Cyberattacks are painful, but with the right policies and response, MSPs can help clients get back on track. The key to success is an effective escalation plan to help avert a disaster.
MSPs play a crucial role in helping businesses withstand and recover from cyberattacks. “The right response is critical,” according to Carl J. Mazzanti, CEO of eMazzanti Technologies, a Hoboken, NJ-based cybersecurity MSP.
Given the high stakes, MSPs should establish a formal escalation plan that team members can use to respond swiftly and effectively. Here are eight essential steps:
Step 1: Preplan
Know your client, their industry, regulations, your capabilities, and what specific actions to take. “You can’t spend valuable minutes or hours deciding what to do, whether you need outside assistance and who to contact,” emphasized Jayson Ferron, CIO of Interactive Security Training. “Everything needs to be clearly spelled out ahead of time.”
Step 2: Detect and Analyze the Cyberattack
Carl J. Mazzanti
It’s important to act the instant you detect a cyberattack, Mazzanti urged. Initially, the most critical issue is to assess the type and severity of the incident. This determines the next steps. As bad as ransomware is, it’s obvious when it is present. Other intrusions — such as a compromised router or hidden malware — may require deeper analysis.
Step 3: Contain and Eradicate
Address short- and long-term containment issues. First, consider specific actions to stop the problem from spreading, such as pulling affected devices or curtailing user access. Later, you scan the network and data backups for additional malware while addressing issues like patching and adapting access controls.
Step 4: Notify Relevant Stakeholders
It’s vital to inform all key internal groups — IT staff, developers, executives, etc. — about the breach and how it will affect their departments and customers, Mazzanti said. You may need to notify external groups, such as an insurance provider, law enforcement agency, regulators, or the public (See Step 7 for more).
Step 5: Restore and Recover
Getting business operations back to normal is vital. Understand which systems are critical and which can wait. When a ransomware attack occurs, Ferron said he won’t take chances. “We rebuild the machines from a zero image and scan all the backup files to ensure they don’t contain hidden malware.” In addition, an MSP must focus on IT patches, updates and technical changes that can harden systems. Then, verify and validate systems.
Jay Ferron
Step 6: Investigate
The investigation stage has two components, Ferron noted. First, an MSP must review the incident response process to understand how to improve it. As part of this, do a forensic analysis to examine the incident’s root cause, which will include collecting information for insurance, legal, or regulatory reasons. Second, determine the extent of the damage, including financial losses and reputational damage.
Step 7: Address Reporting Needs
You may need to file an external report to regulatory agencies and other outside organizations. If the breach affected customers or has broader public repercussions, there will likely be a need for more public outreach and communication. Also, keep track of required reporting timeframes. “If you miss them, an insurance company may refuse the claim or fines may follow,” Ferron cautioned.
Step 8: Conduct a Post-mortem Examination
After the dust settles, thoroughly discuss and dissect the event, Mazzanti said. Have a conversation with the affected firm, as well as internally at your MSP about ways to refine and improve future responses. Address technology changes, policy and procedure updates, and how to improve training and awareness.
Featured image: iStock
