Why an incident response plan is a must-have

Transparency and communication are critical when responding to cybersecurity incidents.

Doris Au, Product Marketing Manager, Barracuda MSP

When companies consider their cybersecurity vulnerabilities and how they would respond to ransomware or other attack types, the focus is often on technology (threat detection and mitigation systems) and restoration (bringing servers back online, retrieving data from offsite storage). But communication is a critical part of incident response and something companies often do a poor job of in the aftermath of an attack.

Many SMBs lack an incident response plan, which can compound the damage done by these attacks. Some companies think that having secure offsite backup and recovery solutions in place is all they need. But because these attacks have become so ubiquitous, complex, and dangerous, restoration is one of the last pieces of the incident response puzzle.

Time-to-response is much more important because the damage done to an organization’s finances and reputation between the time the attack commences and when it’s detected can be crippling. Moreover, the impact can be worse if the company doesn’t effectively communicate what’s happening to staff and customers.

The role of an MSP has evolved in the past couple of years. In conjunction with security service offerings, they are now being asked to respond to attacks and reduce the time between the initial attack and recovery. Technology plays a part (you need advanced tools to detect attacks and begin mitigation strategies automatically), and having a plan, so that key staff members know what they need to do and when they need to do it, can minimize the damage and begin the restoration process.

Tools like Barracuda Incident Response and Barracuda SKOUT Managed XDR can help automate and manage some of these activities, such as attack identification and remediation. These systems accelerate the response, limit damage, and help companies learn from each episode to improve their security profile and response plan. And while the technical staff is busy responding to the attack, senior management must be as transparent as possible so that employees and customers know what the problem is, how the company is managing the problem, and how they will handle any disruptions.

Unfriendly Skies

One example of a good incident response and communication plan came when low-cost Canadian carrier Sunwing Airlines was hacked, leading to flight delays that left many passengers stranded.

According to the company, the system used for check-ins and boarding was breached, which resulted in critical failures. As a result, the airline switched to manually processing flights, which meant long delays. With margins razor-thin, this type of disaster can be fatal for an airline, particularly a budget carrier.

While customers fumed, the company CEO served as the primary spokesperson to communicate updates and explain what was happening with the software provider. The company was open about the problem, shared regular updates, and provided travel and hotel vouchers (for stranded passengers) and reimbursements for canceled flights. Unfortunately, there were delays in getting the system back up and running because authorities in Canada and the U.S. wanted to ensure the system’s security, as sensitive customer information was held within. During this process, the airline was just as much in the dark as customers when it came to getting information from the software provider – and the company openly let everyone know.

While it will be some time before we see the full extent of the fallout from the Sunwing attack (financial impact, how the relationship with the vendor will change, etc.), there are a few lessons to take from how the company handled the response. 

First, the company quickly explained the problem, and although its brand had been tarnished, it was as open as possible with customers who were suffering the effects of the breach. Second, it established remedies so that customers knew they would be assisted and compensated for the inconvenience. 

Communication is key

For MSPs working with smaller companies, helping them establish a breach communication protocol is vital. There should be a clear chain of command that includes senior management and public relations staff so that information can be quickly and accurately shared internally and externally.  

Help clients establish who is on their incident response team; create workflow maps designating specific roles and step-by-step action items; and include a chain of communication to inform everyone of current conditions and next steps.

The decision to go public may vary depending on industry and regulatory requirements. Still, given the speed of information, this type of news can quickly get out ahead of the formal response. So be prepared to get the message out to staff, customers, the authorities, and the general public as soon as possible.

Cyberattacks are increasingly costly and damaging to brand reputation. However, a good communication plan – coupled with the right technology to detect and respond to the attack – can mean the difference between a painful (but brief) disruption and a catastrophe. MSPs can help their SMB clients by providing advanced detection and response solutions and offering guidance when it comes to a holistic incident response plan.

Doris Au is a Product Marketing Manager for Barracuda MSP. In this role, she connects MSPs with IT solutions that help them deliver the multi-layered security services that their SMB customers need.