What to Do First in A Cyber Incident

It’s inevitable – at some point, your organization will have to deal with a cybersecurity incident. It’s not a matter of if, it’s a matter of when. As of 2022, the global average cost per data breach amounted to $4.35 million, an increase from $4.24 million in 2021.

What determines how extensive the damage of a cyber attack is, can highly depend on how your organization responds to it.

Here are the top 3 things you should do in the event of a cybersecurity incident:

Refer to your Incident Response Plan (IRP)

The first step your organization should take in any cybersecurity event is to review your Incident Response Plan (IRP), which should be accurate and up to date. IRPs should help your cyber team detect, respond to, and recover from a security incident. An IRP includes specific response actions based on the type of security incident (such as ransomware to account compromise) and provides a playbook for how to respond and who to notify.

If you have a solid IRP in place, the next actions your organization should follow what’s outlined in the IRP.

If you do not have an IRP or your IRP is out of date, read on to learn more about ideal first steps.

Prepare To Respond

Aligned with NIST’s Incident Handling Guide, if you don’t have an IRP in place, the next step is preparation. Preparation steps include:

• Identify communication and coordination mechanisms and involved parties
• Determine and access hardware, software, and resources needed for incident analysis and mitigation
• Ensure you have visibility into the necessary systems

With these steps in place, your organization can more easily proceed to our next step.

Detect and Analyze

With preparation in place, your organization should begin the process of analyzing the impact of the incident and detecting the damage caused. Time is of the essence, once the plan is in place, moving quickly gives your organization the best chance to mitigate a disaster as the quicker your organization Steps include:

• Perform initial analysis and validation for the incident and its indicators to determine incident’s scope. This includes – what systems are affected, who or what originated the incident, and how the incident is occurring. For this to be an in-depth analysis, your organization needs tools in place that provide the monitoring, data collection and visibility to determine what has happened in your environment and what data the intruder may have had access to
• Document every step taken from the time the incident was detected to its final resolution
• Prioritize the handling of the incident by relevant factors such as functional and information impact

After the above steps have been taken, your organization should now go down the path of containment, eradication, and recovery to ensure the impact to your organization is as minimal as possible.

With cybersecurity, it’s not a matter of if you get attacked. It’s a matter of when. To effectively protect your organization, you need a cybersecurity program in place that provides real-time detection, validation, reporting, and response capabilities to protect your IT environment from end to end.

Resolving and remediating after a cybersecurity incident can be a large undertaking. By working with an MSSP, you can reduce the burden and focus on what your organization does best. Dataprise is a leading strategic IT solution provider specializing in managed security. Download our CIO-reviewed ransomware checklist, which includes a bonus Incident Response Tabletop Exercise that you can use to have a discussion within your IT department to determine your organizational preparedness for a cyber incident.