Every Small Business Needs an Incident Response Plan. Here’s How to Start One.

Jonathan D. Gough, Ph.D. & Niko Zivanovich
November 22, 2021
Blogs | Cybersecurity

Most small businesses have a list of priorities they’re focused on to make their business successful. For many, cybersecurity doesn’t show up very high on the list—if it shows up at all. Cybersecurity can seem complicated, its solutions are often expensive, and the threat from a cyberattack may seem unlikely. Even if a small business wants to take action, they may not have the internal resources and skills to even know where to start.

For these reasons, some small businesses may be tempted to ignore the threat or just hope that a cyberattack doesn’t happen to them. After all, one might think that malicious actors are probably focused on bigger fish. While it may seem that way in the news, the reality is that 43% of cyberattacks actually target small businesses, and the average cost of a data breach for a small business is $3.9 million, according to Cybint. In the cybersecurity world, it’s not a matter of “if” an incident like this will happen, but “when.”

Unlike larger companies, small businesses may be less equipped to bounce back from a cyber incident. It can be difficult or impossible to recover data that is lost if it’s not backed up. The financial damage of an attack can be substantial. Leaking or exposing customer data can damage a company’s reputation and result in loss of business. Fortunately, there are some practical—and in some cases low tech—steps that companies can take to protect their business and their reputation.

Cybersecurity is about people as much as technology

Protecting a business from a cyber incident isn’t just about standing up sophisticated cybersecurity tools. While malicious actors might try and break into a company’s IT systems through a direct attack, it is easier and more likely that such adversaries will try to gain access through a social engineering attack. This means that the biggest vulnerability to a business’s IT systems is actually their own employees. 95% of cybersecurity breaches are caused by human error, as reported by Cybint.

Through social engineering, malicious actors can prey on the good nature of your employees, manipulating them into handing over sensitive information. For example, a hacker may dupe your employee into clicking an email that installs a piece of malware. Employees who are stressed out, aren’t focused, or are particularly empathetic may be more vulnerable to these kinds of attacks. In creating a plan to protect against cybersecurity incidents, employee training and education are important tools in mitigating risk. This includes providing clear guidance on what employees should do if they spot, or are dealing with, a social engineering attack. 

Reduce security risks with an incident response plan

For small businesses, having a plan in place to respond to cyber threats can go a long way in avoiding an incident in the first place, mitigating its impact if it does happen, and bouncing back to normal business operations as quickly and safely as possible. Being prepared is less about having the most sophisticated security technologies and more about knowing your IT environment, understanding your vulnerabilities, educating your employees, and putting into place the right controls to prevent unauthorized use of your IT systems, equipment, and devices.

If an attack does happen, some seemingly small precautions can make all the difference in the world in mitigating damage. This includes having updated contact information for your IT help desk, being able to shut off access to compromised systems quickly, and having your IT systems and data backed up separate from your IT environment in isolated backups.

Having a plan in place to address all of these situations greatly reduces the time to respond to, and recover from, cyber incidents. This type of plan is referred to as an incident response plan. Unique for every company, it is a guide created by your business to provide your employees and IT personnel with guidance on what to do in the event of an unauthorized access of your IT systems.

Incident response plans are typically broken down into four categories: 1) Preparation, 2) Identification, 3) Containment and eradication, and 4) Recovery. Let’s walk through each of these categories and see how they can help protect your business against a cyber incident or attack.

1) Preparation: Don’t fail to plan or you’ll be planning to fail

Any good incident response plan will include measures designed to prevent a cyber incident from happening in the first place as well as guidance on what to do if one happens. Here are some
key tips:

Get your security contacts in order: An important part of preparing to handle a cyber incident is simply knowing who you can call if one happens. Keep an up-to-date list of important contacts and parties responsible for critical systems and business operations. You don’t want to be experiencing a breach or attack and be delayed trying to identify who to call. You can also consider partnering with an incident response or cyber insurance firm who can help in the event that an incident is too big for your business to handle. In either case, you should practice looking up contacts and resources on your list so you’ll be ready if the real thing happens.

List your critical business assets: For every business, there are critical IT assets that need to work for the business to function. An important part of any incident response plan is identifying which systems are critical to supporting business operations—whether it’s ecommerce, customer experience, point-of-sale, payments, inventory management, order processing, communications, etc.

Backup everything that is important to business continuity: It is critical to store backups of your data and software on infrastructure that is completely separate from your IT environment. That way, if a cyber incident happens, you won’t experience a loss of important data and you’ll have the ability to roll back to your “known good backups” and restore business operations.

Focus on controls over policies: Having a good security posture means being able to control, to a certain degree, how your employees use their work computers and devices to conduct business. While it may be beneficial to communicate a set of policies around how computers and devices can be used, this can be difficult to enforce. A better approach is to build controls into the technology itself. For example, instead of just telling employees not to install programs that aren’t work related, you can set up controls on users’ work devices that limit their rights to install such programs without permission from your IT department.

