Incident Response Plan crucial to dealing with cyberattack

First port of call post cybercrime incident.

The Incident Response Plan should be the first port of call for any company struck by a cyberattack, according to Daniel Smith, CISO at Hearing Australia.


Smith has had experience working with a separate organisation in the aftermath of a cyberattack, and worked with the business through every stage of deploying the plan.

He told Digital Nation Australia that referring to an Incident Response Plan and assembling an Incident Response Team should be the first step after detecting that an incident has occurred.

“It's human nature, if you haven't been through a lot of those sort of incidents to have a little bit of panic and people's brains sort of run off in all sort of different directions. So, certainly within my organisation and I'm sure most cyber operations have an incident response plan,” said Smith.

The Incident Response Team should include senior management, including the CISO, CIO, chief privacy officer, public relations and legal personnel, he said.

“The typical stages of a standard incident response look like the detection phase, how we detect it, as much information as we can get in that detection phase about what people are seeing on the ground and what's happening, analysis of what's happening,” said Smith.

“And then straight away, we move into containment where if you were thinking about it from a medical perspective, the surgeon would want to stop the bleeding. So containing that threat.”

After the containment phase, the business would then move to the eradication phase to attempt to eradicate the threat actor and the threat from the environment, followed by remediation to prevent the threat from happening again.

“Post incident review, any learnings, any procedural process changes that typically need to be undertaken that you can learn from that incident.”

While an incident response plan outlines the key steps for an organisation in the wake of a cyber emergency, Smith is emphatic about the need for fire drills.

“It can be a very emotional situation. The plan gives structure and assists you if you've never been through one before. However, this is the reason why we're so proactive and supportive of running fire drills,” said Smith.

“If you're at work and the building catches fire, if you'd never done a fire drill before people will be running in all sorts of directions, but we do fire drills in the office so that people know where the fire exits are, people know where the assembly area is.

“Similarly in the cyberspace, if you fire drill your incident response plans, if you do a little bit of role playing, if you engage the incident response team, the legal guys, the public relations and communications teams aren't doing it for the first time. Everybody knows who's who and what their responsibilities are.”

Smith encourages every organisation to follow the Australian Cyber Security Centre’s Essential Eight when it comes to the minimum eight things organisations should do to protect themselves from cyberattack.

“That would be the bare minimum for me as I would see it or as a good starting point. Things like Incident Response Plans and those sorts of things would be helpful. But if you don't have the Essential Eight implemented at least, you may be using that Incident Response Plan more than you would like.”

© Digital Nation