Cyber attacks have become an everyday occurrence. Businesses of all sizes are feeling the pressure of balancing tight budgets while investing in the necessary cyber attack response measures to protect against threats.
Perhaps the biggest return-on-investment (ROI) is equipping employees with the necessary skills and knowledge to detect and respond to security incidents. After all, they will be the ones who encounter suspicious activities firsthand and can act as the first line of defense.
This article will explore three practical behaviors every employee should learn to strengthen their role in the organization’s cyber security efforts.
Behavior 1: Take Steps for Immediate Containment of the Cyber Incident
The first cyber security incident response step is containment. Once a security breach is detected, employees must know how to limit its impact by isolating the affected systems and networks. By containing the threat quickly, organizations can minimize the damage, protect unaffected systems, and buy time to investigate and respond appropriately.
Some critical first steps employees may have to take when responding to an incident include:
- Isolate affected systems: Immediately disconnect infected or compromised devices from the network to prevent the attacker from accessing other systems and data.
- Disable compromised accounts: Temporarily disable user accounts that may have been compromised to prevent unauthorized access and further malicious activity.
- Block malicious IP addresses: Identify and block IP addresses associated with the attack to stop further intrusion attempts.
Behavior 2: Report and Escalate the Cyber Incident
Regardless of the security training employees receive, they can’t respond to an incident by themselves. Organizations must have well-established protocols for escalating incidents to the appropriate parties, which may include an internal IT security team, law enforcement, or a third-party cyber attack response provider.
Internal Reporting:
- Notify IT security: Employees should immediately report any suspected security incident to the IT security team through designated channels (e.g., a dedicated email address, hotline, or incident reporting system).
- Inform management: Key management personnel should be informed of the incident to ensure they are aware of the situation and can provide necessary support.
Involving Additional Resources:
- Activate incident response plan: The IT security team should activate the incident response plan, mobilizing the internal cyber attack response team and resources.
- Consult with legal and compliance teams: Involve the legal and compliance teams to ensure all regulatory and legal requirements are met.
Engaging External Parties:
- Third-party incident response providers: If the incident is severe or beyond the internal team’s capabilities, engage third-party incident response providers for additional expertise and resources.
- Law enforcement: In cases involving criminal activity, such as data theft or ransomware, notify law enforcement agencies to assist with investigation and potential prosecution of the attackers.
- Regulatory bodies: Report the incident to relevant regulatory bodies if required by law, ensuring compliance with data breach notification regulations.
Behavior 3: Do Not Tamper with Evidence Related to the Cyber Incident
The best cyber security behavior for an employee after reporting the incident is to do no investigation on their own and to leave the matter to the experts. Employees should be trained to detect and report an incident, but anything beyond that is out of scope for them.
Digital data is very volatile, and even slight tampering can compromise its integrity, making it difficult or impossible for forensic experts to accurately analyze the incident. This can hinder the identification of the root cause, obscure the actions of the perpetrators, and ultimately undermine legal proceedings.
Employees should understand the importance of evidence preservation and know how to properly collect and document evidence if instructed to do so by the IT or security team. Here are some guidelines:
- Create disk images: Make exact copies of the affected systems’ hard drives to preserve the state of the system at the time of the incident.
- Capture network traffic logs: Record network traffic to capture any malicious activity or communications that occurred during the incident.
- Take screenshots: Document relevant data by taking screenshots of error messages, suspicious activities, or any unusual occurrences observed during the incident.
- Document everything: Keep detailed notes on what was observed, when it was observed, and any actions taken. This documentation is crucial for reconstructing the incident.
A well-documented chain of custody is also necessary to maintain the integrity and admissibility of the evidence. A chain of custody is established by labeling and securing evidence, maintaining a detailed log of every instance of evidence access, and restricting access to the evidence to only those individuals who are directly involved in the investigation.
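The integrity requirement and the custody log described above can be made concrete in code. The following is an added example, not part of the original article: it hashes an evidence file in chunks (so a multi-gigabyte disk image fits in memory), records every handling event with a UTC timestamp, handler, reason and the item’s hash at that moment, and re-verifies the hash against the acquisition value. The evidence id, file name, handler names and file contents are all constructed for illustration.

```python
# Added example: evidence-integrity hashing and a chain-of-custody log.
# Not from the original article; every id, file name, handler name and
# note below is constructed for illustration.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large disk images fit in memory


def hash_file(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_constructed_image(content: bytes) -> Path:
    """Write a small stand-in for a disk image into a fresh temp directory (constructed sample data)."""
    directory = Path(tempfile.mkdtemp(prefix="evidence-"))
    image = directory / "workstation-42.img"  # hypothetical evidence file name
    image.write_bytes(content)
    return image


class CustodyLog:
    """Append-only record of every time an evidence item is handled.

    Each entry stores who touched the item, when (UTC), why, and the item's
    hash at that moment, so any change between two entries is visible.
    """

    def __init__(self, evidence_id: str, path: Path, acquired_by: str):
        self.evidence_id = evidence_id
        self.path = Path(path)
        self.entries = []
        # The hash taken at acquisition is the reference every later check compares against.
        self.acquisition_hash = self.record("acquired", acquired_by, "sealed and labelled")["sha256"]

    def record(self, action: str, handler: str, note: str = "") -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "note": note,
            "sha256": hash_file(self.path),
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if the item still hashes to its acquisition value."""
        return hash_file(self.path) == self.acquisition_hash

    def to_json(self) -> str:
        """Serialise the log for inclusion in the case file."""
        return json.dumps(self.entries, indent=2)


def demo_tamper_detection() -> dict:
    """Walk through acquisition, a legitimate read-only access, and a tamper event."""
    image = write_constructed_image(b"constructed disk image contents\n")
    log = CustodyLog("EV-0001", image, acquired_by="first responder (hypothetical)")  # constructed id
    log.record("accessed", "forensic analyst (hypothetical)", "read-only review")
    intact_before = log.verify()

    # Simulate the evidence file being altered outside the approved process.
    with open(image, "ab") as fh:
        fh.write(b"unauthorised edit\n")
    log.record("accessed", "unknown", "post-incident check")
    intact_after = log.verify()

    return {
        "intact_before_tamper": intact_before,
        "intact_after_tamper": intact_after,
        "entries": len(log.entries),
        "hash_changed_in_log": log.entries[0]["sha256"] != log.entries[-1]["sha256"],
    }


if __name__ == "__main__":
    print(json.dumps(demo_tamper_detection(), indent=2))
```

Recording the hash on every access, rather than only at acquisition, is what lets an investigator point to the exact custody step at which the item changed; restricting who may append to the log mirrors the access restriction the paragraph above calls for.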
Empowering Employee Response to Security Incidents
Employees play a critical role in incident response. Each organization needs a well-defined incident response plan that employees can follow during security incidents. The cyber attack response plan should outline the steps and behaviors covered in this article: how to contain the breach and prevent further damage, how to escalate the issue to the appropriate parties, and how to preserve evidence without tampering with it.