This quote by Allison Cerra, senior vice president and chief marketing officer of the cybersecurity firm McAfee, stood out in a post on "Creating A Cyber Incident Response Policy" on the Cyber Security Intelligence website. The complete post is at https://www.cybersecurityintelligence.com/blog/creating-a-cyber-incident-response-policy-4678.html.
Every business needs a cyber incident response policy (it may be required by data privacy laws) but small businesses may not have employees with the necessary skills in house, and there is a shortage of security experts. Nevertheless, there are resources online to create a policy, and everyone from the CEO to the receptionist should understand and follow it.
To begin with, a response policy must recognize there are various types of cyber incidents, including
- Data breach by outside hackers or rogue employees.
- Denial of service attack against e-commerce services.
- Ransomware or other extortion attempt.
- Phishing resulting in exposure of personally identifiable or confidential corporate information.
- Hackers gaining control of a social media site and defacing it.
- Lost or stolen personal device with sensitive data.
- Breach of a third-party site, e.g. a cloud service.
The first step in creating an incident response plan is to review and address all risks that apply to your system. Once the plan is written, every employee must review and understand it. Any employee who uses a computer - on premises or remotely - must take responsibility for cyber security. This includes recognizing phishing attempts, patching their devices, changing passwords when needed and reporting incidents to the administrator or service provider.
A cyber incident response plan should also include information about the firm's cyber policy, whose coverage should include breach notification and response expenses, along with the relevant contact information.