A cybersecurity breach costs on average $3.5 million. Typically, it goes undetected for 209 days, and it takes a further 32 days to respond appropriately once it has been detected [1]. To make matters worse, there is a one million person shortfall in security experts, according to Cisco [2].
So whether or not your organization is prepared for a cyberattack could be the difference between success and failure. Here’s the outline of a plan:
The most important part of a plan is the objective.
What part of your business do you want to protect? Is protecting your reputation the number one priority? Or protecting revenues? Uptime for your customers’ services?
Once this high-level objective has been established, identify which technical services you will need to maintain to achieve that.
Ask yourself: which parts of my IT estate are critical for ensuring customer uptime? What can I live without, and for how long? Which people do I need to maintain my key assets, and are they familiar with the plan? If not, make sure they are familiar with it and that they practise drills to prepare themselves for a real event.
Know what you want to defend and prioritize accordingly.
A multi-tiered approach can be useful. A household analogy works well: if your business is an entire house, you want all the doors and windows to be locked. But you know this won’t stop all thieves, so you have a second line of defence: a burglar alarm. But the crooks could still get away with your most valuable items before the police arrive, so your key assets should be stored in a safe.
Explore your vulnerabilities. Could your users be exploited? Could someone gain access via a third party? Are some systems particularly old with weaker security?
It goes without saying that, once your defences are set up, you should test them to make sure that they are sufficient.
How will you know if you are being attacked?
Assess your available resources and potential threats (given your plan, as above), and determine what processes need to be monitored, and to what extent.
Ensure that this monitoring and reporting feeds into your security operations centre (SOC) and is integrated with your existing incident management processes, so that the left hand knows what the right hand is doing – and the appropriate alerts are raised.
Capture the data relevant to the threats you have identified, and ensure you have the expertise and technology to analyse those data sets. For this it is crucial that you are monitoring across your entire estate, not just a few systems.
Once you have detected a cyberattack, it’s time to implement your plan – decisively, but flexibly.
Ensure approval for all necessary activities, executive decisions and required resources. Make sure that someone is delivering regular reports so that the plan can be altered based on relevant developments.
Then deploy your emergency change processes: essentially, pulling up the drawbridge to ensure that the breach can’t be made any worse.
Communication is essential in these scenarios. Internally, ensure staff are equipped to answer any queries from either customers or the media. Deploy a reporting schedule that keeps all relevant individuals regularly up to date with hourly or daily updates. Externally, if the breach is sufficiently large, prepare a press release that explains that there has been a breach, and what you are doing to minimise the damage.
Lastly, get forensic: find out exactly which machines were affected and how – so you can stop it happening again in the future.
Once your plan has been executed and the cyberattack has ceased or been resolved, it’s unwise to try to get back up and running as quickly as possible.
It’s crucial that your systems are repeatedly tested, any leftover problems then remediated, and tested again.
Once testing has been passed, put together a ‘go-live checklist’ – rigorously approved at the executive level – which you can work through cautiously, keeping your finger on the pulse of your systems as you do so. Your patient has just gone through major surgery – don’t rush it!
Over the longer term, decide on what improvements you can make to your system – at the detection, reaction, and/or recovery levels – and invest appropriately.
Finally, don’t forget your customers. Continue keeping them up to date with what’s going on.
[1] Mandiant, M-Trends Report; Ponemon Institute, Cost of Data Breach Study
[2] Cisco Annual Security Report 2014