How to prevent, detect, respond to cybersecurity incidents

Aug. 5, 2020

This paid piece is sponsored by Eide Bailly LLP.

When the first skyscrapers were built, they had from 10 to 20 floors. Today, skyscrapers have over 100 floors and are thousands of feet tall. Though many engineering and technological advances have contributed to this progress, modern reinforced concrete frameworks are most critical to the strength and stability of these superstructures, fortifying them against strong winds and earthquakes.

Similarly, the information technology systems and networks that support our society’s infrastructure require solid frameworks to ensure their security and stability. This infrastructure, from government services to utilities to privately held companies, relies increasingly on such systems and networks. If not secured, these systems could be targeted by hackers and suffer devastating consequences.

To secure and protect your assets, electronic or otherwise, you must address three general areas of cybersecurity: prevention, detection and response. Yet in spite of the fact that data breaches are an increasing threat to the viability of businesses, most do not have a cybersecurity plan in place and are not prepared to handle the costs and consequences associated with a data breach.

Prevention of cybersecurity incidents

  • The goal of cybersecurity is to prevent an incident or a breach. Prevention is the most cost-effective tactic and warrants a detailed plan of action.
  • Establish and understand the budget you’ll need to maintain a cybersecurity program. In most cases, you can implement successful security measures without breaking the bank if you’re effective in communicating your goals within your organization.
  • Build a culture of cybersecurity awareness at your organization. Employees should not only follow best practices but understand specific cyber risks within the network. This should include established policies and procedures, as well as training.
  • Assess your current risks or have a third party do so. Apply what you learn from this assessment to prioritize tasks and secure your systems, networks and applications strategically.

Why perform a cybersecurity risk assessment?

The key to prevention is understanding your risks and matching the appropriate prevention tactics to each. Otherwise, you won’t know what you’re protecting and why, and your strategy may not meet the need. You must:

  • Define the type of information you have.
  • Assess how information moves through your organization.
  • Learn why that information would be valuable to a hacker.

The results of this assessment will be different for each organization as will the solutions.

An assessment is particularly important if there are defined requirements or regulations for the information you’re protecting. If you don’t have the right safeguards in place, you could face higher fines and penalties in the event of a breach.

Detection of cybersecurity incidents

Preventing all attempted security breaches is impossible. To defend against attacks, you must implement a strategy to monitor your network and detect those attempts as early as possible. Most incidents begin with events that appear on system and network logs. If you can identify events from technical sources and reports that pose threats to your security and operations, you can then determine what, if anything, needs to be done to prevent a full security breach.

Monitoring and assessing the network, logs and reports should be a regular and ongoing task. And you must implement a technical strategy for detection that includes everyone in your organization. Establish regular training for cybersecurity awareness, deploy malicious code detection to your entire network, harden your network environment against vulnerabilities and use firewalls to block unauthorized activity on your network.

Response to cybersecurity incidents

Developing an incident response plan can be compared to running a strategy game. You want to position the right people in the right places for the best outcomes should an issue arise. Such planning is not just for expansive and complex companies.

Cyber incidents happen to companies of all sizes and incident response is relevant to every business. The same technology that continues to revolutionize industries can easily cripple any organization. In fact, there’s a chance your company has had a data breach within the past year.

To navigate an incident safely and successfully, you must establish an incident response plan for key personnel to follow in the event of a breach or attack. For this plan, you should:

  • Define what qualifies as an incident. This will be different for every company.
  • Establish clear policies for cybersecurity and incident response.
  • Determine the key personnel to be alerted when an incident is identified; these people form your incident response team.
  • Log and monitor everything for reference if an incident occurs.
  • Create protocols for reporting, notifying and communicating incidents within your organization and with any other relevant parties.
  • Include a forensics element. Handling incidents this way ensures you have documented a defensible process, so you can justify your actions to meet legal obligations while keeping your business operating securely.

What are the key roles on an incident response team?

Each person on your incident response team will have a role to play in keeping everything organized and under control during a data breach. In terms of strategy, each member should have a specific responsibility in getting the company through the response. There are four primary roles to assign, though larger incidents could require more complex combinations of skills. These individuals make up the backbone of any incident response plan:

The veterans: When it comes to incident response, IT professionals are the champions of their company’s security. When an end-user finds a potential cybersecurity threat, the IT professional confirms the threat based on the incident response plan. Then, they work to mitigate the incident. They must also practice restraint, as mishandling information during an incident could leave the company responsible and liable for spoliation of data.

