February 28, 2022
Cyber security trends in 2022 - Incident response planning
It can be difficult to cut through the noise and identify exactly which new vulnerabilities or trends should be prioritised. With a limited budget, how can you make sure your business is prepared, secure and competitive? In this series, we have identified our top five trends to prioritise this year to put your business in the best position to succeed. In our first blog, we consider incident response strategies. Whilst many businesses had to focus on simply maintaining operations over the last two years, now is the time for renewed focus on incident response preparations for enhanced corporate resiliency.

Throughout 2021, cyber security breaches posed an increasingly significant threat, with the number of businesses detecting and reporting incidents growing, and phishing attacks remaining the most common threat vector to industries around the UK. As we move into 2022, the question we at Secure Impact ask is, what will this year look like in terms of cyber incidents? Moreover, can you safely say your company is ready for the worst-case scenario, and does your team have the capabilities to detect and respond to cyber incidents swiftly and effectively?

The UK Government Cyber Security Breaches Survey 2021 found that four in ten businesses (39%) and a quarter of charities (26%) reported a cyber security breach or attack in the last 12 months, with medium (65%) and large (64%) businesses more frequently targeted. However, whilst most businesses (62%) and charities (69%) took the necessary action to avoid further cyber incidents, almost one third took no action post-incident, such as changing security practices within the organisation to prevent an incident happening again.

Percentage of businesses that have taken action after their latest disruptive incident - UK Government Cyber Security Breaches Survey 2021

In 2022, businesses, executive leaders, and IT teams must recognise that effective incident response plans enhance corporate resiliency. As a response to the COVID-19 pandemic, organisations focused on short-term business and IT service continuity, eclipsing debates on cyber security in order to maintain business operations. Cyber security professionals now need to reframe these debates, demonstrating that incident response is an essential component of corporate sustainability.

Prevention is Better Than Cure  

The expression “prevention is better than cure” is often credited to the Dutch philosopher Desiderius Erasmus. The saying is used in cyber security in relation to the security stance of an organisation - focusing on preventing a potential cyber incident is far more valuable to a business than simply responding to incidents when they occur. Having a proactive incident response strategy in place is central to this.

A proactive company will aim to be prepared for most eventualities, including breaches, ransomware, malware, and phishing attacks. The preparation stage of the incident response lifecycle is key and should not be ignored. This will arm a business with the tools to know exactly what steps to take, which is often referred to as an incident response playbook. They will have meticulously conducted practice exercises, which will enable their organisation to recover faster and more effectively in a crisis. A proactive approach will also enable an organisation to produce clear and decisive communications if an incident occurs, creating confidence and responding clearly to internal staff and client concerns.  

Whether your organisation has its own internal Cyber Incident Response Team (CIRT) or utilises a third-party CIRT, it is vital that the preparation phase is understood by everyone, from HR staff and IT members to key stakeholders. Playbooks, a term also used in American Football, are simply a route to tackle a certain scenario utilising pre-determined steps for the response team, and there can be multiple playbooks to cover certain events such as ‘Phishing Attack’, ‘Data Breach’ or ‘Ransomware Attack’. ‘Running’ a playbook, and practising the response strategy, is one stage in preparing an organisation for a real attack. Practice makes perfect!

Playbooks are just one element of an Incident Response Plan, or IRP. The IRP is a dynamic document, tailored to each company, that outlines who should be contacted in the first instance - internal teams, external bodies, legal counsel and other key stakeholders. Playbooks can sometimes be an Annex to this document. As with playbooks, the IRP should be tested regularly and thoroughly, and members from all departments should be familiar with it.  

Security Awareness Training  

Repeatedly, during the final ‘lessons learned’ phase of the incident response lifecycle, we hear clients say, “If we had had training on that, then this might not have happened.” Excellent security awareness training is the foundation of committed and engaged personnel.  Employees may make major errors if they are not properly trained, especially in the area of cyber security. Businesses can use security training to change behaviour, manage risk, and ensure compliance.  

Evidence shows that over the last 12 months alone, medium to large businesses suffered on average over £13,400 in losses per incident. To protect those earnings and secure your company’s assets, it is important to invest in training from the start. Security training should be reviewed every six months, as new and emerging threats appear in the digital landscape.

