Industry Voice: Four steps to SMB Incident Response Planning

In the past, cybercriminals focused on 'harpooning a whale': taking on big businesses in the hope of bigger profits. The cybercrooks of today discriminate far less, with nearly half of all attacks targeting small and midsize businesses (SMBs).

The shift in targets is most likely a matter of ease. SMBs hold much the same kinds of data as their larger counterparts, but limited budgets and in-house expertise mean their security is rarely as robust. Unfortunately, the impact of an attack is no smaller, and it can be particularly damaging for a small business: the average cost of a breach reached $3.31 million this year.

With the cost of a breach rising, it has never been more important for SMBs to be prepared. And it falls to managed service providers (MSPs) to prepare their customers with proactive, actionable incident response planning.

Building an Incident Response Plan

Incident response planning, and cybersecurity in general, is so often deprioritized because of limited resources and time. However, the evolving threat landscape means that incident response planning is a must for protecting your customers' businesses.

To build an incident response plan (IRP) that is geared to your SMB customers' business and needs, and that will help them minimize the impact of a cyber-attack, follow these four steps:

1. Assess

The first step in any process is to assess the situation. It's important to know where you are starting from so that you know how to move forward. If you haven't already, it's time to open a dialogue with your customers about their IRP: do they have a plan in place, when was it created, and has it been reviewed, either by your organization or by another third party? The answers will tell you what to do next, whether that is refining or testing their current plan or building a new one from scratch.

2. Plan

If your customer doesn't have a robust or recent IRP, you can find the ingredients of a basic response plan on the UK National Cyber Security Centre (NCSC) website and use them to build one out together. For instance, the NCSC suggests that the IRP include a list of key contacts and escalation criteria, along with a process for critical decisions, so that individuals are clear on their responsibilities before, during and after a security incident.

As you formulate the plan, check that it meets the following criteria:

• Clear roles and responsibilities for employees

• A clear, simple and actionable plan that reflects the organization's risks and resources

• Accessible to everyone in the organization, including when normal systems are unavailable

Involve all of the key contacts in the plan's development, so that any inconsistencies or gaps that would impede it being carried out during an attack are found before one happens.

3. Test

The next step is to test the plan. You don't want the first time you try to execute the plan with your SMB customers to be during a high-pressure situation such as a ransomware attack. Host a tabletop exercise (TTX) for them that simulates incidents they might face in the real world; this tests their ability to respond under attack conditions. TTXs can easily be scaled up or down to meet an SMB's needs, making them a low-cost, low-risk way to put your customers' IRP to the test.

The NCSC offers a free Exercise in a Box tool that helps organizations test and practice their response, but you can also create a bespoke exercise for your customer. As the facilitator, make sure the participants have the IRP to hand, encourage them to talk through their decisions with each other, and flag any gaps in the plan as they surface. Once the exercise is complete, take time to debrief with the customer so that you can refine the plan in line with what the exercise revealed.

4. Secure

While the testing phase helps to spot gaps in the IRP, it may also reveal cracks in the customer's defenses that neither you nor your customer has the resources to address. For instance, ransomware attacks are now more likely to be launched on a Friday or Saturday, when security teams are offline. That is why many businesses are turning to third-party cybersecurity providers to augment the services they already have.

For instance, managed detection and response (MDR) gives MSPs and their customers access to a dedicated team of experts around the clock, reducing the likelihood that an attack succeeds. And when it comes to the IRP itself, some cybersecurity vendors offer incident response retainers, so that specialists can quickly neutralize, investigate and remediate threats when an incident occurs. As an MSP, you can work with your customers to understand their specific security challenges and steer them towards the right third-party investments.

Proactivity is key

SMBs and their larger counterparts run much the same underlying technologies and infrastructure, so their attack surfaces are largely the same. The key differentiator is that SMBs have to tackle the same advanced threats without a comparable level of resources or expertise, making it harder than ever for them to prevent an attack.

With a robust incident response plan designed for their business, you put your customers in the best position to act decisively during an attack and minimize the damage.

This Article is sponsored by Sophos