Incident Response Shouldn’t Be a Do-It-Yourself Endeavor

Calling an expert for incident response support is like calling the fire department when your kitchen catches on fire. You could, theoretically, go outside, grab a water hose and try to put out the fire yourself. But how much damage would happen in the meantime? And what if the fire spread before you could contain it? Calling in professionals who are trained to fight a fire — or, in our case, a cybersecurity incident — gives you a much better chance of minimizing the damage so you can focus on rebuilding.

We generally associate incident response services with crises such as a ransomware attack or a network breach. But such services are also valuable in preparing for the termination of a long-term or disgruntled employee. Engaging an expert to control the environment can be critical when an employee is in a position to leave behind unwelcome presents, such as a back door for access. 

Even if you have an internal blue team, which very few organizations do, it’s always good to get help from someone on the outside. Professionals who provide incident response services do this every day, and it’s all they do. As a result, they’re going to be much more effective and efficient.

Incident response services are available at various levels, from a zero-dollar retainer that kicks in only if an incident occurs to a fully paid retainer that might include proactive services, such as playbook creation and tabletop exercises. A zero-dollar retainer is basically the fire department: If something catches on fire, responders will show up and put it out, but they’re not going to make sure your fire extinguisher works and your electrical panels are in good shape.

Proactive services are important for several reasons. One is that cybersecurity insurers, having paid out billions of dollars over the past few years, have become extremely particular about who they will reinsure. Having a custom incident response playbook, created by a third-party firm, not only provides step-by-step instructions for an organization but also is valuable for insurance purposes.

Similarly, tabletop exercises prepare teams for what to expect if an incident occurs. Being unprepared for an event is a gut punch, and it’s a huge disservice to the IT team. IT professionals who are prepared, on the other hand, can say, “I know what’s going on. We prepared for this.” Tabletops are also a great opportunity to get executives and other units, such as finance and human resources, involved and reinforces the message that incident response isn’t as simple as just restoring data backups.

Organizations should have two incident response providers that they have vetted in advance. Then, if a need arises and one firm is inundated, the other might be more readily available. For example, one organization might have a 12-hour lead time while the other has a six-hour lead time. That’s pivotal when we’re talking about putting the fire out: The longer it burns, the more damage it will create.

In addition, make sure the company you choose is one that you’re willing to stake your reputation on. This means being confident not only in the partner’s expertise but also in how it will be perceived if an incident occurs and your organization must publicly explain how it has responded.

When an IT incident happens, people tend to be most surprised by the breadth and depth of what occurs. Getting hit with ransomware is like nothing you’ve ever experienced — you come in to work, and the whole place is locked down. You can’t get to anything. You may find out that files have been downloaded without your knowledge. Unfortunately, many people have their heads stuck in the sand, believing that “it will never happen to us.” 

The truth is that no organization is immune. Incident response services, however, give organizations the best odds of overcoming and surviving an incident — ensuring that a small fire doesn’t become a raging inferno.

Story by Mikela Lea, joined CDW in 2015 as a Field Solution Architect for security assessments and is now covering the South. Mikela works directly with sales and clients as an information security subject matter expert for incident response, application security, penetration testing, and compliance and governance.