Is your Credit Union’s Incident Response Plan Ready for a Cyber Attack?
Credit Union cybersecurity is becoming increasingly important. It seems like almost every day we read about a new data breach or organization becoming the victim of a ransomware attack. In fact, according to Beazley Breach Response, there was a 105% increase in ransomware attacks in Q1 2019 and an increase of 93% in the average ransom demanded or paid. Given the current threat environment, it is crucial that Credit Unions have a strong, tested incident response plan ready if the worst should happen.
During an information security incident, or cyber-attack, stress levels can run high and the event can move quickly. It is crucial that the Incident Response Plan be as detailed as possible about what steps to take and who to contact, and that it also state what not to do. Responding to a security incident is different from recovering from an incident such as a hardware failure. Taking the wrong action can destroy evidence that identifies the vector of the attack or that would aid in legal proceedings against the malicious actor. Your Incident Response Plan should contain the following:
- A process for identifying and categorizing an incident
- A clearly defined Incident Response Team, and contact information for all members of the team, including detailed descriptions of roles and responsibilities for each member and department
- Definition of who at the Credit Union is authorized to declare the incident and activate the Incident Response Team
- Detailed steps to contain, investigate, and recover from the incident including internal communication plans and methods
- A clearly defined external communication plan and contact information for third party response services, vendors, law enforcement and regulatory agencies
- Forms to log the incident and all activities taken during the incident. Logging all activities is crucial in the post-recovery phase and for potential legal action after the incident
- A process to evaluate the incident and improve security post-incident
It is important to include alternative methods of communication and of retrieving the Incident Response Plan should the team not be able to access the Credit Union’s information systems. Hard copies or an externally hosted site are good options.
Management also needs to ensure that the Incident Response Team is clearly defined and contains the correct team members. All team members must be familiar with their roles and responsibilities. The team should consist, at a minimum, of the following members and have the authority to include other employees and departments as necessary:
- Chief Technology Officer/Chief Information Officer
- Information Security Officer
- Senior Network Engineer, System Engineer, Core staff
- Network Security Team
- A staff member defined as the Incident Response Team Coordinator to handle all communications with the team and staff
- Senior Management
- Human Resources
- Public Relations/Communications
Once your Credit Union has the Incident Response Plan in place, it needs to be tested at least annually with all primary and alternate team members. This testing ensures that all members know their roles and responsibilities, that gaps in the plan are identified, and that the process is not foreign to the team members during an incident. One of the best ways to test the plan is with a Cyber Table Top Exercise. The exercise should be run by someone not on the team but with experience in cybersecurity and include multiple scenarios. This will help the team members to play out the scenario in a more realistic way. At the end of the exercise, management should review the plan and update it as necessary.
One final note. Although the Incident Response Plan is a separate document and plan, it ties in very closely with the Credit Union’s Business Continuity Plan and Disaster Recovery Plan. Depending on the type of incident and impact to the Credit Union’s services, the BCP and DR processes may be invoked as part of the recovery, so those plans need to be in tip-top shape as well.
The Incident Response Plan is one of those things that we never hope to have to use, but the time spent making it great will pay dividends when it is required. If you have any questions or need more information, please reach out to the Ongoing Operations CISO as a Service team.