Despite the frequency of cyber attacks in recent years, most businesses lack an incident response plan (IRP) that outlines what steps to take and who is responsible for the response following a security breach. As many as 75 percent of companies have no IRP in place, according to the Ponemon Institute.
And that’s a problem. Without an IRP, it’s hard to minimize the damage of a security breach if you’re unclear on what to do. Businesses can lose precious time trying to figure out what actions to take. Some malware infections spread at lightning speed once a network has been breached. And as we saw in May 2017 with the WannaCry ransomware outbreak, infections can cross country borders and hop between continents in a matter of hours.
Having an IRP prepares a business, no matter how large or small, to deal with the unexpected. Trying to come up with a response plan after an incident occurs is already too late. IRPs prescribe the steps following an incident, who is responsible for what step, whom to notify and how to resume operations as quickly as possible. Remember, cybersecurity experts warn that for most businesses, a cyber attack isn’t a matter of if but when.
A response should be tailored to each company’s specific needs and circumstances, which means no two plans are exactly alike. But there are some fundamental components that each plan should include:
1. Build a Cross-functional Team
Responding to a security breach involves more than the people in charge of IT and cybersecurity. Technical staff are usually the first to spring into action following an incident as they seek to identify the problem, assess damage and start remediation, but the response also includes non-technical aspects. In addition to employees, it may be necessary to notify customers and suppliers about the breach, which means there is work to do for management and other teams such as PR, HR and legal.
2. Clarify Response Roles
Once the team is in place, every member needs to know his or her role and responsibilities, and exactly what steps to take immediately after being notified of a breach. For instance, the first steps for technical staff will be to identify and isolate infected systems and determine where the breach occurred and how far the infection has spread. Team members must be given the appropriate authority to take certain actions, such as taking a system offline, following an incident.
3. Define Security Incidents
The IRP must define what constitutes an incident, how to prioritize different types of incidents and what the appropriate steps are for each type of incident. An unsuccessful hacker attack may still require some sort of response, such as updating threat intelligence tools, hardening certain systems and notifying management. The National Institute of Standards and Technology (NIST) provides guidelines on what constitutes an incident and how to prepare for one.
4. Anticipate Hackers’ Moves
Companies have systems and databases that hold intellectual property and private data such as employee medical records and Social Security numbers. A lot of businesses also handle private customer and partner information such as payment card credentials and bank account numbers. These are the types of data hackers target for theft because they can sell the information for a profit on the black market. A response plan should include an immediate check of the systems that house this data to determine if they’ve been breached.
5. Specify Procedures
To remove any doubt as to how to proceed following an incident, the plan should be detailed and clear in its prescribed steps for recovery. It should include contingencies such as having to resume operations from an alternative location, in case of damage to a building, and how to access remediation tools from a remote site or from mobile devices if the breach occurs after hours or when response team members are away.
6. Document and Communicate
Without proper documentation, an IRP’s effectiveness is limited. Every single action, process and procedure should be faithfully documented in clear language and shared with everyone involved in the response. All employees should receive an appropriate version of the plan, be required to read it, and sign an acknowledgment that they have done so.
7. Test the Plan
To ensure a response plan is effective, businesses should test it periodically, drilling all relevant parties with exercises and simulations. Testing is critical because it is bound to reveal weaknesses and omissions you wouldn’t want to discover after a breach has already occurred.
A planned response to a cybersecurity incident saves valuable time when an incident occurs. Knowing exactly what to do, when and how helps to minimize the extent of the damage. With that in mind, any business that has yet to prepare an IRP should start working on one now.
Seven Steps to a Stronger CyberSecurity Stance.