Moore Together: Do your clients have a CSIRP in place?

Moore-Together-Graphic.jpgMoore Stephens North America is comprised of over 40 member firms that provide key services across a wide variety of industries and niches. This month’s “Moore Together” is a collaboration between three subject matter experts in cybersecurity: Carl Cadregari with The Bonadio Group, Kevin Ricci with Citrin Cooperman and Joe Welker with Rea & Associates.
 

Baylor College of Medicine applicants’ personally identifiable data found on publicly available website; Local Salvation Army website updated after personal information released; Former Yahoo CEO apologizes for data breach and blames Russians; Kansas agency’s data restored after ransomware attack; Equifax data breach affects 143 million…these are real headlines and the message is the same: no one is immune to cybersecurity attacks.

When a business owner is handed the bill after an attack, chances are that it will consist of a nightmarish list of expenses, including costs associated with fines and penalties, especially if sensitive information related to healthcare (HIPAA) or credit card data (PCI) was stolen. There will be costs related to forensic and legal services as well as possible notification costs to customers whose information was compromised. Then there is the loss of revenue when productivity grinds to a halt during the time required to investigate and remediate the breach. 

But the most staggering cost, one that may not immediately come to mind, is the reputational damage incurred after an attack. Being in the news for a data breach can have a devastating impact, because at the end of the day, customers are not going to want to do business with a company that can’t protect their information. And while there is no silver bullet to stop an incident from occurring, an incident response plan can significantly limit the resulting damage and get a business up and running again in the most expeditious timeframe possible.

Kevin Ricci, director at Citrin Cooperman, helped a client learn the value and importance of having a response plan after they experienced an incident. When the company initially realized that their network was under attack, management attempted to find the contact information for their attorney and IT helpdesk contact as well as warranty and other technical documentation. They quickly realized, however, that all of the information they needed was located on – you guessed it – their compromised server. Without immediate access to that information, precious time ticked away as they scrambled to piece together what they needed to start the recovery process.  Further compounding the situation, management was unable to access the cloud backup solution, as what little documentation existed was fragmented and devoid of necessary detail. At that point, the Citrin Cooperman team was brought in to assist, and although they were able to get the client back up and running, the overall recovery time was exponentially longer than it needed to because of the lack of a comprehensive response plan. 

With instances like this occurring on a regular basis, all organizations regardless of their size or vertical market, should implement a documented Computer Security Incident Response Plan (CSIRP).

The purpose of a CSIRP is to provide practical guidelines and actionable steps to respond to an incident or an event effectively, efficiently and consistently. It provides a needed, and in many cases legally required, framework to bring the needed internal and external resources together in a repeatable and organized manner to address the myriad of possible events related to reporting, managing, communicating and learning from a cybersecurity or data disclosure, breach or other incident.
 
Examples of Adverse Events:
  • Malicious code attacks (malware)
  • Ransomware attacks, unauthorized access (malicious employee or a hacker) to the computer systems
  • Unauthorized utilization of your web services
  • Denial of service attacks
  • General misuse of systems
  • Loss of sensitive or confidential data (lost cell phone, laptop, USB drive)
  • A breach of legally or regulatory controlled data
  • Hoaxes (phishing, social engineering attacks)

What constitutes an adverse event must be decided by each organization; however, the list will likely contain items and events such as malicious code attacks (malware), ransomware attacks, or unauthorized access (malicious employee or a hacker) to the computer systems, among others.

Key elements of a good plan include critical contact information and executable recovery steps for different scenarios such as ransomware or catastrophic facility loss.  The plan needs to be available at a secure offsite location and should be periodically discussed and tested to the fullest extent possible by all key members of the company and not just the IT Department. The investment of effort and time put into developing this plan will pay tremendous dividends in the event of an incident, and could be the difference between a rapid recovery and a prolonged - and possibly permanent - disaster for a business.

Joe Welker, IT audit manager with Rea & Associates, recalls an event involving a small city in Ohio several years ago. The entity operated city services on a single virtualized server and did not have an Incident Response Plan in place. So, when that server shut down as a result of a ransomware attack, they called Joe and his team.

They were informed by the city’s Finance Manager that a law enforcement officer was doing his/her job and used the computer’s browser to load an infected web URL which compromised both the workstation and the attached server. The infection affected the physical server which in turn made all virtual servers non-functioning. The Rea & Associates team helped implement the Incident Response Plan, including contacting the FBI and the city attorney.

In addition to emphasizing the importance of an entity having an Incident Response Plan, Joe also considers it best practice for government entities who support a law enforcement agency to provide a separate internet connection for law enforcement work.

Carl Cadregari, practice leader of The Bonadio Group’s IT/IS Enterprise Risk Management Team provides an important disclaimer: Don’t forget that this document is a “living” document and is intended to provide a practical guide to your Team with details for actionable and recordable procedures in the event of an incident. As with any working document, it is recommended that these procedures be periodically reviewed and tested at least twice a year to ensure efficacy, adequacy and relevance to current business operations.

To learn more about computer security incident response plans (CSIRPs) or other cybersecurity issues, please contact Carl Cadregari with The Bonadio Group, Kevin Ricci with Citrin Cooperman or Joe Welker with Rea & Associates.

We’re great alone, but we’re “Moore Together!” If you would like to collaborate with other members, or if you have a topic you would like to address, please contact Laura Ponath.