When a worker is injured on the job, there should be an incident response plan in place. The same is true when responding to a cyber-attack. According to an IBM survey, an Incident Response Plan lowered the financial impact of an attack by 10%. So what does an Incident Response Plan include?
1. Assign clear responsibilities
Start with who should oversee the creation of the incident response plan. Whether it’s the CIO or someone else, they’re going to need to inform all the relevant stakeholders, gather input, and assign roles. You may also need the participation of senior management, attorneys, human resources, regulatory bodies, law enforcement, cyber consultants, and maybe a PR firm. There are many moving parts to coordinate if you want to ensure that incidents are dealt with quickly and efficiently.
2. Define your risk tolerance
There’s no one size fits all answer here. You must work out what is critical data, what key functionality your company requires to do business, and prioritize your efforts to focus them in the right places. In the wake of a cyber-attack, there’s almost always downtime. Think about the cost of being down for a day and triple it.
3. Classify events
When an incident develops, you need to be able to classify it so that you know precisely what action to take. Some categories to think about are Data loss, Disk failure, Malware, Ransomware, Wire transfer fraud, unauthorized access, etc.
Classifying risks allows you to prioritize them, but each incident should also be fully documented so you have a basis for investigation and audit should it be required in the future.
4. Set explicit instructions
With a system in place to uncover and classify incidents, you can set clear procedures that enumerate in detail what every person involved in an incident should do. This starts with the rules on reporting but includes everything from fixed time scales for investigation to the steps needed to remediate the problem. Having clear procedures in place removes room for doubt or bad decision making.
View the explicit instructions that you draft as part of your procedures as living documents. They are simply your best guess right now at how to uncover and contain an incident.
5. Prioritize eradication and recovery
As part of working out your risk tolerance, you’ve identified critical systems. These critical systems that enable your business to run should be fully backed up, so you can get them up and running again swiftly. For the rest of your business functions, you need to perform a kind of triage to work out the right order for eradication and recovery.
It’s also very important to isolate the infected business units and make sure that stakeholders are kept in the loop on realistic recovery time. When it comes to restoring normal operations, bear in mind that you must know what a normal state looks like. If you haven’t documented that beforehand, then you may struggle at this stage.
6. Learn from every incident
The incident response plan is not written in stone and every incident is a learning opportunity. Once it has been dealt with, confirm the root cause, analyze, document, measure, and retest. Assess the incident response procedure used and how it was carried out. This process enables you to make recommendations for better future response and prevention of a reoccurrence.
If you use incident analysis to find flaws or deficiencies in your detection, notification procedure, containment, eradication, or any other part of the process, then you can use that information to strengthen your incident response plan. It’s a system for continuous improvement that will significantly boost your security over time.
Ultimately, security incidents are inevitable and beyond your control to an extent, but how you react to them is entirely up to you.
Need help with your incident response plan? Give me a call. 505-819-5471