Learn About the NIST Cyber Security Framework (Part 3)
According to IBM’s 2020 report, the average cost of a data breach was $3.86 million. This is a big business for cyber criminals and all that money creates an incentive for hackers to continually innovate. The reality is that the good guys are often a step behind the bad guys, and over a long enough period, everyone will fall prey to an attack. Even the best defenses are not completely bulletproof. That’s why having steps laid out for when a breach does occur is critical to minimize the financial and operational impact.
Our most recent two blog posts took a close look at the first three parts of the Protect Function on the NIST Cyber Security Framework. In this third and final post of the series, we’re going to discuss the last two functions: Respond and Recover.
When an attack does get through all your other protective measures, the ways in which you’re prepared to Respond and Recover dictate how much damage is done and how quickly your business or organization can get back on its feet. Respond covers the immediate action plan to limit theft or data corruption and Recover includes the step-by-step guide to resuming normal operations.
Respond: What Do You Do When an Attack Is Happening?
A Cyber Security attack is often not like a bank robbery; people don’t burst through the door and announce themselves. More commonly, it happens silently, and without the right detection tools it’s invisible too. You might not even know it’s happening. In fact, if you haven’t developed a strong Cyber Security culture, it might be days before someone realizes that something is wrong.
The Respond function of The Core involves formalizing the actions and communications your team will take when that moment comes. Most often, this takes the form of an Incident Response or Business Continuity Plan, something we’ve detailed in past blog posts. In that plan there should be clear guidance on the what, who, and when associated with past, current, and future risks your organization may face. And while that’s the first step towards staging an effective Response, it’s important to regularly reexamine your plan to keep it up to date with new systems, personnel, and contemporary threats that may impact your business or organization.
Inform The Right Stakeholders
In the event of a Cyber Security breach, there are certain people inside and outside of your organization who need to know what happened, and what will happen, over the coming hours and days. It is critical to have this communication plan in place in advance so that you do not waste precious hours just figuring out what to say and to whom. Making these decisions during peacetime also saves you from having to make them under pressure, when your attention is more likely to be scattered over other aspects of the situation.
Analyze For Effective Response and Recovery
Another important element of the Respond function is analysis. You want a measured, appropriate response, not knee-jerk reactions. This analysis starts the minute an attack is detected. Systems should be in place to examine the scope of the incident as soon as your detection systems sound the alarm. You should also have the capacity to perform a forensic examination of the nature of the attack to diagnose the best way to stop it, if possible, and to close any newly identified security gaps for the future.
Respond Audit Questions
Macro Connect’s Cyber Security Audit is at the very core of our Cyber Security service offering. It is a complete review that follows the NIST Framework in assessing the risks your business faces. To give you an idea of how it works, we’ve included a few more examples from the actual Audit:
Example Question 1: Is there a standard communications plan in place to follow in the event of an incident?
When a cyber security incident occurs, you should already have a list of people who need to be informed. That starts with company leadership and goes on to include other internal employees and external stakeholders like customers, clients, and investors. Everyone is affected in some way by a breach in your network. Take time to understand and document the kind of information each group of stakeholders will need to know.
Example Question 2: Are relationships with cybersecurity-focused law enforcement agents and agencies being maintained?
Reporting a cyber security incident is not the same as a burglary. While you will probably need to inform your local police department, there are other specialized law enforcement agencies that deal exclusively with cyber security incidents. Take the time to meet your local agents so that if something does happen, they have some context for how to support your efforts.
Example Question 3: Do processes exist to receive, analyze, and respond to vulnerabilities disclosed to the organization?
A fast response isn’t always a better response. Having a well-organized, effective response is more important. Make sure you have the processes and tools in place to detect and analyze an attack so that you can respond with the right countermeasures and mitigate the attack the first time.
Recover: Getting Back to Normal Operations
Recovery from a Cyber Security attack starts the minute the attack ends. This function of The Core helps guide your business, school, or organization toward a return to normal operations. The biggest part of this function is the Recovery Plan. A Recovery Plan is a step-by-step process for re-establishing control over your information systems, restoring lost or corrupted data, and improving your network and devices to guard against future attacks. While a minor incident may barely impact daily operations, a significant attack could put you out of business for days or weeks.
A good recovery plan also includes a continuation of the communication activities for internal and external parties. Depending on the size of your business, you may need to call clients, send out bulk emails, or even issue a press release. And as time goes on, you’ll want an organized plan to help repair your reputation so that clients and customers will continue to trust you.
Recover Audit Questions
The Recover function of the NIST Cyber Security Framework is just as important as the Respond function. Below are three more example questions from our comprehensive Cyber Security Audit.
Example Question 1: Does a framework exist to guide the process of recovering from an incident?
In the minutes and hours after a Cyber Security attack, you want to have a pre-prepared response plan to guide your actions. Your instinct will not be to slow down and think carefully about what to do next. Take time now to develop a framework for your response that addresses a few of the most likely scenarios for your organization. That playbook will help you react more effectively so that you can recover more quickly.
Example Question 2: Does a plan exist to structure communications during the recovery from an incident?
As we’ve mentioned before, an organized communication plan is key to an effective recovery. Outline your various stakeholder groups, note the kind of data they are associated with, and the kind of information they will need to receive after an incident. This will help you to quickly identify who needs to be informed based on the scope of data compromised and what you will say to them.
Example Question 3: Are procedures in place to ensure that improvements are identified and incorporated after an incident?
In the aftermath of a Cyber Security attack, you will also need to take time to improve for the future. No one wants to learn the hard way, but if you do, make sure you identify the vulnerability and close it so that it never happens again. While this may include adjustments to certain technologies or systems, it should also include updates to the procedures and documentation that guided your efforts in all the NIST categories.
There’s Always More To Learn
That’s it for our three-part blog series about The Core of the NIST Cyber Security Framework. We hope that you’ve learned more about the ways you can protect your business against the threat of a Cyber Security attack. Hopefully, you’ve also come to appreciate the ways Macro Connect is prepared to support that effort. Our Cyber Security audit is the gold standard for keeping businesses, schools, and other organizations safe. But the learning doesn’t stop here. Our nation’s thought leaders in Cyber Security are always developing new, more advanced methods for protecting against digital criminals and we’re always paying close attention so that we can stay at the forefront of Digital Security.
Taking The First Step
Macro Connect’s team of experienced IT professionals can help keep your business or organization safe from the threat of cyber security breaches. Our comprehensive Audit and TotalSecure offerings address the most frequent Cyber Security issues at the most common entry points. If you want to conduct an Audit or learn more about TotalSecure, or just talk about why we think Cyber Security needs so much attention, give us a call. Our expert team is standing by and excited to help you better understand the world of Cyber Security. To get started, reach out and schedule a strategy appointment with one of our Client Solutions experts today!