What is a cyber-preparedness plan?
Integral to enterprise risk management is cyber preparedness — or an organization’s level of preparedness when it comes to handling cyber attacks. Preparedness generally involves defining the steps taken before an incident, as well as those needed during and after the incident. In this article, we look at actions to take during a cyber attack. View related articles for measures to take before and after the incident.
Actions during an attack
The first action during a cyber attack is its detection. Because many attacks are by themselves not disruptive — focusing instead on copying sensitive information, sometimes over long periods of time — they leave few clues to their existence.
This requires that organizations have procedures that allow them to both notice unusual events and receive reports of such events. Training to help IT staff spot suspicious events — such as the requisition of an additional MFA-registered device — and use of event management and user behavior analysis tools that flag breadcrumbs left by ongoing attacks both allow for further investigation and detection.
Once an attack has been detected, it needs to be categorized and prioritized, and responses planned under the cyber security policy need to be initiated.
The real challenge, however, is responding to cyber attacks rapidly and effectively. Organizations therefore must prepare an easily accessible incident response (IR) plan that includes response guides for various scenarios and must have staff onboard to coordinate the IR.
The IR should include internal responses, utilization of service-level agreements with external cyber security experts, and informing and working with law-enforcement agencies to achieve attack mitigation.
To learn more about cyber security preparedness before, during and after an attack, check out Arrow’s ebook, “Under Attack: The Evolution of Cyber Security.”