Cyber Security Cornerstone: The Incident Response Plan
June 15, 2021
In recent years, cyber breaches have become more and more sophisticated. Targets have widened to include more than just government entities. And while cyber knowledge is certainly more common for businesses today, incident response plans and actions to prevent cyber breaches are struggling to keep pace with criminal actors.
We sat down with Kevin Kirst, a leading cyber security and incident response expert at EY, to get his take on preventing cyber breaches, advice on preparing or updating incident response plans, and his predictions for the future of cyber security and cyber insurance.
In the last ten years, Kevin has witnessed incredible shifts in cyber security breaches through the lens of his diverse background. “Prior to 2011, cyber criminals were mostly targeting nation states. And while private corporations lacked cyber knowledge, military and government were both the main focus and housed the majority of the knowledge of cyber security,” said Kevin. From 2012 to 2016, Kevin notes, the industry verticals under attack broadened to include financial institutions and pharmaceuticals. “We saw a lot of banking trojan investigations, IP theft, social justice causes, and attacks that would lay dormant until the criminal actors were ready to deploy.” Starting in 2017, we saw an increase in more targeted ransomware attacks, with criminal actors and ransomware-as-a-service groups realizing they could make serious money off of their efforts.
“The trends seem to have followed a larger to smaller business size model and now they’re moving back up the chain. Rotating industries and adding in Big Game Hunting—that seems to be the choice for today,” said Kevin. And of course, even more recently we’ve seen not just the encryption of data, but also the extortion of that information.
Incident response plan basics
If you don’t have one, now is the time to start implementing and approving an incident response plan. Once a cyber breach occurs, it’s too late. Kevin shared that he sees many IR plans that are too technical and many that are too high level. “It needs to be a mix of both,” said Kevin.
His advice? The most basic steps after a breach has occurred are:
- Activate your IR plan, notify your cyber insurer and IR retainer.
- Follow your plan, identify the threat, contain the threat, eradicate the threat, then focus on recovery.
- Post recovery, implement recommendations from your IR provider, which could include updates to your access management, firewall, patching and password policies, etc.
Recovering from a cyber breach is a massive undertaking and as Kevin put it, “support from outside, a third-party trained in cyber security and cyber threat response, can help clarify everything, including your first and next steps.” A good incident response plan will unite your whole organization, and any outside parties, on where to start and guide them through the process, keeping things moving one step at a time.
For businesses ready to put together their first IR plan (and those that need to reassess their current IR plans), Kevin suggests:
- Get third-party support—you need to know your threat landscape, including what attacks are more likely for your company and industry
- Identify possible scenarios and what steps your team would need to take based on IT, legal, communication, customers, etc.
- Test your plan from beginning to end—make sure your board is prepped, executives are informed, cyber teams are ready, and then practice, learn, improve, and repeat
When considering threat defense specifically, it’s important to:
- Know your high value assets
- Know your privileged accounts (less is more)
- Implement advanced/next gen endpoint detection and response (EDR)
- Implement advanced/next gen network detection and monitoring
- Integrate threat intelligence
- Implement threat and vulnerability management (i.e. patching)
- Get outside help, IR retainer, security assessments, threat hunting, tabletop exercises, IR plan reviews, etc.
- Invest in cyber (people, process, technology)
For ransomware attacks, the question often arises: should we pay the ransom or not? According to Kevin, “this is a business decision, not an insurance decision. The executives need to make that call based on the initial assessment from their teams and IR provider. How did this happen? What was impacted? Do we have backups? Can we restore backups? What is our recovery timeline? What is the customer impact?”
The most important thing you can do? Have a plan in place, well before an incident. The process of identifying the key partners you will turn to, the threats you face, and how to best remediate issues will increase your security. When are you done? The answer is never. As both your organization and the threat landscape changes, your incident response plan should evolve.
The future of cyber breaches
In the next five to ten years, Kevin expects ransomware to continue to grow. “Until the U.S. government can deter ransomware attacks, or private companies can prevent it more effectively [by investing in security capabilities via people, processes, and technology], we’ll see ransomware sticking around for at least the next decade.”
What is the interconnected role of cyber security partners and cyber insurers? Kevin asks “How can we incentivize our clients to be more proactive? Is it assessments, advanced tech implementation? Should we provide additional solutions? The conversation is so much bigger than how we react. We need to get to the center of how we prevent attacks in the first place.”
He anticipates a continued evolution of tactics incentivizing the victim to pay the ransom demands. “As long as criminal actors can make money, they’ll keep attacking,” said Kevin. “And once the U.S. extortion tap runs dry, I suspect we will see a ramp up in targets in Europe, Asia, and Middle East-based companies.”
Just as we saw a pivot from attacks on universities and then to elementary schools, banks to insurance, and more, we’ll see a global shift, said Kevin. “Criminal actors will move on to targets with less cyber knowledge. It will be even more critical to find the right partner for cyber security and cyber insurance coverage.”
What to look for in cyber insurance and a cyber security partner
“If you’re ready for a cyber security partner, it’s critical that you look for experience. They need to have real cyber experience and not have added cyber to their LinkedIn profile in the last year. Your cyber security partner should be your partner and your ally, not just your provider or vendor,” said Kevin.
“From an insurance perspective, your cyber insurance partner should play a bigger role. You should expect them to support proactive assessments—like a ransomware assessment—and cover more remediation activities that are aimed to secure their customers after a breach.”
The overall advice from Kevin? “You should expect your cyber insurance partner to say: how can we help improve your cyber security posture together?”
To continue reading our interview series, check out our interview with Frank Brown, CFO of RiskSense, where we talk about the future of cyber security and why CFOs are poised to be the solution.