2) Identification: Know what you’ve got so you can defend it

A key success factor in cybersecurity for any small business is knowing what you have in your IT environment and how to defend it: What IT equipment do you have? Which security solutions and technologies are available to you? Who are your employees and what kind of access do they have to your systems? It may sound simple, but this IT inventory is a critical part of building your plan because you can’t defend what you don’t know about.

Know what’s in your environment: Understanding what you have in your environment will make defending it a lot easier. A big part of this is knowing what security solutions you have and what their capabilities are. You may find that you can use a tool you already have in a different way. For example, you can use your endpoint and detection response solution to block communications to a malicious IP address if you do not have a firewall on your endpoints.

Know what your risks are: The next step is understanding what types of malicious events are most likely to happen based on your environment specifics. This could include ransomware distributed via a phishing attack, or a distributed denial-of-service attack against legacy firewall systems, or the compromise of VPN accounts due to the lack of multifactor authentication through those remote services. Understanding the nature of these potential threats will make it easier to identify and respond to them if they ever happen.

Know your operating baselines: Next, you’ll want to identify your IT operating baselines. This refers to what business activity and operations generally look like when your people use your IT systems. This will help you know when you have a deviation from those baselines, which could indicate malicious activity or an incident. There are many professional services and solutions providers in the market that can monitor your systems and alert you of an anomaly.

Empower your employees: To strengthen your security posture, it’s important to provide clear and simple instructions on how employees can handle security issues and incidents. For example, you can set up a “spam email box” where employees can forward suspicious emails for inspection. To encourage this good security practice, you can highlight employees who reported those emails in a public forum and or give out prizes to those who reported these incidents. 

Make security personal to gain buy-in: A great way to encourage employees to buy-in to good security practices is to make it relatable to their personal lives. Help your user base understand that security controls can be just as important at home as they are in a business context. Provide advice that helps employees protect their home and family—for example, explaining how they can teach friends and family to spot social engineering attacks such as phishing emails.

3) Containment and eradication: Mitigate the damage

The steps you took to identify your arsenal of security tools will be very important when it comes to containing and eradicating a cyber incident. Here are some key capabilities to stop an incident fast:  

Stop lateral movement: Security incidents, such as unauthorized logins, can be contained with the right application of security tools, which many companies already have. For example, you can block the IP address of the attack on the firewall so that the attacker can no longer control the originally compromised endpoint.

Shut down access: An important tool in containing incidents is having the ability to quickly shut off access in the event of a breach. That means having a plan in place to lock user accounts, reset passwords, deactivate compromised equipment, and contact the relevant help desk resources and parties responsible for different IT functions.

Eradicate the threat: Once the threat is contained, you need to eradicate it—whether it’s removing malicious code, deleting malware, or removing forwarding rules that an adversary might have placed in a compromised user’s email account. If you find that you didn’t have the right tool in place to eradicate the threat quickly enough, it’s important to reevaluate the identification phase of your incident response plan to put in place the tool you’ll need in the future to address the threat. This exercise is a continual cycle of refining and improving your plan to continually strengthen your security posture.

Ensure the threat is gone: Next, you’ll want to confirm that the threat has been contained and eradicated everywhere. When eradicating an unauthorized user or a piece of malware during a cyber incident, you are removing the threat from a particular endpoint at a specific time. But that doesn’t ensure that the threat has been removed from the entire environment.

4) Recovery: Confirm that the threat has been neutralized

The recovery phase of your incident response plan is about safely returning to business as usual.  

Return to business as usual: In the recovery phase, a compromise assessment needs to be done, during which you monitor for additional threats in an isolated environment and bring your systems back up to ensure no suspicious activity survived the rebuild. Malicious actors want persistence, and they achieve it through multiple doors of entry. The recovery phase is about confirming that the threat has been eradicated across systems, paving the way for you to restore your systems from backups and reintroduce them into your active environment as you return to business as usual.

The next step to protect your business

Having an incident response plan in place can go a long way to preventing cyber incidents from happening and limiting the damage if they do happen. The first step in any change is knowing what you don’t know. Converge can help you defend against cyber incidents and set up a continuity plan to protect your operations going forward.

Follow Us

Recent Posts

Maximizing Your Security Investments

Organizations have spent billions in various cybersecurity controls and countermeasures, yet many fail to maximize the potential of these investments to drive the ROI we should demand. One key area where organizations can realize significant value is within the...

Developing a Culture of Security  

In the interest of moving beyond conventional SAT guidance, it’s essential to treat employees as responsible adults capable of making informed decisions. By empowering individuals to assess risks, make sound choices, and respond effectively to potential threats, we...

Want To Read More?

Categories

You May Also Like…

Let’s Talk