Creating a Cyber Security Incident Response Plan

The number, sophistication and severity of cyber attacks is increasing, and any business handling customer data, which can be easily monetised, is a top target. A data breach will almost certainly put your reputation in jeopardy, so it's vital to be prepared to handle the incident itself, and communicate the event internally and externally. Since crisis-driven decisions will only worsen the impact, now is the time to put an incident response and disclosure plan in place for your business, and ensure everyone is aware of the resilience measures you have put in place.

Building an appropriate cyber security response plan

Tip #1: Know what you're protecting and why

Draw up a complete inventory of your IT assets, so you can see what systems and data are at greatest risk, and prioritize their protection according to how critical they are to delivering business outcomes. A business impact analysis (BIA) will help you determine what sensitive data needs defending and why. Evaluate the potential fall-out from an attack that exploits a moderate or severe security hole – that should include the costs of data loss, reputational damage, legal fees, customer abandonment and extended operational disruption.

Tip #2: Working out what's just hit you

The faster an attack is detected, the more effective your damage limitation measures will be; the longer it goes undetected, the more information can be stolen. Incidents don't generally emerge fully-formed – they tend to start off as a series of indicators. So define the parameters, severity levels and standards for when and how an incident is declared. Also consider how you will preserve any evidence while containing or eradicating threats.

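The two practical points in this tip, a documented rule for when a run of indicators becomes a declared incident and a way to preserve evidence without losing its integrity, can both be written down as code. The following is an added example, not something from the original article: the indicator names, weights and thresholds are constructed placeholders that a real plan would derive from its business impact analysis, and the "evidence" is a constructed byte string standing in for a collected log or disk image.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed indicator weights (hypothetical; a real plan derives these from its BIA).
SEVERITY_WEIGHTS = {
    "failed_logins_burst": 1,
    "outbound_to_unknown_host": 2,
    "new_admin_account": 3,
    "mass_file_encryption": 5,
}

# Constructed declaration threshold: a combined score at or above this declares an incident.
DECLARE_THRESHOLD = 4


def score_indicators(indicators):
    """Sum the weights of recognised indicators; unrecognised names score 0 but are reported
    so that gaps in the catalogue surface during exercises rather than during a real event."""
    score = 0
    unrecognised = []
    for name in indicators:
        if name in SEVERITY_WEIGHTS:
            score += SEVERITY_WEIGHTS[name]
        else:
            unrecognised.append(name)
    return score, unrecognised


def classify(score):
    """Map a numeric score onto the plan's severity scale (constructed bands)."""
    if score >= 7:
        return "critical"
    if score >= DECLARE_THRESHOLD:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def evaluate(indicators):
    """Apply the written declaration standard to a set of observed indicators."""
    score, unrecognised = score_indicators(indicators)
    return {
        "score": score,
        "severity": classify(score),
        "declared": score >= DECLARE_THRESHOLD,
        "unrecognised": unrecognised,
    }


def preserve_evidence(item_name, data, collected_by, manifest):
    """Record a SHA-256 digest, size, collector and UTC timestamp for a piece of evidence.
    The manifest is the chain-of-custody record; the digest lets anyone later prove
    the copy they are examining is the one that was collected."""
    digest = hashlib.sha256(data).hexdigest()
    manifest.append({
        "item": item_name,
        "sha256": digest,
        "size": len(data),
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    })
    return digest


def verify_evidence(data, manifest_entry):
    """True only if the bytes still match the digest recorded at collection time."""
    return hashlib.sha256(data).hexdigest() == manifest_entry["sha256"]


if __name__ == "__main__":
    # Constructed observations for one host during a drill.
    observed = ["failed_logins_burst", "new_admin_account", "outbound_to_unknown_host"]
    print(json.dumps(evaluate(observed), indent=2))

    # Constructed evidence: a captured authentication log, preserved before containment.
    auth_log = b"2024-01-01T00:00:01Z sshd: Accepted password for svc_backup from 203.0.113.7\n"
    manifest = []
    preserve_evidence("auth.log", auth_log, "analyst-on-call", manifest)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_evidence(auth_log, manifest[0]))
```

The point of separating `score_indicators`, `classify` and `evaluate` is that each part of the declaration standard can be changed and re-tested on its own when the plan is refreshed, and the manifest written by `preserve_evidence` is what lets the team prove later that containment did not alter what was collected.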
Tip #3: Determine what needs to be done, when and by whom

Cyber security is often seen as an IT problem, so attacks tend to be addressed tactically from an IT perspective. But it is vital to include the wider business too – for example, how you will communicate the event to customers and stakeholders, or deal with legal and compliance issues. Think beyond technology to people and processes. Clearly define who is responsible for each step in your response cycle: from the technical staff who will get systems back up and recover compromised data, to the HR, legal, communications and leadership representation needed to address the broader implications. Don't forget post-incident activity and the process of getting back to business as usual.

Tip #4: Test, rinse and repeat

Your incident response plan will need to be extensively documented, tested and validated before you can determine whether it's reliable. Your response team will need to rehearse the plan through drills, desktop exercises or full-scale simulations involving all levels of the business, to mimic the technical, operational, communications and strategic responses required for a real-life cyber incident. After these exercise scenarios, they should review how the plan performed and make any improvements identified. And don't forget, your plan may become stale over time, so it needs to be refreshed at least annually or whenever there are any major changes to your business or IT set-up. A lack of change management is the reason most plans fail, all the while duping the business into thinking it is covered.

Tip #5: After the event

All tests reveal things that need to change to keep plans fit for purpose. Having identified the gap in your defenses, it's vital to reassess and bolster your security measures to prevent a similar breach in the future. It's also important to learn lessons from adversity, so your plan should include steps on how you will investigate the incident thoroughly, document the changes made, communicate valuable insights, and update key information, controls and processes.

Tip #6: Ask the experts

For lean, agile businesses, outsourcing your cyber security incident response capability can give you the confidence that a breach will be dealt with effectively and appropriately. Third-party services can include incident management, intrusion analysis, log analysis, forensic imaging, malware analysis, reverse engineering, mitigation advice and general guidance on best practices. You should have the option to specify the level of response support you need, from telephone-based triage to onsite assistance. A provider with a heritage in resilience and continuity will treat cyber incident response as one part of that broader capability and will have a firm grasp of its principles.