How to create a cyber incident response plan when you have a hybrid workforce
Organisations that adopted hybrid working during the pandemic have had to adjust many policies and processes, but one that they may have overlooked is their CIR (cyber incident response) plan.
Before the pandemic, you could safely assume that most employees were based in the office and therefore a controlled environments.
That made planning for disruptions comparatively straightforward: you knew where everyone was located, you had complete visibility over your threat landscape and you could communicate with everyone directly.
But hybrid working complicates that. Although it comes with huge logistical and financial benefits – plus it makes employees happier – it also creates new risks that organisations must plan for.
In this blog, we take a look at some of the problems you will encounter and provide tips to help you address them.
Protect your communication channels
Being able to communicate with incident responders is one of the most important elements of an effective CIR plan.
In a crisis, the team must be reachable to ensure the plan is enacted and to manage how it unfolds. They might, for example, need to approve additional actions or adjust the plan depending on the organisation’s ability to complete certain actions.
Similarly, most incident response plans involve or effect third parties, such as Cloud service providers, hosting providers, outside counsel and communication platforms.
These must all be managed, with actions being implemented depending on the nature of the disruption.
But problems might arise if the organisation’s email platform or telecommunications service is affected. Most CIR plans involve one point of contact with whom employees should coordinate the response effort.
However, a hybrid workforce means employees will be dispersed, and it risks the possibility of them being unreachable.
This is a particular problem because remote employees typically don’t have a line of communication that’s separate from the IT infrastructure.
One way to address this is to provide key members of the response effort with work phones. This ensures that they can be contacted no matter where they are, and gives them a chance to coordinate their team’s response.
Educate employees on their responsibilities
For an incident response plan to be successful, employees must understand what’s expected of them.
This is even more important in a hybrid work scenario, because remote employees can’t rely on the sort of step-by-step guidance that might be possible if they were in the office. Instead, they must have the wherewithal to complete any necessary processes themselves.
So how should organisations approach employee education? Heath Renfrow, the director and vCISO at the Crypsis Group, notes that with hybrid working organisations are used to the idea of dispersed workforces.
As such, “conducting tabletop and disaster recovery exercises with everyone remote may be an adaptation, but it isn’t an insurmountable one”.
He pointed to organisations’ overall ability to adapt to remote working during the pandemic, and said that staff training can be performed with the same technologies that are already in use.
Organisations can also teach their staff about the fundamentals of incident response with our Cyber Incident Response Management (CIRM) Foundation Training Course.
This one-day course provides a full introduction to developing a cyber incident response plan. Our experts will show you how to manage and react to business disruptions, including:
- How to recognise common cyber threats and understand threat actors;
- The components of the cyber kill chain; and
- How to define the structure roles and responsibilities of the cyber incident response team.
Beware of elevated privileges
As we’ve previously discussed, hybrid working introduces new cyber security risks. One you have to be particularly concerned about when developing an incident response plan relates to the privileges afforded to your employees.
Before the pandemic, an organisation’s incident response team would likely have been office-based, so they could be physically present to address disruptions or contact a remote specialist to investigate the problem.
This ensures that experts are the ones looking into the incident and performing any necessary remediation.
But when organisations were forced to adopt remote working, this became an issue. Key employees weren’t able to be in the office, so organisations responded by granting elevated privileges to home-based staff.
Doing so simplifies the incident response process, giving employees the ability to perform actions that would previously been possible by people with admin rights – but it introduces significant risks.
If an account with elevated privileges is compromised, it makes it easier for the attacker to cause greater damage and may reduce the need for them to perform more complex attacks to elevate their privilege.
Despite the risk, many organisations have resorted to elevating privileges. According to a Netwrix study, 85% of CISO said they sidestepped existing cyber security controls in order to support their remote workforces.
The alternative is to use a remote desktop service, handing control to a member of your incident response or IT team. This will be time-consuming, and will result in a longer recovery time, but it is a much safer option and mitigates the risk of a breach occurring.
Looking for more advice?
You can learn more about the compliance risks of hybrid working by watching How to Navigate and Implement a Successful Hybrid Workforce .
Presented by IT Governance’s founder and executive chairman, Alan Calder, this presentation explains:
- How the shift to hybrid working impacts organisations;
- The privacy and cyber security risks organisations face during and after the transition to a hybrid working model;
- Key areas organisations must consider when operating under a hybrid working model; and
- Six practical steps to successfully implement hybrid working.