There's a lost phone or ransomware attack and zero time to waste. How well you respond might be the difference between a happy customer and a lawsuit.

March 28, 2018


By Ian Thornton-Trump

Customer security incidents can arise from many different events: a lost or stolen device, a ransomware attack, a data-breach notification from a trusted third party. No matter the source, the first point of contact will often be the IT service provider’s or MSP’s customer-facing help desk or onsite resource.

That “something’s wrong” call can come in at any time.

For a service provider’s front-line contact, the pressure can be considerable, especially when the customer is in near hysterics. It’s vital, however, that staffers follow a proper process. Just like police, fire or paramedic crews responding to a call, they need to acquire and document information rapidly so your team can make the right assessment as to the appropriate response. Overreaction can cause additional stress and a misallocation of resources. Under-react and you might be accused of “not caring” about your customer. In most cases, the front-line responder has a short period of time to determine the right course of action.

There are proven strategies and an abundance of resources on the internet about how to manage a security incident; unfortunately, many of them fail to address potential complications that may arise between an IT service provider or MSP and the customer — especially in a time of crisis.

One absolute truth is that a security incident at a customer site has the potential to damage the service provider’s business relationship. As crass as it might sound, documentation becomes even more critical if a series of unfortunate incidents results in accusations of negligence from the customer and the potential for litigation. This documentation should cover five areas:

  • Preparation: The expression “forewarned is forearmed” originated as a Latin proverb and is perhaps the most succinct way of explaining why planning is crucial. The odds are good that a security incident will happen at a customer’s site. Thinking about the various threats and risks and preparing for the most likely ones significantly reduces the chances of a poor response. Anticipating a lost or stolen device, a ransomware attack, a data-breach notification or a significant internet outage – physical or DDoS – will set the stage for a professional response from front-line staff.

  • Detection/Identification: Not all security incidents are straightforward situations; some might not even require an immediate response. When a call comes in to the help desk, the handler should ask a number of questions to determine if an actual security incident is unfolding. Some incidents are clear cut: Ransomware is a classic example. A lost or stolen device, however, might turn up at some point in the near future. It’s important to gather all the information available into the service ticket. Engaging a manager or supervisor is usually advisable when the call handler is reasonably certain a security incident is occurring — declare the security incident and raise the priority of the ticket appropriately.

  • Analysis/Communication: Gaining a clear picture of what is going on from a phone call or email, from panicky and perhaps non-technical customers, might be difficult. Consulting the remote monitoring and management system, customer documentation, network details and security tools could yield valuable details. Perhaps an invoice was unpaid, and a customer was cut off from a vital service, or the internet-facing IP address of the customer has had its reputation lowered due to a misconfiguration. Any number of non-malicious options need to be explored because all too frequently, a “security incident” turns out to be a human mistake.

  • Containment/Fix: Whether the cause is malicious or an error, resolving the incident successfully should be the focus of all involved. If ransomware has broken out, taking systems offline or isolating the infected systems to stop the spread might be immediate actions to take. A customer concerned they clicked on a malicious link might need a deep antivirus scan and/or network-layer analysis to see if there are indications of compromise on the workstation. The steps taken to contain or resolve the incident should be recorded in the service ticket in detail, along with clear and accurate time recording from the start to the end of the security incident.

  • Lessons Learned: This is perhaps the most critical part of your response. Security incidents are bad for customers and bad for IT service providers and MSPs — they can put your firm’s reputation at stake. Customer experience matters. Analysis of the security incident might identify proactive steps that you can take to prevent future problems. Steps from end-user security training to adding new technology, such as application whitelisting in the case of ransomware attack, might reduce the likelihood of a future security incident. There might even be a project opportunity for your company in the fast-growing security services market.

For the IT service provider or MSP, the need to emphasize process, documentation and timekeeping cannot be overstated. For larger MSPs, there might be a number of security incidents in various stages unfolding at multiple customer sites — triaging and responding is time- and labor-intensive. When thinking about creating an incident-response plan, think about how to scale the response with the resources you have. You might need to partner with a firm to handle more than one security incident at a time, or at the very least, have one on call.

Ian Thornton-Trump, CD, CEH, CNDA, CSA+, is an ITIL-certified IT professional with 20 years of experience in IT security and information technology and a cybersecurity consultant with Harmony PSA. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. In Canada, Octopi Managed Services Inc. delivers managed security services to high-profile legal firms, and in the U.K., Octopi Research Labs Ltd. undertakes security consulting and threat intelligence engagements. As the Cyber Vulnerability and Threat Hunting Team Manager for Ladbrokes Coral Group plc., Ian has an in-depth understanding of the threats small, medium and enterprise businesses face on a daily basis.
