By Tim Rollins
Cyberthreats are constantly evolving and growing in sophistication, while at the same time, privacy regulatory regimes are increasingly mandating that organizations do a better job protecting consumers’ sensitive information. The risks these trends pose have only been compounded over the past few years as a result of disruptions caused by the pandemic, social and political polarization, and increased social awareness of trends in digital ethics, privacy rights, sustainability, and climate change activism.
According to IBM’s Cost of a Data Breach 2023 report, the global average cost of a data breach reached US $4.45 million. Breaches in critical infrastructure averaged $4.82 million, and mega-breaches affecting more than 1 million records cost, on average, US $400 million. One factor behind those high costs is how long organizations take to identify and contain a breach: globally, organizations took an average of 204 days to identify a breach and another 73 days to contain it. With a cyber incident response plan in place, organizations can shave significant time off both of these timelines, saving money and critical resources.
Cybersecurity Incident Impacts
Data breaches, ransomware attacks, internal theft and fraud, and cybersecurity incidents in general impact organizations in multiple ways. In part because of these multiple, cascading consequences, it’s imperative that organizations protect all the sensitive information in their possession and develop plans to minimize the impact of cybersecurity incidents when they occur. Each of the following impacts can be quite severe on their own, but most incidents will cause several, if not all, of these consequences.
Reason 1: Financial Loss
Security breaches can lead to direct financial losses, such as theft of funds, unauthorized transactions, or fraudulent activities. Hackers may gain access to sensitive financial information, including credit card details or bank account credentials, and use them for malicious purposes.
Reason 2: Business Disruption
Security incidents can disrupt normal business operations, leading to downtime, reduced productivity, and financial losses. Organizations may experience service disruptions, system outages, or compromised data availability, impacting their ability to generate revenue and serve customers effectively.
Reason 3: Remediation Costs
After a security incident, organizations must invest in remediation efforts to address the vulnerabilities, restore systems, and recover from the breach. This can involve hiring cybersecurity experts, conducting forensic investigations, implementing security upgrades, and enhancing infrastructure.
Reason 4: Legal and Regulatory Penalties
Data breaches or other cybersecurity incidents may reveal that the organization has failed to protect customer data or has violated data protection regulations, subjecting it to substantial fines and legal penalties.
Reason 5: Legal Claims and Lawsuits
Individuals or organizations affected by a security incident may initiate legal action against the responsible party. This can result in expensive lawsuits, settlements, and compensation payments for damages suffered, including financial losses, identity theft recovery, or other related costs.
Reason 6: Reputational Damage
Security incidents can severely damage an organization's reputation, resulting in the loss of customer trust and potential business opportunities. Negative publicity, customer churn, and the need for extensive reputation management efforts can have long-lasting financial implications.
Reason 7: Increased Security Investments
Following a security incident, organizations often need to invest additional resources in strengthening their security infrastructure, implementing advanced threat detection systems, enhancing employee training, and improving incident response capabilities.
Creating a Cybersecurity Incident Response Plan
Fortunately, organizations are not left without resources if they want to mitigate the potential impacts of data breaches and other types of cybersecurity incidents. Founded in 2018 to understand and mitigate the risks that cyberthreats pose to critical infrastructure, and to facilitate coordination between federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA) partners with agencies like the National Institute of Standards and Technology (NIST) to provide operational guidance and procedures to organizations across the US government and the economy at large. CISA also collaborates with international partners to promote cross-border critical infrastructure security and resilience through information sharing, so that everyone benefits from the exchange of best practices, expertise, and lessons learned.
Published by CISA in November 2021, the Cybersecurity Incident and Vulnerability Response Playbooks provide a framework to understand and implement response plans to minimize the risk of cyberattacks. While intended originally for organizations in the United States, its framework offers best practices that can be applied across the globe. It breaks cybersecurity incident response down into six key components as follows:
Preparation: Given the realities of today’s threat landscape, all organizations must take steps to prepare for cybersecurity incidents. Preparation should include establishing baselines for infrastructure, network traffic, and user and system activity; developing response plans and training teams on them; and consistently monitoring the technology infrastructure so that deviations from those baselines are noticed.
Detection and Analysis: Once an organization detects an incident, it must activate the response plan and move into action. After anomalous activity is detected, the steps include comparing it against the baseline to determine what is happening, reporting it to the appropriate internal and external parties, collecting and preserving data so that it can later be relied on, and conducting analysis to determine the cause.
Containment: The containment phase is tightly integrated with detection and analysis. Understanding the attacker’s tactics, techniques, and procedures (TTPs) drives the strategy the organization will use to stop the spread of damage and reduce the impact of the incident by removing the attacker’s access to systems.
Eradication and Recovery: Eradication removes the malicious code and the attacker’s access that caused the incident; recovery restores the organization’s systems to a “new normal” where all operations are running again and the vulnerabilities that were exploited have been remedied, preventing future breaches of the same sort.
Post-Incident Activities: Once eradication is complete and all systems are secure, it’s critical to document the incident and lessons learned to avoid similar incidents in the future. This should include debriefing internal teams and external organizations, as well as deploying and testing new security systems and identifying any gaps in response plans and updating them.
Coordination: Coordination is not so much a separate phase as a requirement throughout the cybersecurity incident response process. Organizations should coordinate not only internally across legal, IT, cybersecurity, DFIR and other relevant teams, but also externally with appropriate regulatory agencies and law enforcement, as needed.
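The Preparation and Detection and Analysis phases above rest on two concrete practices: a baseline to compare activity against, and evidence that is preserved in a way that can later be shown to be unaltered. The Python below is an added illustration written for this article; it is not code from CISA’s playbook or from Exterro. The flow records, host names and addresses are constructed for the example, the baseline is a simple per-host set of known destinations plus a bytes-out threshold (an assumed, deliberately simple model), and preservation is a SHA-256 manifest over the flagged records.

```python
"""Baseline-and-compare detection plus evidence preservation (illustrative example)."""
import hashlib
import json
import statistics
from collections import defaultdict

# Constructed flow records, not captured traffic: "timestamp source_host destination_ip bytes_out"
BASELINE_LOG = """\
2024-03-01T09:00:00Z ws-017 10.0.0.5 1200
2024-03-01T09:05:00Z ws-017 10.0.0.5 1350
2024-03-01T09:10:00Z ws-017 10.0.0.9 900
2024-03-01T09:15:00Z ws-017 10.0.0.9 1100
2024-03-01T09:20:00Z ws-017 10.0.0.5 1250
2024-03-01T09:00:00Z db-02 10.0.0.5 4000
2024-03-01T09:30:00Z db-02 10.0.0.5 4200
2024-03-01T10:00:00Z db-02 10.0.0.5 3900
"""

# Constructed incident window: ws-017 starts sending large volumes to an address never seen before.
INCIDENT_LOG = """\
2024-03-08T02:10:00Z ws-017 10.0.0.5 1300
2024-03-08T02:12:00Z ws-017 203.0.113.44 52000000
2024-03-08T02:15:00Z ws-017 203.0.113.44 61000000
2024-03-08T02:20:00Z db-02 10.0.0.5 4100
"""


def parse(log):
    """Turn the whitespace-separated flow lines into dicts."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        records.append({"ts": ts, "host": host, "dst": dst, "bytes": int(nbytes)})
    return records


def build_baseline(records):
    """Preparation: per-host known destinations and bytes-out statistics (assumed model)."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for r in records:
        dests[r["host"]].add(r["dst"])
        sizes[r["host"]].append(r["bytes"])
    baseline = {}
    for host in dests:
        mean = statistics.mean(sizes[host])
        stdev = statistics.pstdev(sizes[host]) if len(sizes[host]) > 1 else 0.0
        baseline[host] = {"dests": dests[host], "mean": mean, "stdev": stdev}
    return baseline


def detect(records, baseline, z=3.0):
    """Detection: flag records that deviate from the host's baseline.

    A record is flagged when the host has no baseline, the destination is new, or
    bytes_out exceeds mean + z * stdev. The stdev is floored at 10% of the mean so a
    perfectly flat baseline does not turn every tiny fluctuation into an alert.
    """
    flagged = []
    for r in records:
        b = baseline.get(r["host"])
        reasons = []
        if b is None:
            reasons.append("unknown-host")
        else:
            if r["dst"] not in b["dests"]:
                reasons.append("new-destination")
            threshold = b["mean"] + z * max(b["stdev"], 0.1 * b["mean"])
            if r["bytes"] > threshold:
                reasons.append("volume-anomaly")
        if reasons:
            flagged.append({**r, "reasons": reasons})
    return flagged


def preserve(flagged, collected_by):
    """Collect and preserve: hash each flagged record and the whole bundle."""
    items = []
    for r in flagged:
        canonical = json.dumps(r, sort_keys=True)  # stable serialization before hashing
        items.append({"record": canonical,
                      "sha256": hashlib.sha256(canonical.encode()).hexdigest()})
    bundle = json.dumps(items, sort_keys=True)
    return {"collected_by": collected_by, "items": items,
            "bundle_sha256": hashlib.sha256(bundle.encode()).hexdigest()}


def verify(manifest):
    """Re-hash the preserved records; any edit to a record or the manifest changes a digest."""
    for item in manifest["items"]:
        if hashlib.sha256(item["record"].encode()).hexdigest() != item["sha256"]:
            return False
    bundle = json.dumps(manifest["items"], sort_keys=True)
    return hashlib.sha256(bundle.encode()).hexdigest() == manifest["bundle_sha256"]


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    hits = detect(parse(INCIDENT_LOG), baseline)
    for h in hits:
        print(h["ts"], h["host"], h["dst"], h["bytes"], ",".join(h["reasons"]))
    manifest = preserve(hits, collected_by="ir-analyst")
    print("manifest verified:", verify(manifest))
```

Only the two transfers to 203.0.113.44 are flagged; the routine traffic to 10.0.0.5 from both hosts stays within its baseline. In a real deployment the baseline would be learned from weeks of data and cover far more than destination and volume, and the manifest would be signed and stored outside the affected environment so the analysis in later phases can show the evidence was not altered.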
To learn more about developing an incident response playbook based on CISA guidance, download the Exterro FTK® action plan, Implementing the CISA Cybersecurity Response Playbook.