You should not assume that your staff will follow security practices simply because they have read the guidelines and company policies. Employees will be more likely to adopt a better security stance if they receive appropriate and engaging training. Training will help employees to recognise the risks they might face every day, and the vital role that they play in reducing the risk of an incident. Regular training leads to increased adoption, improving security throughout your business.

Lack of formal security training can also lead to inconsistency in the security principles and standards used throughout your business, with different branches or locations utilising different security practices. The security stance for all employees should be consistent, and training provides this, creating clear guidelines for the whole business. It is vital to have all stakeholders on the same page to reduce risk.

Preparedness Cycle  

Incident response strategies are structured around a preparedness cycle framework. Preparedness is defined as "a continuous cycle of planning, organising, training, equipping, exercising, assessing, and taking corrective action in an effort to guarantee successful coordination during event response" by the National Incident Management System (NIMS). This cycle is one component of a larger system for preventing, responding to, recovering from, and mitigating major incidents.

The Preparedness Cycle

The cycle has five key stages: Plan, Organise/Equip, Train, Exercise, and Evaluate/Improve. Each stage has a different role in the overall preparation for an incident, as detailed below.

  1. Plan - At this stage, the organisation establishes their incident response plans, procedures and playbooks, to determine their response strategy and their immediate actions in the event of a cyber incident.
  2. Organise/Equip - Successful incident response necessitates a combination of people, resources, training, and skills.
  3. Train - As already discussed, a successful training package for all staff in the business will encourage a higher level of cyber hygiene.
  4. Exercise - Practice instils confidence in anticipation of an incident, creating the knowledge that most of the essential decisions that will be taken have been rehearsed.
  5. Evaluate/Improve - It is critical that activity outcomes are assessed against objectives, and that lessons learned are recorded to allow for continued improvements, refinement, and to guide future exercise and readiness needs.

Other Preventative Measures  

Preparation is key to success, and to overcoming the challenges that arise from incidents. In addition to the strategies already outlined, there are also multiple methods that an organisation can adopt to prevent incidents occurring. The simple list below is by no means complete, however, it has several vital steps that can be introduced easily.  

Password Policy  

An organisation should have a strict password policy: passwords should be at least 15 characters long, using upper and lowercase letters, numerals, and special characters. Password managers such as 1Password are also a great tool, with browser extensions that can be used to secure all of your company passwords.

MFA

Multi-Factor Authentication (MFA) applications help to secure a device during the login process. Third-party applications such as Google Authenticator add an extra step in which the user receives a code on a device that only they have access to, adding an extra layer of security.

Patch, Patch, Patch

Security weaknesses, commonly known as software vulnerabilities, are popular targets for attackers. A software vulnerability is a security flaw or weakness discovered in a software application or operating system. Attackers exploit the flaw by developing programs that target the vulnerability. Software patches are frequently included in software updates to close these security gaps and keep attackers out, so it is crucial to keep your systems up to date and apply updates regularly.

Final thoughts

Nobody knows or can predict when the next major incident or data breach is going to occur. What you can do is prepare your business in the best way possible, by having a clear incident response strategy and instilling a security culture through purposeful training for all employees. Tried and tested methods include the following.

  • Ensuring all the necessary documents are in place, including playbooks and an IRP. Not only in place, but read, tested, and understood by all individuals. The old saying 'Prior Planning Prevents Poor Performance' is echoed in this. Understanding the documents and running through an incident playbook will help your business in the long run when an actual incident occurs.
  • Employing basic security features within your business, such as utilising highly functional applications like Google Authenticator on devices to enable MFA. The fundamental advantage of MFA is that it increases the security of your company by forcing users to identify themselves with more than just a login and password. While usernames and passwords are vital, they are subject to brute force attacks and can be obtained by third parties.
  • Setting a strict password policy and utilising password manager software. Passwords are your first line of protection against unauthorised access. The more complex your password, the more secure your computer will be against attackers.
  • Regularly pushing the basic updates on your systems. Software upgrades may contain new or improved capabilities, as well as improved interoperability with other devices or apps. They can also improve your software's stability and eliminate obsolete functionality. These points are relevant to all organisations, no matter the size.  

If you have any questions about this blog, or would like to discuss how we can partner with your business, please contact our incident response team.
