Cyber-incident Preparedness Plan: The Key to Recovering Quickly


Cyber-security threats are an ongoing and increasing risk to public entities:

  • The average cost of a cyber-incident for public entities in 2020 was $136,000 nationally.*
  • Between 2016 and 2020, the number of cyber-incidents experienced by public entities across the country increased 150 percent.*
  • Since 2017, members have reported to MCIT more than 200 data security and cyber-incidents at a cost of more than $1 million.
  • The number of cyber-incidents MCIT members reported in 2021 was 11 times that of 2017.

Given this environment, it is crucial for members to establish steps they will take to respond quickly to an incident to prevent it from becoming worse and to restore operations once they are compromised. This is essentially a cyber-incident preparedness plan, much like the organization has for emergencies. The goal is to minimize the time it takes to return to full functionality and to limit the cost of an incident.

Know What You Have, Its Vulnerabilities

Before making a plan, it is important for an organization to understand the hardware and software it has and its largest cyber-vulnerabilities. These can then be addressed, or planned for should they be exploited in the future. Organizations are encouraged to create, periodically review and continually update a data inventory that details all equipment being used, data storage locations (including backups) and who has access to the data.

After creating the inventory, it is important to identify the most crucial data and systems and give priority to creating backups for those, to help recover the network and data quickly should an incident occur. This is particularly important for a ransomware or cyber-extortion attack. If an organization has offline backups, it can restore operations without paying a ransom to release its data and systems.
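As an added illustration that is not part of the MCIT article, the following Python sketch models the data inventory described above (equipment, storage locations, backups and who has access) and flags crucial systems whose backups would not support a quick recovery. The inventory records, the seven-day backup-age threshold and the system names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Asset:
    """One line of the data inventory (constructed schema, not MCIT's)."""
    name: str
    crucial: bool                    # prioritized during the inventory review
    location: str                    # where the primary data lives
    backup_location: Optional[str]   # None when no backup exists
    backup_offline: bool             # backup not connected to the organization's network
    last_backup: Optional[date]
    access: List[str] = field(default_factory=list)  # who has access to the data

# Constructed sample inventory for a small public entity.
INVENTORY = [
    Asset("payroll-db", True, "on-prem SQL server", "tape vault", True, date(2024, 3, 1), ["hr", "finance"]),
    Asset("gis-files", False, "file server", "nas-02", False, date(2024, 2, 20), ["public-works"]),
    Asset("email", True, "cloud tenant", "cloud snapshot", False, date(2024, 3, 9), ["all-staff"]),
    Asset("permits-app", True, "vm cluster", None, False, None, ["inspections", "admin"]),
]

def review_inventory(assets: List[Asset], today: date, max_age_days: int = 7) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for crucial systems that could not be
    restored quickly: no backup, a backup reachable from the network (exposed to
    ransomware), or a backup older than the allowed age."""
    findings = []
    for a in assets:
        if not a.crucial:
            continue
        if a.backup_location is None or a.last_backup is None:
            findings.append((a.name, "no backup"))
            continue
        if not a.backup_offline:
            findings.append((a.name, "backup reachable from network"))
        if (today - a.last_backup).days > max_age_days:
            findings.append((a.name, f"backup older than {max_age_days} days"))
    return findings

def access_report(assets: List[Asset]) -> dict:
    """Map each crucial system to the groups with access, for periodic review."""
    return {a.name: sorted(a.access) for a in assets if a.crucial}

if __name__ == "__main__":
    for name, finding in review_inventory(INVENTORY, date(2024, 3, 10)):
        print(f"{name}: {finding}")
```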

It is wise for members to conduct network/system testing. A common way to test the network is a penetration test. These tests replicate what a malicious attacker would do to try to gain access to the organization’s system or network and can identify unknown vulnerabilities. Test results can identify areas needing attention to further strengthen security and inform the incident response plan.

Additionally, organizations should implement and review network/system monitoring programs. These can help an organization identify whether any breaches or incidents have occurred. It is difficult to react to an event in a timely manner if it is not identified promptly.

Determine Steps to Recover Quickly

Creating an incident response plan is the next step. When creating an incident response plan, it is important to remember that after an incident occurs, the damage can happen quickly. Members are encouraged to think in terms of minutes and hours rather than days and weeks. Therefore, the more that can be planned and ready before an incident occurs, the less time is lost and the more effective the plan will be.

An incident response plan should include the following:

  • Identification of trusted vendors: Identify partners to assist with needed items prior to any compromise or cyber-attack. These parties commonly include data breach investigators (computer forensic experts), call centers for mass communications, public relations experts, legal counsel specializing in data breaches (breach coaches) and others.
  • Responsibilities: An internal incident response team should be created including management, technical employees, legal staff or vendors. The plan should be clearly spelled out to ensure everyone responds effectively. This also requires detailed contracts and expectations from any third parties. Prior relationships are vital to a swift response.
  • Incident identification and triage: Plans should detail means for identifying that an incident has taken place and what information may have been compromised. Steps in this phase tend to include plans to shut down compromised systems to limit further damage.
  • Notification: After a compromise has been identified, members should immediately contact MCIT to initiate a potential claim. Further notifications may be required, including contacting members of the organization, vendors, legal counsel, government agencies or the public. The claims process will determine whether a legally defined data breach occurred and what reporting or notification, if any, is required.
  • Investigation and threat/vulnerability removal: Plans should detail means to identify how the incident occurred and encourage corrective action to help restore systems and prevent similar future incidents.
  • Recovery and business continuity: Plans should include means to continue operations. Some of the most severe compromises or attacks can make continued operations difficult or impossible. Sound backup and redundancy systems ensure that downtime is minimal and that information can be quickly restored. Having an accurate data inventory and backup system that is not connected to the organization’s network is vital to recovering from a serious cyber-attack.

Although the incident response plan is generally created by the incident response team, it is important that all employees know at least the basics and importance of the plan. Every employee should know about his or her responsibilities, including methods to report any potential data compromise.

Full employee cooperation is needed to reduce the length of disruptions. When employees also know about basic security concepts, it helps limit the chances of a significant breach.

Cyber-incident Response Plan Resources

Members are encouraged to review existing plans and implement the prevention methods listed above. Resources are plentiful to assist members in their efforts. MCIT recommends these no-cost materials:

  • “Essentials of Data Security for Public Entities” (MCIT.org/data-security/). This guide offers more information about data and cyber-security, as well as common attacks and security strategies for a general audience.
  • Cybersecurity and Infrastructure Security Agency of the federal government (CISA.gov). It leads the national effort to understand, manage and reduce risk to the cyber and physical infrastructure of the United States. The agency offers a treasure trove of resources to help secure a local government’s IT systems.
  • National Cybersecurity Alliance (StaySafeOnline.org). It offers materials to help businesses secure their operations.

*NetDiligence® Public Entities 2021 Spotlight Report (the most recent available).