How to Effectively Respond to a Hack When It Happens

Will Ash is senior director of security for U.S. Public Sector at Cisco.

Sean Mason is director of incident response at Cisco.

Federal agencies and private-sector organizations alike have come to realize that data breaches and cybersecurity attacks are inevitable.

The statistics on public-sector data breaches are chilling:

• Public-sector entities are the third-most targeted for hacks, after financial and health care organizations.
• More than 40 percent of public-sector data breaches are espionage-related.
• More than half of known public-sector hacks take more than one year to discover.

The key to mitigating the effects of a cybersecurity hack lies in proactive preparation. Agencies should also adopt a proactive versus reactive mindset. Nearly half of public-sector organizations (46 percent) admit breaches drive improvements in security defense policies, procedures and technologies. Rather than wait until a breach occurs to invest in cybersecurity protocols and technology, government agencies should prepare for a hack by developing an incident response plan.

Effective incident response plans help minimize the risks of a hack and enable an agency to respond quickly to minimize the damage. Here are five steps to make one:

1. Appoint a leader. Identify an incident response leader who has good knowledge of your agency’s work and who is an effective and responsible problem solver.

2. Assemble a team. Gather and empower a team of individuals with clearly defined roles and responsibilities before, during and after a hack.

3. Establish your incident response process. Effective plans must be clear, fit within your agency’s culture and have employee buy-in.

4. Connect talent and tools. Once your incident response team is assembled, inventory their relevant skills, map the gaps and determine what additional tools and/or resources may be needed. Your agency may find it is more efficient and cheaper to outsource some services to better access key cyber talent. For example, in 2016 51 percent of security professionals outsourced advice and consulting, while 45 percent outsourced incident response.

5. Measure and revise. One of the biggest takeaways from developing an incident response plan is to help staff understand that cybersecurity is an ongoing process. The protocols developed today may prove ineffective tomorrow. It’s important to not just measure success/failure based on breaches, but also evaluate how flexible and agile your team is in adapting to new threats.

Other Aspects to Consider

Prevention: To minimize the impact of security breaches, employees must report security failures and problems. Thus, they should be incentivized to do so without fear of any negative repercussions. Transparency and reporting are key to effective communication. In addition, security processes and procedures must be clear and well understood.

Detection: The best detection methods for minimizing the impact of breaches are those that allow organizations to spot security weaknesses before they become full-blown incidents. To accomplish this, it’s vital to have a clear system for categorizing incident-related information.

Recognition: While automated systems are vital to early detection of breaches, effective human intelligence is key to appropriately interpreting and acting on that data. Thus, workers must continuously be trained in the different approaches that adversaries use to compromise and attack users and systems—such as reconnaissance, weaponization, delivery and installation.

Mitigation: Well-documented processes and procedures for incident response and tracking are key to effective breach mitigation. Agencies also need strong protocols to manage their response to crises.

Every response plan should be reviewed with an eye toward understanding significant capability gaps and developing a plan to address those gaps. Not to say that agencies should let the perfect be the enemy of the good—a minimum viable process for addressing a cybersecurity breach is better than none—and it can then be revised and improved over time.

With a robust incident response plan in place, agency personnel can be prepared for a hack and know what steps to take when it inevitably occurs. Further, strong post-incident review protocols ensure that each security incident, regardless of severity, also functions as a learning opportunity to reassess and reinforce the plan.

Used properly, incident response plans can ensure that when breaches occur, the people, technology and protocols are already in place to mitigate the damage and ultimately saving agency resources and taxpayer dollars.