Cyber-attacks and breaches present a significant security challenge to small and medium-sized businesses.
Cyber incident response offers a structured approach to responding to, managing and mitigating security incidents in order to limit the disruption an attack can cause. In this blog post, we discuss how small and medium-sized businesses (SMBs) are being impacted by cyber threats, what cyber incident response involves and the steps you can take to protect your business.
What is cyber incident response?
A cyber security incident is an event that has the potential to lead to the compromise of the confidentiality, integrity or availability of a company’s data or systems. Types of cyber incidents include data breaches, unauthorised access, unlawful data processing, the altering of data without consent and attempts to disrupt or deny service. When any organisation is impacted by a cyber security incident, a clear, pre-agreed process is required to take control of the situation and respond quickly and effectively to protect the company’s assets, operations and reputation.
Cyber security incident response is the approach that an organisation takes to effectively plan for, respond to, manage and mitigate the damage caused by cyber incidents and help to protect assets and operations. Its ultimate aim is to limit the disruption caused by attacks and restore operations as quickly as possible. Planning and resourcing an effective response plan can be a significant challenge for small and medium-sized enterprises (SMEs), but its importance cannot be overlooked.
Why does cyber incident response matter for small businesses?
Cyber incidents present a significant threat to businesses of all sizes. Whether it is the immediate financial impact of a breach, making a payout after a ransomware attack, dealing with operational disruption or having to address damage to their reputation, SMBs/SMEs have a lot to lose as a consequence of incidents. The challenge is only increasing. According to a recent report from the Department for Culture, Media and Sport (DCMS), cyber security breaches have become more costly for medium and large businesses across the UK. The impact isn’t always short-term either. A report released in 2022 revealed that 21% of US and European businesses said that their solvency had been put at risk by a cyber-attack.
In other research, it was revealed that password-stealing malware and other cyber-attacks against small businesses have increased significantly over the past year, particularly in the UK.
According to the government’s Cyber Security Breaches Survey 2022, 39% of UK businesses stated that they identified at least one cyber-attack on their operations within the last 12 months. The report concludes that “businesses are now less capable of identifying breaches than they were two years ago” while making the point that this may have been driven by changes in attacker behaviour, rather than by internal factors alone. Among those identifying any breaches or attacks, around half of businesses (49%) state that it happens once a month or more often, with around three in ten businesses (31%) saying they experience breaches or attacks at least once a week.
Despite these trends, there is still a lack of appropriate action. The Cyber Security Breaches Survey 2023 identified a decline in focus on cyber hygiene among small and medium-sized businesses. Cyber hygiene covers basic controls such as password policies, network firewalls and restricting admin rights.
The six steps of incident response
With so many potential challenges, it’s surprising that many small and medium-sized businesses still aren’t taking enough action to protect themselves. The Breaches Survey report comments that, while approaches to incident response are reasonably comprehensive, the most frequently mentioned actions tend to be more reactive, with proactive measures being less common. The report also highlights that communications and public engagement plans are much less widespread than other actions, even among large businesses.
Swift strategic action is vital in the event of a security incident. SMBs and SMEs can achieve this through a robust approach covering six key steps:
1. Preparation
Just as planning is critical to the success of other business operations, the development of an incident response plan is a key aspect of good cyber security. Careful preparation of systems and procedures should include actions such as defining key processes, developing incident response drill scenarios (for example tabletop exercises that walk the team through a ransomware or Business Email Compromise case) and training employees.
2. Identification
Identification is the stage at which you ascertain whether your business has been breached and the level, if any, of compromise of your systems. It also includes documenting and reporting incidents as quickly as possible as part of your formal breach notification process, gathering and preserving evidence, and ensuring that all the relevant people are ready to take action.
3. Containment
At this stage, businesses act to isolate threats in order to limit any additional damage from the incident and to prevent the destruction of evidence. This typically involves short-term containment (for example disconnecting affected systems from the network), longer-term containment while a clean rebuild is prepared, and taking a backup or forensic image of affected systems before they are changed, so that evidence is preserved.
4. Eradication
Businesses must identify the root cause of the incident and remove the malware, attacker accounts or other footholds introduced by the attack, then harden the affected systems so that the same entry point cannot be reused in future attacks.
5. Recovery
Affected systems and devices are restored and returned to their full working status. This is the phase in which businesses can start operating again without creating the risk of further incidents. Key actions include confirming that systems have been patched, hardened and tested, that they are being restored from trustworthy, known-clean backups, and that monitoring is in place to detect any reinfection, plus adopting tools that will help prevent similar attacks.
6. Lessons learned
The final stage of the incident response process provides valuable insight for small businesses. All incident response team members discuss the lessons gained from the incident and analyse and document every aspect of it, including a timeline of what happened and how quickly each step was taken. This allows businesses to assess what worked well and what didn’t, informing strategy for the future.
Protecting your business with incident response planning
The first step outlined above, incident response planning, is essential to protecting your business, whatever the size or industry. An incident response plan is a document which establishes a strategy to guide your company’s actions following a security incident. Your incident response plan should clearly and comprehensively communicate the actions your business needs to complete after a cyber-attack, covering different scenarios.
Having a good incident response plan in place enables your organisation to become better prepared to respond to issues such as Business Email Compromise, insider threats, ransomware and supply chain attacks.
An incident response plan for small businesses should include guidance for:
- Assigning responsibilities to particular people
- Outlining technical protocols and escalation points
- Planning for resource gathering and documentation
- Establishing communications and notification procedures
- Determining a review and testing schedule
What is an incident response retainer?
Failing to adequately invest in cyber incident response is a false economy. Overlooking this area of security can result in higher costs and added pressure when seeking to find support in the event of an incident. A retainer can help small businesses better manage the costs and processes involved with achieving effective cyber incident response, and provide access to expert cyber security services that can lessen the burden on in-house teams.
An incident response retainer with a trusted partner offers some key advantages. As well as establishing a valuable long-term working relationship, the retainer sets out clear standards of service for your company. It also means that your organisation is ready to act quickly and effectively when and if an incident occurs. This reduces the risks of business disruption and the high costs of an incident.
When choosing a partner for an incident response retainer, it is essential to assess the scope of the services provided. The retainer should provide good value for money and include support from proven experts and flexible incident response capabilities.
How Kroll can help
Kroll is the global incident response leader – responding to over 3,000 security events every year. Kroll is well-placed to help you respond effectively to many types of incidents and to enhance your organisation’s incident response procedures so that it can respond faster and more effectively to security incidents. Our flexible incident response retainers provide elite digital forensics and incident response capabilities on demand, with a transparent pricing model to ensure you achieve value for money.