Best practices for cyber incident readiness: Marsh

Spiros Fatouros, Marsh Africa CEO.

---

Spiros Fatouros, Marsh Africa CEO, says: “Incident response planning is one of the 12 cyber security controls that most cyber insurers ask Marsh clients about during the underwriting process. And rightfully so. Creating and testing a cyber incident response plan before an incident occurs has long been a proven best practice. Persistent and pervasive cyber attacks underscore this need, whether they occur due to bad actors looking for economic gain or state actors working under political motives.”

It is time to say goodbye to the incident response plans of “cyber past” and welcome a new approach.

“As organisations that have experienced a cyber attack are learning, a cyber response is a complicated project to manage. Modern-day cyber incident response plans should be refreshed, with a new focus that takes into account evolving forms of cyber attacks, such as ransomware, and the increased sophistication of cyber attackers,” adds Fatouros.

When developing or updating incident response plans, your organisation will be well served to incorporate new best practices, including:

• Host incident preparation response plans off-network in a location that can be safely accessed by all incident response team members.

Time is a precious commodity when responding to an attack in today’s cyber threat landscape. Attackers will often enter a network and encrypt its data, making it impossible to access any predetermined plans or time-sensitive contractual requirements, preventing the possibility of a rapid response. The ability to quickly access and execute the incident response plan can mean the difference between success and failure.

• Establish a secure, off-network cyber “war room” and communication channel for incident response team members and external incident response vendors to communicate.

Safe and secure communication is extremely important when responding to an attack. Any type of confidential information, including copies of cyber insurance policies, should not be e-mailed or shared on the corporate network. If the network is compromised, this information could fall into attackers’ hands and be used against your organisation. For example, attackers that have located cyber insurance policies have been known to match their extortion demands with cyber policy limits, gained access to credentials and/or attended incident response virtual meetings.

• Build and test response workflows for each type of incident to which your organisation may be exposed.

Incident response tools, resources and protocols are not one size fits all. Responding to an incident is incredibly complex. For example, how an organisation handles a ransomware demand should differ from the response to an accidental data breach. All incident response team members should thoroughly understand – and prepare for – their precise role during a cyber incident.

An agile and modern cyber incident response plan works together with other critical information – such as clearly identified team members and a copy of the cyber insurance policy. When stored on a secure cloud-based platform outside of your organisation’s network, the plan can avoid slow response times and reduce the financial and reputational impact of a cyber incident.

At Marsh, our focus is on helping you to promote better cyber outcomes and to build sustained cyber resilience.

Marsh sponsored the ITWeb Security Summit held on 31 May and 1 June 2022.