The Importance of an Incident Response Retainer (IRR)
Brett Seals
in Connect on LinkedIn
A data breach, on average, costs a business about $4.35 million. With cybersecurity threats and ransomware attacks increasing yearly, business leaders within large industrial utilities have been motivated to make hard decisions to improve their cyber defenses.
Having an incident response retainer (IRR) in place can aid in protecting your assets. Prior to an attack, an incident responder gathers the appropriate information about your organization, network map, asset list, operational data and security controls in your environment, which will allow the responder to quickly address the attack.
In this Q&A, Brett Seals, senior cybersecurity consultant at 1898 & Co., helps shed light on IRRs and how 1898 & Co. approached cyberattacks.
“There is no cyber insurance on reputational damage.”
— Brett Seals
Q: What are the benefits of an IRR?
A: There are multiple benefits to having an IRR. Other than the fact that it is having a proactive plan that will prepare you for potential cyber incidents and reduce the impact and downtime of an attack, the rapid response is a definite benefit. A retainer can also provide you with a pool of skilled professionals with specialized knowledge and experience in industrial control systems. If you have industry-specific compliance requirements, your incident response retainer provider can help you achieve those goals and minimize any kind of fines or penalties. The ongoing support of an IRR can also enhance your reputation among stakeholders and customers by demonstrating your strong commitment to strong cybersecurity practices.
Q: How do I have time to handle taking all necessary precautions against cyberattacks?
A: One individual won’t have time to protect their business against such incidents; that is why having an IRR is important. To effectively respond to incidents you have to have a mature cybersecurity program to combat adversaries with unlimited time and unlimited resources to breach your environment. To go further, these attacks are coming from multiple avenues, and having a third-party team dedicated to such incidents allows safer outcomes because business leaders are limited, to some degree, by the economics of business decisions. One individual wouldn’t be able to perform all these activities, but with a good plan, training and the development of cybersecurity maturity within your industrial control network, you have a chance of being able to divide that time up appropriately among your in-house staff and IRR provider.
Q: What are the pros and cons of only having cyber insurance rather than an IRR?
A: There is no cyber insurance for reputational damage. With cyber insurance, you might be able to receive some monetary compensation for damages but that’s also an extremely reactive measure for you to take — it’s not a proactive measure for you to be able to get out in front of the attack, minimize the likelihood of it occurring, and then recover efficiently and effectively. That is what you get when you have an IRR. As a matter of fact, there are a lot of cyber insurance organizations that provide discounts if you show them that you’re proactive about your cybersecurity program.
Q: Would an IRR from 1898 & Co. cover both IT and OT networks? If so, how does the approach to responding to OT differ from IT?
A: Yes, 1898 & Co. is capable of providing an IRR for both IT and OT. The way we approach responding to OT is much more delicate than the way we approach IT. The OT environment is typically far more sensitive to some of the techniques that are used within monitoring IT systems. Responders must be able to coordinate appropriately with the subject matter professional internally and externally. Proper communication between the internal and external subject matter professional is key, and having hard conversations about business priorities and technical requirements is essential to be able to recover an industrial network. Many times, you have an incident happen within OT that actually originated in IT, so it also requires the bridging of that unified incident response plan. They cannot always work in silos.
Q: From an IRR perspective, how can the 1898 & Co. team be proficient enough to respond to so many different industries?
A: It is important to know that each team member is not knowledgeable in everything. This paves the way for reaching out to resources. From an onboarding perspective, it is critical to do a thorough process to be able to get a full understanding and appreciation for the client’s unique production setup.
1898 & Co. is also a part of Burns & McDonnell, and the company has been in the architectural engineering industry for over 125 years. So, we are fortunate enough to have a vast amount of information and specialists who are a button away and can answer any questions we might have about a particular industry.
Q: Since you mentioned onboarding clients, can you speak about the importance of onboarding and how the lack of onboarding prior to an incident can affect the way you approach your response?
A: The onboarding component is key because if you haven’t gone through the onboarding process, the response team is essentially going in cold. There are multiple times when the person responsible for the response has gone in without actual asset lists or network typologies of a customer’s environment. And though the response team is successful, it takes time to gather all this information and awareness of the client’s environment. In this instance, the onboarding is actually happening during the incident response. It is not impossible to do, but it delays the effectiveness of your incident response activities, so containment is drawn out further. You may be able to identify the systems that are affected quite rapidly. But it would be very difficult to be able to identify the attack path that made its way into your system, fully contain it, and then proceed to the recovery phase.
On that note, if you have a recovery plan, it is essential that you make backups of your system. You will also need to exercise these backups; otherwise, they are just files. It would be ideal to try to recover your backups at least once a quarter. This allows you to see any kind of kinks within recovery are worked out in case an attack does happen and you need to recover your files.
Continuous monitoring, regular security assessments and training on response plans are pivotal proactive measures to protect your assets during the rise of cyberattacks. Learn more about incident response retainers and how 1898 & Co. approaches cyberattacks and threat protection.
