Incident Response: A Step-By-Step Guide to Dealing with a Security Breach
If your firm hasn't yet suffered a security breach, you're probably one of the lucky ones. You also probably won't stay lucky for long: most firms will encounter a cybersecurity incident at some point. Incidents today come in many forms, but whether it is a system compromise at the hands of an attacker or an account takeover that began with a phishing email, firms need documented incident response policies in place before the event, not after, so that the aftermath is handled in a controlled way.
With the threat of security incidents at an all-time high, we want to ensure our clients and partners have plans and policies in place to cope with whatever arises. This list is not a comprehensive account of the steps needed to handle a cyber-attack (many steps will vary with the type of incident), but it is a quick step-by-step guide to follow if your firm is hit by a cybersecurity breach.
1. Establish an Incident Response Team.
Choose a small group of individuals to form your Incident Response Team (IRT). Assign each member a predefined role and set of responsibilities, which may, during an incident, take precedence over their normal duties. The IRT can draw on a variety of departments, including Information Technology, Compliance and Human Resources.
Notably, your Incident Response Team should include your Chief Information Security Officer (CISO), who will ultimately guide the firm's security policy direction.
2. Identify the type and extent of incident.
Before your Incident Response Team can respond to an incident, it must first assess the damage so it can determine the appropriate response. For example, if the incident is a piece of malware that was quickly detected and cleanly removed from a single machine, and no internal or external parties were affected, the proper response may simply be to document the incident and keep the record on file. That task can be handled by the internal IT department or by an outsourced IT or cloud provider.
If, however, an incident affects multiple clients, investors or other parties, it should be escalated to the IRT.
3. Escalate incidents as necessary.
Certain departments, typically the IT team and/or the client service team, may be the first to learn of an incident. These parties should use their discretion in escalating incidents to the IRT, but any event suspected to be the result of sabotage or a targeted attack should be escalated immediately. This includes phishing scams that lure employees into entering credentials or wiring money to fraudulent accounts, ransomware that holds company data or systems hostage, cyber espionage campaigns aimed at the firm's information or assets, and network disruptions such as unexplained outages or signs that a vulnerability is being actively exploited.
4. Notify affected parties and outside organizations.
One member of the IRT should be responsible for managing communication with affected parties (e.g. investors, third-party vendors, etc.). Depending on the severity of the incident, the same member may also act as the liaison between the organization and law enforcement.
5. Gather evidence.
When appropriate and necessary, the IRT is responsible for identifying, gathering and preserving both physical and electronic evidence as part of the investigation. Evidence should be handled so that it can be relied on later, which means recording who collected each item, when, and from where, and avoiding changes to the original systems or data wherever possible.
6. Mitigate risk and exposure.
A technical member of the IRT should be responsible for monitoring the situation, ensuring that any damage caused by the incident is repaired, and seeing that measures are taken to reduce the chance of a recurrence. The IRT will also need to determine whether any disciplinary action is warranted as a result of the incident. For example, an unauthorized wire transfer made in response to a fraudulent phishing email could result in the termination of the employee responsible.