Level 4: Professional Standards
Guide 1 of 2

Incident Response & Recovery

What This Is About

Incident response is your action plan for when cyber attacks happen to your business. It combines multiple layers of defense (defense in depth) with structured response procedures to minimise damage and get you back to normal operations quickly.

Having a plan ready means you won't waste time figuring out what to do during a crisis. You'll know exactly who to call, what steps to take, and how to recover.

Defense in Depth Strategy

Before incidents happen, you need multiple layers of protection working together. Think of it like having several locks on your door instead of just one.

Essential defense layers:

  1. Physical security: Locked doors, secure workstations, visitor controls
  2. Network security: Firewalls, secure WiFi, network segmentation
  3. Endpoint protection: Antivirus, device encryption, software updates
  4. Email security: Spam filters, phishing protection, attachment scanning
  5. Access controls: Strong passwords, multi-factor authentication, user permissions
  6. Data protection: Encryption, backups, data classification
  7. Staff training: Security awareness, incident reporting, verification procedures

Why layered defense works:

If criminals get past your email filters, they still face strong passwords. If they guess a password, they still need to bypass multi-factor authentication. Each layer makes it harder for attacks to succeed.

Example: A phishing email gets through your spam filter, but your trained employee recognises it as suspicious and reports it instead of clicking the link.

The Five Phases of Incident Response

Phase 1: Preparation

What to do before anything happens:

  • Create contact lists for IT support, cyber insurance, bank, and key customers
  • Document your critical systems and how to shut them down safely
  • Set up monitoring and backup systems
  • Train your team on what to do if they spot something suspicious
  • Test your incident response plan annually

Phase 2: Identification

How to spot when something is wrong:

  • Unusual computer behaviour (slow performance, pop-ups, crashes)
  • Suspicious emails or phone calls
  • Unexpected system alerts or error messages
  • Reports from staff about strange activity
  • Alerts from security software or monitoring tools

Phase 3: Containment

Stop the problem from spreading:

  • Disconnect affected devices from the network immediately
  • Change passwords for compromised accounts
  • Isolate infected systems
  • Block suspicious network traffic
  • Take photos of error messages or suspicious activity

Phase 4: Eradication

Remove the threat completely:

  • Run antivirus scans on all systems
  • Remove malware and infected files
  • Patch security vulnerabilities that were exploited
  • Update security software and definitions
  • Verify that the threat is completely removed

Phase 5: Recovery

Get back to normal operations:

  • Restore systems from clean backups
  • Gradually reconnect systems to the network
  • Monitor for signs of continued compromise
  • Update security measures based on what you learned
  • Communicate with customers and stakeholders as needed

Building Your Incident Response Plan

Essential planning elements:

  1. Response team roles: Who makes decisions, who handles technical issues, who talks to customers
  2. Communication plan: How to reach team members, customers, and vendors during an incident
  3. Critical system inventory: List of your most important systems and how to protect them
  4. Contact information: IT support, cyber insurance, legal counsel, key suppliers
  5. Recovery procedures: Step-by-step instructions for restoring operations
  6. Business continuity: How to keep essential operations running during incidents

Recovery and business continuity:

  1. Backup verification: Regularly test that your backups actually work
  2. Alternative procedures: Manual processes for when computer systems are down
  3. Remote work capabilities: How staff can work from home during office disruptions
  4. Vendor relationships: Agreements with IT support and recovery services
  5. Insurance claims: Documentation needed for cyber insurance claims
  6. Customer communication: Templates for notifying customers about incidents

Common Incident Types and Responses

Ransomware attack:

Immediate actions:

  • Disconnect all systems from the network
  • Don't pay the ransom; contact law enforcement
  • Check if your backups are clean and available
  • Call your cyber insurance provider
  • Document everything with photos and screenshots

Data breach:

Immediate actions:

  • Contain the breach by securing compromised systems
  • Assess what data was accessed or stolen
  • Contact legal counsel about notification requirements
  • Prepare communications for affected customers
  • Report to relevant authorities if required

Email compromise:

Immediate actions:

  • Change passwords for affected email accounts
  • Check sent items for malicious emails
  • Warn contacts about potential fake emails
  • Review email rules and forwarding settings
  • Enable additional security features
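
Reviewing mail rules and forwarding settings by hand is slow across many mailboxes, so here is an added example (not part of this guide) that audits a Microsoft 365 tenant for mailbox-level forwarding and for inbox rules that forward, redirect or delete mail. It assumes Exchange Online, the ExchangeOnlineManagement PowerShell module, and an account permitted to read mailbox and inbox-rule settings.

```powershell
# Added example (not from the guide): audit Exchange Online for forwarding
# settings and inbox rules that forward, redirect or delete mail.
# Assumes Microsoft 365 with the ExchangeOnlineManagement module installed
# and an account permitted to read mailbox and inbox-rule settings.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

# 1. Mailbox-level forwarding (can be set by an admin or by a compromised account)
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Mailbox = $_.UserPrincipalName
            Type    = 'MailboxForwarding'
            Detail  = "$($_.ForwardingSmtpAddress)$($_.ForwardingAddress) (KeepCopy=$($_.DeliverToMailboxAndForward))"
        }
    }

# 2. Inbox rules: a compromised account often gains rules that send mail out
#    or delete/hide replies so the owner does not notice the compromise.
foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = 'InboxRule'
                Detail  = "Rule '$($_.Name)' Enabled=$($_.Enabled) Forward=$($_.ForwardTo) Redirect=$($_.RedirectTo) Delete=$($_.DeleteMessage)"
            }
        }
}

# Review each finding with the mailbox owner; remove anything they did not
# create (Remove-InboxRule / Set-Mailbox -ForwardingSmtpAddress $null) and
# keep the exported CSV as part of the incident record.
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path ".\forwarding-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once during containment and again after passwords are reset, so that any rule re-created by a still-active session shows up in the second export.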

System outage:

Immediate actions:

  • Determine whether the outage is caused by an attack or a technical failure
  • Activate backup systems if available
  • Implement manual procedures for critical processes
  • Communicate with customers about service disruption
  • Document timeline and impact for insurance claims

Real World Example: Layered Defense Prevents Major Damage

What happened: A Sydney accounting firm received a convincing phishing email that bypassed their email filters. One staff member clicked the link and entered their password on a fake website.

How defense in depth helped: The attacker gained access to the email account but couldn't access client files because of multi-factor authentication, network segmentation, and limited user permissions.

Incident response: The firm quickly identified the compromise through monitoring alerts, contained it by changing passwords, and recovered by restoring the affected account from backup.

Result: What could have been a major data breach was limited to one email account being compromised for a few hours.

Lessons learned: Multiple security layers and a tested incident response plan prevented catastrophic damage.

Source: ACSC Small Business Cyber Security Guide

Post-Incident Activities

Learning from incidents:

  1. Conduct incident review: What happened, what worked, what didn't
  2. Update security measures: Fix vulnerabilities that were exploited
  3. Improve response procedures: Update your incident response plan
  4. Enhance training: Educate staff about new threats and procedures
  5. Review insurance coverage: Ensure adequate protection for future incidents
  6. Strengthen defenses: Add additional security layers where needed

Documentation and reporting:

  • Incident timeline: Detailed record of what happened and when
  • Response actions: What steps were taken and by whom
  • Financial impact: Costs of the incident and recovery
  • Lessons learned: What improvements will be made
  • Regulatory reporting: Required notifications to authorities
  • Insurance claims: Documentation needed for claims processing

Essential Contacts and Resources

Emergency contact list:

  • IT support: Technical assistance and system recovery
  • Cyber insurance: Claims reporting and coverage verification
  • Legal counsel: Regulatory compliance and liability advice
  • Bank: Account monitoring and fraud prevention
  • Key suppliers: Critical vendor relationships
  • Customer service: Communication and reputation management

Government resources:

  • Australian Cyber Security Centre: 1300 292 371
  • ReportCyber: cyber.gov.au/report
  • ACORN (cybercrime reporting): acorn.gov.au
  • Office of the Australian Information Commissioner: For privacy breaches

Building Comprehensive Protection

Effective incident response combines prevention, detection, and recovery:

  • Prevention: Multiple security layers to stop attacks
  • Detection: Monitoring and alerts to spot problems early
  • Response: Structured procedures to contain and eliminate threats
  • Recovery: Backup systems and business continuity planning
  • Learning: Continuous improvement based on incidents and threats