I don't want to talk about endpoint protection, next-gen firewalls, multi-factor authentication, or other security technologies. I also don't want to scold you about what SHOULD have been in place.
Instead I want to offer you some helpful things to consider when managing a cyber-incident.
- Identify the incident clearly. Was there an incident even? What do we KNOW vs. what do we THINK vs. what might be coincidence?
- Inform users that they are not in trouble if they are the source of the incident. Cyber incidents can happen to anyone.
- Secondary information is not useful. Bring in the user(s) that witnessed the incident and speak to them directly.
- Assign roles for the IRT (incident response team). In smaller organizations, one person might have multiple roles. You should have the following:
  - A single point of contact (SPOC) who will communicate internally and externally
  - A single approver of purchases (mileage, overtime, overnighting devices, hiring cyber...