Planes de respuesta a incidentes de ciberseguridad para negocios pequeños
Cybersecurity incidents are not limited to large corporations. Small businesses are also at risk for cyber attacks, hacks, data breaches, and other types of cybersecurity incidents. As a small business owner, you should ensure that your business is ready to identify and respond to these attacks. The best way to do that is with a cybersecurity incident response plan (CSIRP). In this article, we'll explain what incident response plans are and how you can build one that works for your small business.
What Is a Cybersecurity Response Plan?
A cybersecurity incident response plan is a set of instructions that explains how your business will respond to cyber attacks like hacks, data breaches, leaks, and more. Incident response plans are designed to help you respond to multiple types of attacks, and they can help your organization avoid severe damage and recover faster.
Why Your Small Business Needs a Response Plan
There are a few reasons why your business needs an incident response plan.
First, a good plan will help your security teams respond efficiently and effectively to an attack. If you don't have one in place, they might struggle to even recognize an attack, let alone respond without making mistakes. Recovering from a cyber attack is a stressful experience, and having a plan that outlines steps, roles, and responsibilities can be an immense help.
There are also situations in which you'll be legally required to notify government agencies or other organizations. Estado data breach notification laws and federal standards like the Health Insurance Portability and Accountability Act (HIPAA) mandate disclosure in the event of a personal information leak. Failing to do so can result in fines or other legal actions. An incident response plan will ensure your business takes the correct steps.
You also need to consider data privacy regulation. Some International Organization for Standardization (ISO) security certifications require that you have a cybersecurity incident response plan in place. There are also government regulations, like the California Consumer Privacy Act, that mandate businesses have a response plan.
How to Create a Cybersecurity Response Plan
There are two frameworks that you can follow when you create your cybersecurity incident response plan: the National Institute of Standards and Technology (NIST) Incident Response Process and the SANS Incident Response Process. Both frameworks are broadly similar, so for the purposes of this article, we'll follow the SANS framework. It's possible that the NIST framework may be better suited to your business, so consult your security experts to formulate the best plan.
The SANS Incident Response Process features six steps:
- Lessons learned
We’ll break down the entire SANS plan, but you can check out their official guide for more inspiration.
Your response plan starts with the preparation phase. In this phase, you'll determine what your CSIRP looks like and ensure that all incident response team members know who to contact during a cyber attack. Incident response training and drills are a key part of this phase-a CSIRP will do you no good if your team does not know how to implement it.
In the identification phase, your security team will decide if activating an incident response plan is warranted. They'll do this by analyzing things like error messages and firewalls.
A key part of the identification phase is ensuring that the correct team members are notified as soon as abnormal activity is detected. This tracks back to the preparation phase: Make sure your team knows who to contact when they spot something fishy.
Once you’ve identified the attack, your team will move to the containment phase. Your security team’s goal is to isolate the attack and prevent any further damage. First, they’ll need to determine if the attack can be isolated and what steps need to be taken if it can. Either way, they’ll also need to back up the compromised systems, as removing malware or viruses from an infected system may require erasing all of the data on the machine.
Eliminating the threat starts naturally in the containment phase and is completed in the eradication phase. Eradication chiefly involves removing the threat from infected systems, disabling infected systems to prevent the attack from spreading across the network, and addressing the vulnerabilities that enabled the attack in the first place.
In the recovery phase, the goal is to get your systems back to their normal, pre-compromised state. Ideally, you'll replace anything that was lost during eradication with clean backups, though there is a chance you'll have lost data during the eradication process. Once your systems are back online, monitor them for any suspicious activity.
6. Lessons learned
With everything back to normal, your response teams should compile the notes and documentation they've recorded since the start of the incident. The result should be a document that outlines the entire incident response process, and it should be easy to understand for people outside of the response team. The response team should also meet with all stakeholders and discuss the incident, the response, and how it could be improved.
How Often Should I Review My Plan?
At minimum, you should review your CSIRP every year, making sure that it is in line with industry best practices. There may be situations where more frequent reviews are required, such as when you need to adapt to new regulations or if the members of your internal security team change.
Incident Response Plan Templates and Examples
For response plan templates, the FCC’s Small Biz Cyber Planner 2.0 is a fantastic resource. You can use it to create and customize your own plan, and the FCC has a Cybersecurity Tip Sheet full of expert advice.
You can also use the following examples for inspiration:
- U.S. Department of Homeland Security National Cyber Incident Response Plan
- Minnesota Department of Agriculture Incident Response Plan for Agricultural Chemicals
- University at Buffalo Information Security Incident Response Plan
- Carnegie Mellon Computer Security Incident Response Plan