed.

A preexisting plan provides an invaluable framework for that decision.

“On the technical side, you need to have listed business impacts for each remediation action,” says Cauwel. “That way if an organization needs to adjust its response, the person responsible for making that decision can be given a clear idea of their options, as well as the pros and cons of each. They know their choices, but which one they choose to act on is ultimately up to them.”

  5. Understand that “no decision” is a decision

“Some people don’t want to be decision-makers,” Cauwel explains. “They don’t want to be accountable for anything. Even if you explain everything to them and they fully understand what you’ve described, they still refuse to act.”

But as the old maxim goes, refusing to act is still a decision. It’s one that wastes both time and money and leaves your organization potentially unprepared to respond to a cyber incident.

“It’s the worst behavior possible,” Cauwel continues. “When you reach a certain level in an organization, it’s your job to be accountable. Even the best-defined emergency procedures are useless if you don’t follow them.”

Process and technology are two sides of the same coin

In every incident, there are two levels of response. The first level is the chain of command. An organization’s leadership must establish a RACI matrix, workflows, and collective agreement on who is responsible and accountable in any given circumstance.

The second level is the technical side. It’s guidance for IT and security teams on what actions they must take. It’s information on the available remediation methods and their impact.

You cannot have process without technology, and vice versa. Technical measures need to be backed by processes, and processes need technical measures to enact.

“Incident response isn’t just about technology,” Cauwel concludes. “It’s largely about human interaction. When things go wrong, both sides must be functional and thinking straight in order to remediate everything and come back to a working situation as soon as possible.”

About Author:

Sean Deuby brings 30 years’ experience in Enterprise IT and Hybrid Identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel’s Active Directory, Texas Instruments’ Windows NT network, and 15-time MVP alumnus, Sean has been involved with Microsoft identity technology since its inception. His experience as an identity strategy consultant for many Fortune 500 companies gives him a broad perspective on the challenges of today’s identity-centered security. Sean is also an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure Active Directory and related security, and Windows Server. He has presented sessions at multiple CIS / Identiverse conferences.
