Recover
We all know fraud sucks, and if you have been involved in an incident you know how disruptive and gut-wrenching it can be. While it is tempting to call it a day once the incident has been mitigated and the response steps are complete, it is important to also complete the recovery step. This last step helps you and your business learn from the incident and prevent it from happening again.
The recovery phase of incident response can vary widely depending on the type of incident involved. Below are the key steps that should be included in the recovery phase.
Resource: Fight Fraud Respond and Recover Templates
1. Payments Assessment
- Assess the security and integrity of all systems and processes involved in the processing of transactions.
- Begin with how you or the business contracts with customers, vendors, and services for payment.
- Determine how changes to payment information are verified and authorized, the types and methods for payment you accept, and what the controls are to secure the accounts and transactions for processing of payments.
- Examples can include the review of authentication controls, transactional rights of users, dual approval controls, and the rights of users within online banking.
- The assessment should aim to identify any vulnerabilities or weaknesses that contributed to the original incident.
2. User Access Management
- Re-establish user access rights and permissions. The Incident Response Step focuses on the compromised user accounts involved in the fraud; the Recovery Step goes further and reviews all user accounts with access to the system. This can involve re-defining the rights and permissions of all users, either individually or based on their role within your business.
- The goal is to provide users with just enough privileges and access to perform their work and no more.
- If you have identified any pre-existing weaknesses in these controls from Step 1, implement strong access controls to prevent future unauthorized access or transactions (review the controls in the Protect Section of Fight Fraud).
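An added example (not from the Fight Fraud page) of the access review in Step 2: each user's online-banking rights are compared against a per-role baseline, and any excess rights or dual-approval conflicts (one person able to both initiate and approve) are reported. The role names, rights and users are constructed for illustration.

```python
# Added example, not from the Fight Fraud page: review online-banking user rights
# against a per-role baseline, flagging excess privileges and dual-approval
# conflicts. Role names, rights and users below are constructed assumptions.

# Baseline: the rights each role needs to do its job and no more.
ROLE_BASELINE = {
    "ap_clerk":   {"view_balances", "create_payee", "initiate_ach"},
    "controller": {"view_balances", "approve_payee", "approve_ach", "approve_wire"},
    "payroll":    {"view_balances", "upload_payroll"},
    "readonly":   {"view_balances"},
}

# Pairs of rights one person must never hold together (dual approval /
# separation of duties).
CONFLICTING_PAIRS = [
    ("initiate_ach", "approve_ach"),
    ("create_payee", "approve_payee"),
]

# Constructed sample of (user, role, rights actually granted in online banking).
SAMPLE_USERS = [
    ("alice", "ap_clerk",   {"view_balances", "create_payee", "initiate_ach", "approve_ach"}),
    ("bob",   "controller", {"view_balances", "approve_payee", "approve_ach", "approve_wire"}),
    ("carol", "payroll",    {"view_balances", "upload_payroll", "initiate_ach"}),
    ("dave",  "readonly",   {"view_balances"}),
]

def review_user(user, role, granted):
    """Return the rights beyond the role baseline and any conflicting pairs held."""
    baseline = ROLE_BASELINE.get(role, set())  # unknown role: everything is excess
    granted = set(granted)
    excess = sorted(granted - baseline)
    conflicts = [pair for pair in CONFLICTING_PAIRS if set(pair) <= granted]
    return {"user": user, "role": role, "excess": excess, "conflicts": conflicts}

def review_all(entries):
    """Return only the users that need remediation."""
    findings = [review_user(user, role, rights) for user, role, rights in entries]
    return [f for f in findings if f["excess"] or f["conflicts"]]

if __name__ == "__main__":
    for finding in review_all(SAMPLE_USERS):
        print(finding)
```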
3. Documentation and Change Management
- Implement change management processes to track and verify changes to your accounts, security controls, user rights, and permissions.
- Change management processes ensure all changes to your accounts are authorized and enable you to modify or roll back any changes causing a negative impact to you or your business.
- Maintain detailed records of recovery efforts including actions taken, changes made, and outcomes.
4. Communication and Public Relations
- Some fraud or Business Email Compromise (BEC) scenarios can have significant and long-lasting impacts on a business. You may therefore need to communicate with stakeholders, customers, and the public to update them on the incident and recovery progress.
- Depending on the nature of the incident, it may be necessary to communicate information about the incident before the Recovery Step is complete. Be aware that these communications may contain inaccuracies, because not all the details may be available at the time.
- To ensure a consistent message is being conveyed to all stakeholders, designate an individual to be responsible for all communications and questions.
- Manage the organization's reputation and brand during the Recovery Process. This can include increased monitoring of social media and any reports in the media.
5. Test, Validate, and Monitor
- For all newly implemented controls and processes, it is important to test and validate that they are functioning correctly. This can include verifying that staff follow any new procedures for adding or updating payment details, and that dual approvals are working as intended.
- Implement enhanced monitoring and continuous assessment to detect any signs of recurring incidents or new vulnerabilities. This can include testing alerts to confirm you receive the expected notification when the alert's trigger fires, such as a notification for any processed payroll file or for attempts to use the forgot-password process.
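An added example (not from the Fight Fraud page) of the alert testing in Step 5: simple alert rules for a processed payroll file, a forgot-password attempt, and a payee change approved by the same person who requested it are run over constructed audit log lines, and the result is checked against the list of alerts you expect to fire. The log format, event names and user names are assumptions.

```python
# Added example, not from the Fight Fraud page: run alert rules over constructed
# online-banking audit log lines and confirm each expected alert actually fires.
# The log format, event names, users and IPs are constructed assumptions.

import re

# Constructed sample audit log: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice event=PAYEE_CHANGE_REQUESTED payee=ACME-SUPPLY change_id=77
2024-05-01T09:12:40Z user=alice event=PAYEE_CHANGE_APPROVED payee=ACME-SUPPLY change_id=77
2024-05-01T10:02:11Z user=carol event=PAYROLL_FILE_PROCESSED file=payroll_0501.ach amount=48210.55
2024-05-01T11:45:09Z user=bob event=FORGOT_PASSWORD_REQUESTED ip=203.0.113.7
2024-05-01T12:00:00Z user=bob event=LOGIN_SUCCESS ip=203.0.113.7
"""

TOKEN = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(TOKEN.findall(rest))
    fields["ts"] = ts
    return fields

def evaluate_alerts(log_text):
    """Return (alert_name, user, detail) tuples in the order they fire."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    requested_by = {}  # change_id -> user who requested the payee change
    for e in events:
        ev = e.get("event")
        if ev == "PAYROLL_FILE_PROCESSED":
            alerts.append(("payroll_file_processed", e["user"], e.get("file")))
        elif ev == "FORGOT_PASSWORD_REQUESTED":
            alerts.append(("forgot_password_attempt", e["user"], e.get("ip")))
        elif ev == "PAYEE_CHANGE_REQUESTED":
            requested_by[e["change_id"]] = e["user"]
        elif ev == "PAYEE_CHANGE_APPROVED":
            # Dual approval requires an approver other than the requester.
            if requested_by.get(e["change_id"]) == e["user"]:
                alerts.append(("dual_approval_bypass", e["user"], e.get("payee")))
    return alerts

def missing_alerts(expected, fired):
    """Validation step: which expected alert names did not fire at all?"""
    fired_names = {name for name, _, _ in fired}
    return sorted(set(expected) - fired_names)

EXPECTED_ALERTS = ["payroll_file_processed", "forgot_password_attempt", "dual_approval_bypass"]
```

Running the rules against a log that lacks one of the triggering events makes `missing_alerts` name the alert that never fired, which is the gap the test is meant to expose.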
6. Post-Incident Review
- Conduct a thorough Post-Incident Review to assess the effectiveness of the Recovery Process and the plans used, and to identify areas for improvement.
- Key Questions to Consider in the Post-Incident Review:
  - What were the root causes of the incident and any incident response issues?
  - Could the incident have been prevented? How?
  - What worked well in the response to the incident?
  - How can our response be improved for future incidents?
- Learn from the experience, educate staff about the details of the incident, and take steps to better protect yourself and your business. If you are up to it, this would also be a good opportunity to share your experience and what you have learned with others.
- Stay abreast of and educate yourself about common online fraud techniques and how to avoid them (refer to the Identify Section of Fight Fraud).
7. Updates to Policies and Procedures
- Train staff on any new policies and procedures, taking the time to explain the importance of the changes.
- Finally, take everything you have learned from the incident to revise incident response policies, procedures, and security controls.