Incident Response: 4 Steps to Deal with a Security Breach

By Amanda Daly | Tuesday, April 14th, 2020

As of March 27, 2020 the Proofpoint Research Team had "seen over 500,000 messages, 300,000 malicious URLs, 200,000 malicious attachments with coronavirus themes across more than 170 campaigns." This continued rise in new threats, coupled with fully remote work environments, makes it even more important that firms review their incident response policies and procedures.

While this list is in no way a comprehensive account of the steps necessary to combat cyber-attacks (many steps will vary with the type of attack), it provides a baseline for planning and internal discussion.

1. Establish an Incident Response Team.

Choose a select group of individuals to lead your Incident Response Team (IRT). Formulating a plan in advance ensures that roles and responsibilities are clearly defined and minimizes the potential for fallout. Once the plan has been completed, it should be set down in writing and be easily accessible during any attack. The IRT can be composed of internal staff (e.g. IT, Human Resources, Operations, Client Service, BCP) and external members (e.g. public relations, vendors, law enforcement).

Notably, your Incident Response Team should include your Chief Information Security Officer (CISO), who will ultimately guide the firm's security policy direction.

2. Identify the type and extent of incident.

Before your Incident Response Team can respond to an incident, it must clearly assess the damage to determine the appropriate response. For example, if the incident is a computer virus that can be quickly and efficiently detected and removed (and no internal or external parties will be affected), the proper response may be to document the incident and keep it on file. This task could effectively be handled by the internal IT department or an outsourced cloud provider. If, however, an incident occurs that affects multiple clients, investors or other parties, the incident should be escalated to the IRT.

3. Notify affected parties and outside organizations.

Certain departments, including the IT team and/or the client service team, may be notified of select incidents. These parties should use their discretion in escalating incidents to the IRT. Any event suspected to be the result of sabotage or a targeted attack should be escalated immediately. This may include phishing scams used to lure employees into entering credentials or wiring money to fraudulent accounts, ransomware or cyber espionage campaigns designed to hold company information or assets hostage, or disruptions in firm networks that may present as suspicious vulnerabilities or unexpected.

A member of the IRT should be responsible for managing communication to affected parties (e.g. investors, third party vendors). Depending on the severity of the incident, this IRT member will also act as the liaison between the organization and law enforcement. When appropriate and necessary, the IRT is responsible for identifying and gathering both physical and electronic evidence as part of the investigation.

4. Mitigate risk and exposure.

A technical member of the IRT should be responsible for monitoring the situation, ensuring that any effects or damage resulting from the incident are appropriately repaired, and ensuring that measures are taken to minimize future occurrences. The IRT will also need to define any necessary penalties resulting from the incident. For example, an inappropriate wire transfer made in response to a fraudulent phishing email could result in the termination of the employee responsible.