In the event of a cyber emergency, it is important to have a fast, deliberate response – incident response. What does it involve? You can find out here. We also give a few concrete tips on how to optimize them.

First of all, we hope you never need an incident response. But as with all emergencies, cyber emergencies are better prepared to cope with them. We would like to contribute to this with this article.

If you know what needs to be done and have already made arrangements for your incident response, your company can get back to productive everyday life more quickly in the event of an emergency. At the same time, you can better keep calm in the hustle and bustle of a cyber emergency, act more thoughtfully and give others orientation.

Particularly important: The right, specialized contact persons

Cybercriminals often penetrate deep into the system they attack. For example, to make their ransom demand as unavoidable as possible through a comprehensive ransomware attack. Or to be able to attack again after an incomplete removal of the malware. Therefore, we strongly recommend that you consult appropriately specialized cybersecurity or IT forensics professionals in a cyber emergency.

Basic considerations for your company’s incident response

The best way to estimate how important good incident response is for your company is to do it yourself. What damage would a cyber emergency cause? For example: If all computers, servers, printers and other systems such as computer-controlled production lines fail. If you can no longer access your customer data or incoming orders no longer arrive in your system.

These considerations are rarely pleasant. But on the basis of this, responsible decisions can be made with regard to incident response. At the same time, these considerations help you to identify data and systems that are particularly worthy of protection.

How an incident response works

Good incident response takes place in three phases: before a cyber emergency, in acute cases and after a cyber emergency. The first phase is particularly important. Because all other measures are based on it.

Phase 1: Measures before a cyber emergency

This phase has a huge advantage: there is no time pressure. You can review and optimize your considerations and your approach at your leisure. Ideally, you will already be supported by specialized experts in the field of cybersecurity or IT forensics.

The key question is: How can damage caused by a cyber attack be avoided or reduced in the best possible way? Of course, the respective measures must be adapted to the specifics of your company. Many of them also have a preventive effect, i.e. they can prevent cyber emergencies.

Typical measures include:

• Optimization of the company’s IT structure to protect sensitive areas in a targeted manner
• Technical review of servers and networks for security vulnerability
• Minimizing organizational security gaps, e.g. due to devices used for work and personal purposes
• Training employees on cybersecurity and how to behave in cyber emergencies
• A contingency plan for fast, structured responses in the event of an emergency
• An emergency contact list of cybersecurity or IT forensics professionals, among others
• A backup strategy that takes into account data loss due to ransomware, among other things

Phase 2: Measures in acute cases

In the event of an emergency, it has to be done quickly. This is because cyber emergencies often cause production stops. However, many hackers rely on precisely this time pressure and “hide” parts of their malware in the system that are difficult to find. Therefore, thoroughness is also of crucial importance in acute cases.

Key measures of incident response in acute cases:

• Analysis of which systems are infected, with which malware, what damage already exists
• Checking how the malware got into the system and whether there are other, perhaps still inactive components
• Closing security gaps, including those caused by the malware itself
• Malware removal
• Recovery of lost data, e.g. via backup

Phase 3: Measures after a cyber emergency

A cyber emergency must be documented and, in most cases, reported to the relevant authorities. It may also affect your customers or partner companies – who will then have to inform you. Last but not least, a cyber emergency shows you where your company’s cybersecurity should be improved.

Common measures taken after a cyber emergency include:

• Documentation of the incident
• If necessary, report to the responsible authorities
• If necessary, report to the insurance company
• If necessary, notification of data subjects, e.g. if customer data could be viewed
• Optimization of cybersecurity through technical measures and training for employees

Our top 3 tips for your incident response

1. Get started. Define: Who is responsible for incident response in your organization? Talk to the appropriate person or department about it. If necessary, contact external experts in the field of cybersecurity or IT forensics and arrange a consultation appointment (often free of charge).
2. Reduce one of your biggest cyber risks. Improve phishing awareness in your organization. Because a legitimate-looking email with a malicious attachment or link is quickly clicked on in the hectic working day. How fast? Perseus offers you a free test of how vulnerable your company is to phishing attacks . On the basis of this, you can plan further steps.
3. Back up your data. Cyber emergencies, such as ransomware, can lead to major data losses. The more up-to-date your back-up data is, the better. IMPORTANT: Always keep at least one backup inaccessible from your system. For example, on an external, unplugged hard drive. This is because in many attacks, backups are specifically searched for in the system and destroyed or encrypted.

Do you have a cyber emergency or would you like to optimize your incident response with us? Then contact our experts at Perseus.

Would you like to take a closer look at the topic of incident response? Then request our free guide “What to do in a cyber emergency”. In it you will find significantly more information than fits in a blog article.