Spiros Fatouros, Marsh Africa CEO, says: “Incident response planning is one of the 12 cyber security controls that most cyber insurers ask Marsh clients about during the underwriting process. And rightfully so. Creating and testing a cyber incident response plan before an incident occurs has long been a proven best practice. Persistent and pervasive cyber attacks underscore this need, whether they occur due to bad actors looking for economic gain or state actors working under political motives.”
It is time to say goodbye to the incident response plans of “cyber past” and welcome a new approach.
“As organisations that have experienced a cyber attack are learning, a cyber response is a complicated project to manage. Modern-day cyber incident response plans should be refreshed, with a new focus that takes into account evolving forms of cyber attacks, such as ransomware, and the increased sophistication of cyber attackers,” adds Fatouros.
When developing or updating incident response plans, your organisation will be well served to incorporate new best practices, including:
- Host incident preparation response plans off-network in a location that can be safely accessed by all incident response team members.
Time is a precious commodity when responding to an attack in today’s cyber threat landscape. Attackers will often enter a network and encrypt its data, making it impossible to access any predetermined plans or time-sensitive contractual requirements and preventing a rapid response. The ability to quickly access and execute the incident response plan can mean the difference between success and failure.
- Establish a secure, off-network cyber “war room” and communication channel for incident response team members and external incident response vendors to communicate.
Safe and secure communication is extremely important when responding to an attack. Any type of confidential information, including copies of cyber insurance policies, should not be e-mailed or shared on the corporate network. If the network is compromised, this information could fall into attackers’ hands and be used against your organisation. For example, attackers that have located cyber insurance policies have been known to match their extortion demands with cyber policy limits, gain access to credentials and/or attend incident response virtual meetings.
- Build and test response workflows for each type of incident to which your organisation may be exposed.
Incident response tools, resources and protocols are not one size fits all. Responding to an incident is incredibly complex. For example, how an organisation handles a ransomware demand should differ from the response to an accidental data breach. All incident response team members should thoroughly understand – and prepare for – their precise role during a cyber incident.
An agile and modern cyber incident response plan works together with other critical information – such as clearly identified team members and a copy of the cyber insurance policy. When stored on a secure cloud-based platform outside of your organisation’s network, the plan can avoid slow response times and reduce the financial and reputational impact of a cyber incident.
At Marsh, our focus is on helping you to promote better cyber outcomes and to build sustained cyber resilience.
Marsh sponsored the ITWeb Security Summit held on 31 May and 1 June 2022.
Marsh
Marsh is the world’s leading insurance broker and risk advisor. With over 45,000 colleagues operating in 130 countries, Marsh serves commercial and individual clients with data-driven risk solutions and advisory services. Marsh is a business of Marsh McLennan (NYSE: MMC), the world’s leading professional services firm in the areas of risk, strategy and people. With annual revenue over $20 billion, Marsh McLennan helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses: Marsh, Guy Carpenter, Mercer and Oliver Wyman. For more information, visit mmc.com, follow us on LinkedIn and Twitter or subscribe to BRINK.