How to prepare your team to address critical security issues

Technical knowledge is required when working to resolve security issues. A team with a wide range of expertise is invaluable.

Images and checklist: Andy Wolber / Tech Republic

Last year, several people asked me some version of the question: “What should we do when there is a cyberattack or security issue?” My first instinct was to suggest technical actions such as “check the logs and files,” “disconnect the device from the network,” or “restore from backup.” I also wanted to ask for details: “What kind of problem is it? Ransomware? A pwned password? A defaced website? Was the database accessed? Are files shared improperly? DNS issues?” The technician in me wants to troubleshoot the problem.

SEE: Security Incident Response Policy (TechRepublic Premium)

However, technical troubleshooting resolves only a small part of a security incident. Customer concerns, potential legal implications, and public opinion also affect how well an organization recovers in the long term. Therefore, rather than focusing solely on technology, I recommend that organizational leaders make sure all five of the following items are addressed as part of their incident response planning:

1. Identify the team

Ideally, identify the key members of the response team long before they need to meet. Depending on the nature of your organization, this team may include people with expertise in the following areas:

  • Technology (IT and security expertise),
  • Legal (legal counsel or a law enforcement liaison),
  • Operations (staff who run day-to-day business processes),
  • Decision-making roles (executives and, in some cases, board members), and
  • Communication (media, staff, and customer communication specialists).

Some organizations, such as banks and data centers, may also require someone with physical security expertise.

Keep the number of people involved as small as possible, but make sure that each of the five areas above is represented on the team, regardless of the size of the organization.

2. Maintain an administrator access list

To reduce the time needed to gain access during an incident, maintain an accurate, up-to-date list of the users who hold administrator access to critical systems. These systems include identity and access control systems; communication systems (e.g., Microsoft 365, Google Workspace, telephone systems); databases (e.g., talent and customer/client databases); financial systems (e.g., payroll, expenses, accounting); websites; social media accounts (e.g., Facebook, Twitter); and core network components (servers, routers, firewalls). Unfortunately, I have often seen inexperienced response teams struggle to gain admin access when they needed it.

3. Select a communication channel

Normal communication methods may not work in an emergency, so identify a prioritized set of methods your response team can use to communicate. For example, the list might include your organization’s standard email, chat, and video conferencing tools (Gmail, Google Chat, Meet, etc.), alternative email addresses, phone numbers (including mobile numbers), conference call lines, or chat services outside your primary environment (e.g., Signal, Element). If most alternative communications are unavailable, the team may agree to meet in person at a predetermined location and time.

SEE: Three emergency communication solutions to implement now (TechRepublic)

4. Discuss the conditions for convening the team

As a team, discuss the thresholds that make an issue worth convening the response team. Some issues, such as a website outage, may be serious but still not warrant activating the incident response team. In general, I tend to encourage organizations to allow any member of the response team to convene the group. Presumably the team members are experienced people with good judgment who will not call a meeting unless the situation warrants it. (If not, you’ll need to rethink your team’s structure.) Normally, all it takes to convene the group is a message to the team through a defined channel.

5. Communicate while working on the problem

Maintain communication among team members and with other appropriate stakeholders as the team works to resolve the issue. Those other parties may be employees, customers, board members, members of the media, or the general public. Before ending each meeting, be sure to set the next time the team will meet. Similarly, when you communicate with the outside world about an issue, state when the next update will be available.

How did your organization prepare?

Has your organization identified a security incident response team? What method do you use to keep your administrator access list current? Which communication channels have you selected or used? Are there additional steps you would recommend organizations take to prepare to address potential security issues? Let me know in the comments below or on Twitter (@awolber).