The investigators: After several cybersecurity incidents, you’ll want assistance from a third-party forensic team, who can provide extensive expertise, tools and resources you may not have available within your company. You also may need a third-party forensic team to conduct an impartial review or report for insurance reasons.

The internal lead: It is important to have a person in charge of controlling the dissemination of information throughout the company. This role is typically filled by either the chief security officer or head of public relations. This person will maintain and report information and results to the company as needed. Other team members will defer to the internal lead for guidance and authority. Ideally, this person should have some technological experience or insight into the company’s technical makeup. And the lead should rank high enough to deter suspicion over delegating orders or taking possession of devices.

The legal representative: The company attorney or legal representative will manage public and private perception of the company and ensure that there are no legal repercussions when the incident is resolved. This person organizes a plan based on the information to best help the company and gives insight into legal nuances of incident response, such as when to reveal your cards and when to call an investigation to a close. This role is especially critical if your company is dealing with protected information beholden to regulatory bodies.

As you can see, each member of the team has a specific and vital responsibility. Going through any incident without a complete team could end up costing more money and bringing confusion and unnecessary stress to an already precarious security situation.

Potential consequences of being unprepared

Investigation expenses and litigation: Every business maintains proprietary data in the form of customer lists, trade secrets and personally identifiable information, or PII, which is protected by law. In the event of a data breach, you’ll have to factor in the initial expense incurred by investigating the breach, as well as costs associated with potential litigation. If you understand your cyber risk ahead of time, however, you can be prepared to make efficient and effective decisions should malicious activity occur.

While it’s important to keep up with new regulations around handling personal and confidential information, the regulations aren’t designed to protect your business and operations. Ultimately, it’s an organization-wide issue and the responsibility falls to owners, executives and board members. By taking a holistic approach to cybersecurity management, you can reduce weaknesses in your cybersecurity defenses.

Here are a few tips for developing a defensible process:

  • Use a third party for incident response capability assessments, as well as regulatory compliance.
  • Use internal IT staff for business continuity and recovery during an incident.
  • Use a third party to manage the incident response and conduct the investigation. It is important that this third party is trained and qualified in forensic investigation, so that incident response is handled in a way that prepares you for any potential future litigation that may surface.
  • Ensure you are regularly conducting response activities on events that are a potential threat to your organization. Do not wait to declare something an incident based on compliance standards alone.

Infrastructure vulnerability and chaos: Beyond data security, a breach at your company could have disastrous consequences if hackers take control of key operations – especially physical infrastructure operations. In March 2016, foreign nationals were charged with hacking attacks on a dam in Westchester County, N.Y. They were able to perpetrate the attacks by installing malware on computers around the world and then using those tools remotely to launch cyberattacks. They never took control of the dam or caused disruptions. They instead examined its operating system to determine its defenses against cyberattacks. A follow-up investigation determined that, in theory, the hackers could have caused flooding and created chaos by hacking into the dam’s control system.

Industry-specific consequences

Though many cybersecurity risks are common among industries, certain sectors will face varying consequences because of the nature of their data or condition of their systems. For instance:

Higher education: There are strict regulations for handling and protecting personal information retained through the financial aid system. The responsibility falls to several parties, including institutions and third-party services. Compliance is audited, and if a risk is identified, consequences range from disabled access to information systems to fines and other actions deemed appropriate by the Department of Education.

Automotive sales: Auto dealerships collect a significant amount of consumer information and are prime targets for hackers. Common cyber incidents for this industry include breaching Wi-Fi networks, phishing scams, fraud and installing malware via email. One of the biggest consequences of such activity is reputation damage. Nearly 84 percent of consumers would not buy another car from a dealership that had a security breach.

Manufacturing: A recent study found that nearly 40 percent of manufacturers don’t have a cybersecurity plan, and it’s also true that many manufacturers operate using outdated technology. These conditions increase their vulnerability to cyberattacks. Plus, manufacturing is an industry that has to protect a special type of data: intellectual property. Trade secrets and build lists set companies apart and drive brands and could be stolen or held for ransom.

The importance of implementing a cybersecurity plan

Cyberthreats and cyberattacks have increased dramatically over the past decade. These attacks have exposed sensitive personal and business information, disrupted the critical operations of organizations and imposed high costs on the economy and businesses. It is imperative you stay informed about the continuously changing forms of cyberthreats and develop appropriate, cost-effective controls to safeguard your business from data breaches.

Responding to a cybersecurity incident as quickly as possible is critical. Eide Bailly LLP can help.
