It is well known and accepted that it’s not a matter of whether a company gets breached but rather when (if it’s not already occurred). A staggering number of companies have experienced a breach, and a lot of the time many don’t even know that they have. The other likelihood is that many do not know how to deal with the incident. To avoid panic, it is an excellent idea to develop an incident response plan. Being ready for an incident is a better approach than scrambling to react when your system is breached. Knowing how to respond at a time when the organization is vulnerable is not only sensible but acts as a lifeline for many.
Where an organization has a plan, it can quickly react in a coordinated manner at the time of an incident. Everyone knows their place and how to prioritize their actions. The team knows what to do, what the priorities are, and the panic is less. Where a response plan is not in place, it’s often a very different situation — a chaotic approach. In trying to resolve the unraveling issues, everything is thrown at the problem (unnecessarily) — money and people. Incidents can be dealt with more effectively if a plan is in place and an organized and professional team is ready and on hand to assist.
Remember… when you fail to plan, you plan to fail, so it’s best to get your incident response plan sorted out as soon as possible.
Steps to create an incident response plan
Create an incident response plan document
Create an incident response plan document and make it accessible to all who will need it. Ensure it’s available as a hard copy and as an offline version so that in the event of an incident the people that need the details can obtain them easily and swiftly. As this document is likely to contain sensitive information store it securely.
Form an incident response team
The document should define the team members with their roles and responsibilities — who is responsible for what at the time of response, including the people’s names and contact details. This list should also include the external parties that will need to be involved in the response, such as the authorities, the cyber-insurance company, and the forensics team (internal and external). Also, the contact details of other relevant parties, including any cybersecurity company partner, the antivirus, antimalware company, must be listed in the document. When there is an urgent situation, a rapid response is possible, and all the information you will need to respond and act will be at the team’s fingertips.
Conduct an incident threat analysis
It’s important to conduct a threat analysis to identify the risk of an incident occurring. After that, certain potential incidents can be prioritized so the respective people and resources for the severity of the incident will be available as required. Below is an example of an elementary illustrative list to demonstrate the type of information to include.
- Priority 1: (immediate action required)
A major incident is affecting the whole company. The company is down and has an incident relating to access control, confidentiality, integrity, and availability. For example, this could include ransomware, a total outage, a data leak, a DDoS attack.
- Priority 2: (immediate action but limited team required)
A significant incident is affecting some entities but not the whole company. The company is partially down and has an incident relating to access control, confidentiality, integrity, and availability.
- Priority 3: (action required)
An incident is affecting the company. The company is experiencing a cyber-incident relating to access control, confidentiality, integrity, and availability.
Create quick-response guidelines for different scenarios
These guidelines and response actions are used to test scenarios. The scenarios must include common issues but, more importantly, should be updated with current threat landscape scenarios in the form of a tabletop exercise that involves the entire company in incident response. This type of testing will provide multiple advantages. It will test the plan (end-to-end) and will assist in improving the response to the incident. It will identify the people required to deal with the incident and ensure that robust procedures are in place that keeps evolving and is being optimized and updated to deal with the incidents.
A summary of the plan that is easily digestible and in the form of a picture, wherever possible, so that people can understand and follow the steps to access, isolate and resolve the incident, is required. A list of the potential incidents that can occur and the worked-out steps to resolve each incident is also helpful to save on time when responding to the incident.
Outline a plan for external notification
One of the often-forgotten items that need to form part of the plan is how to deal with external parties.
Entities like:
- Key suppliers
- Customers
- The media
- The authorities
- Employees (especially those who are remote)
- Branch offices
- Compliance and regulatory bodies
This part of the response plan should form part of the communication plan when dealing with the incident and when responding. If the incident is significant and will impact any of these, canned messages that have already been carefully written outlining how to deal with the incident should be ready to send with few adjustments. This will help to remove the pressure from the team, keep people informed and ensure that pre-approval from the internal authorized parties to issue communications swiftly is available. If this communication plan is not in place, on many occasions when an incident occurs, the response will be poor. In addition, how the incident is dealt with will reflect poorly on the team and company due to lack of preparation.
Communicate your plan to employees
Before an incident occurs, it’s useful to communicate the plan to the internal team. The employees will appreciate it, and knowing the process upfront will help with swift remediation and lessen the pressure. This will also reduce the likelihood of kneejerk reactions and ensure that money is well spent on remediation and not on random solutions during and after the incident.
Train, practice, and repeat
Practice helps in understanding where the organization is weak in responding. Once practice has been undertaken internally, it’s a good idea to have an external party lead the practice to ensure that nothing is missed and that the plan is reinforced and seen from another perspective. This exercise should identify any deficiencies and strengthen the plan for swift remediation. Moreover, your organization can use the exercise to train the staff and run through the drill if you need to remediate an incident.
Learn from past mistakes
A step often left out, which is important and adds value, is the lessons learned and how this can improve the plan. This continuous improvement action should capture what was learned during the exercise and potentially during a recovery. It drives collaboration and discussion to improve the process and lessens the stress of an incident so that it can be dealt with more optimally the next time.
Get planning…
An incident response plan that is practiced, communicated, and tested will reduce the impact internally and enable the organization to respond effectively and improve the remediation processes all around. An incident response plan is not only best practice, but this administrative control will ensure that you and your team can defend your company more effectively.
Featured image: Shutterstock
