Why practice should be part of your incident response routine
Data preparedness is not just having a plan in place for cyber incidents. One MSP explains the importance of practicing when planning for a possible disaster. Floods, fires and power outages can occur at any hour of the day, and cybersecurity incidents are no exception. An example: RJ2 Technologies was attacked by an intruder at 3:30 AM on a Saturday, according to Heather Simek, vice president of the Schaumburg, Ill.-based MSP.
Hackers encrypted servers on both the MSP’s and the customer’s side in the middle of the night. Simek shared her story with other MSPs at the ChannelCon 2022 panel, “I’ve Been Compromised! Now What?”
“There was no history. We were starting from scratch,” Simek stated. Although the team had a very high-level incident response strategy in place, there were gaps that had never been filled in. Instead of falling back on a solid plan, they were scrambling.
Partner vendors were not prepared either: they were working with a skeleton team and were slow to respond. Looking back, she would have wanted more than a rough idea of what to do during an emergency response.
Simek stated, “There were many holes, holes that nobody thought about.”
It is one thing to have a plan for a possible disaster, but it is quite another to actually practice it. The gaps Simek’s team hit only surfaced during the real incident; practice gives you the opportunity to identify them beforehand. Another benefit of practicing is that it prompts you to talk to your partners about their own disaster response. Simek stated, “Find out their plan because you might see an area that they don’t see.”
Simek held the key to the vendor’s backup, which her team used to transfer the data from the primary cloud to a secondary one. With that break, the MSP was able to spin up servers and pull the data back down from the cloud. Even so, the recovery took several weeks.
Overwhelming?
There are many things to do in a cybersecurity incident, and it is nearly impossible to prioritize them all at once. Without a plan, people tend to make the same mistakes: losing focus, burning out and wasting time. In high-stress situations, physiological responses such as a rise in cortisol, along with the stressors and intensity of the moment, are normal.
Edlin Garcia, a doctoral student at Indiana University studying mental health in IT professions, said that “your brain is going to attempt to put you in survival mode.” If your reaction is “I don’t want this right now,” that is your brain protecting you.
It is common to freeze or stare blankly at the screen when a security breach or a weather emergency threatens a network.
Simek noted that the stress is felt not only at the top but all the way down to the helpdesk engineer fielding calls from customers trying to figure out what happened. It affects everyone.
Understanding the bigger picture, and how vendors can help with messaging, reduces that stress, but only if there is a clear plan and clear assignments.
A live run-through helps in many ways. Practicing the incident response plan several times a year, in low-pressure situations, lets people develop a muscle-memory response for when the pressure is real.
MSPs and MSSPs are limited in time and money, so planning for everything and running each client through monthly drills might not be possible. Start by deciding what you can do to help your clients if they are locked out of their servers.
Andrew Liverman Anderson, CEO of DataStream Insurance, stated, “I think you need to be honest about your limits and how much risk you take, not only for yourself but for the hundreds, thousands of businesses you all support.”
He suggests simplifying your system so that you can support your clients and guide them through what should happen during an emergency response.
Practice makes it easier to avoid making mistakes
Blair Dawson, who manages the cybersecurity privacy practice at McDonald’s in Chicago, says that having a plan is only part of data preparation. She assists people with disaster recovery, incident response, and insurance coverage.
Dawson stated, “There’s planning and then there is the practice. This means knowing ahead of time who the team members will be handling the incident, their roles, and practicing with them at minimum once a year.”
She has learned that practicing the plan is helpful in avoiding email compromises and ransom events.