Maksim Kabakou - Fotolia
Prepare for your worst day: How to create a cyber incident response plan
What goes into a good incident response plan, and what steps should security professionals take to ensure they are appropriately prepared for the almost inevitable attack, and secure buy-in from organisational leadership?
Cyber threats and cyber attacks have increased in frequency and become more sophisticated in the past few years. Industry observers see the threat landscape constantly shifting, with some kinds of attacks rising and others declining but, overall, risks are ever-present for organisations of any size, in every industry and region of the world.
Few organisations have the resources, skills, experience, and capabilities required to run a cyber security team around the clock and stay up to speed with cyber criminals who continuously change their tactics, techniques, and procedures (TTPs) to evade defences.
When experiencing a cyber attack, in addition to the immediate business disruption that organisations will face, perhaps because of their data being encrypted or their IT systems being taken offline (either by the cyber criminal, or the owner who needs to protect them), their data and intellectual property might be stolen or leaked online – even if they do pay the ransom fee demanded. This, in turn, can lead to serious reputational damage both with internal and external stakeholders and with customers and regulatory bodies – who may also penalise them with fines for not safeguarding data properly. On top of all this, fixing any damage to the IT infrastructure can take a long time and be very expensive, as can be any loss of business in the meantime.
So, time is of the essence when responding to a cyber incident. The faster an organisation acts to contain the incident and eradicate the adversary, the less damage will be done.
The good news is that all these risks can be minimised by preparing thoroughly. By planning how to respond to a cyber attack, which is often a very stressful time, you will take a lot of the worry, uncertainty and panic out of the situation if the worst does happen. Think of it the same way as preparing for any other potential emergency. You need all your team members to know their particular roles, be well drilled and communicate clearly with each other and with the organisation’s stakeholders – both internally and externally.
The basic principles apply to organisations of any size and complexity which are experiencing a crippling incident anywhere, at any time of the day or night.
Get ready to respond to an incident
Readying your organisation to respond to a cyber incident is a multi-step process, and one that must be continually adapted. Having a cyber incident response plan is one thing, but just as you need to exercise your fire escape plans, you should be exercising your incident response plans as well – and making sure people are aware of them and know what their responsibilities are during an incident. A critical step is conducting specific training for executive and board-level members. This will help them to make informed decisions to achieve their strategic business goals in the event of a cyber incident. This will also go a long way towards getting senior managers on your side and allowing them to understand the seriousness of cyber security and the consequences of failing to plan adequately for the worst possible eventuality.
There are four key phases to consider when developing your incident response processes:
- Plan. In the first phase, you’ll need to define the training, identify key stakeholders, measure your organisation’s security maturity, and identify quick wins. This is the time to establish a clear mandate with measurable objectives, key performance indicators (KPIs) and action plans.
- Get the board on board. Next, work on demystifying cyber security, adopt business-focused language, and elevate key issues to executives and the board. Spend some time identifying the benefits and opportunities that come with improved cyber resilience and embed cyber security into the organisation’s thinking and behaviour.
- Build processes and playbooks. There are several different types of cyber attack and an effective plan will enable you to prepare for them all, including business email compromise (BEC), ransomware attacks, malware attacks, insider threats, which can be just as damaging as external threats, and data loss (accidental and malicious).
- Practice. No organisation is fully prepared unless they put their plans into practice. It will pay dividends to test plans, playbooks, and teams. This valuable exercise can help with team building, allow individuals and teams to learn lessons and develop, and teach them what to be aware of to improve the organisation’s response.
By running through this whole series, you’ll quickly identify if you’re missing any of these components, where you’re weakest and need to improve planning, communication, practice drills, or all three.
It’s well-known that we’re now in an era when it’s not if but when any organisation will be hit by a cyber attack. So, it’s crucial to build the capability to respond to security breaches quickly, decisively, and effectively to minimise business disruption. And it’s equally essential to be able to get the business up and running safely and maintain the trust and confidence of internal and external stakeholders, the market and industry regulators. The adage ‘failing to plan is planning to fail’ couldn’t be truer than in incident response preparation.
Extra safety nets
If an organisation doesn’t have the skills and knowledge in-house to prepare properly then they might want to consider arranging for an incident response retainer with an external service provider. A retainer is an extra safety net in the event of a cyber incident. It can help organisations to minimise any damage, recover IT systems quickly to get their business up and running again, and maintain internal and external stakeholders’ confidence and trust.
In addition to having a cyber security partner and incident response plan, cyber insurance offers an extra safety net year-round. However, as the number of cyber incidents has increased, so has the cost of cyber insurance. Cyber insurers are increasingly asking their customers to share the expense and the risk. And while cyber insurance should cover any financial losses and legal costs, it won’t guarantee that cyber attacks don’t damage the organisation in the first place.
James Allman-Talbot is head of incident response and threat intelligence at Quorum Cyber.
The Computer Weekly Security Think Tank on incident response
- Mike Gillespie, Advent IM: Incident response planning is vulnerable to legacy thinking.
- Sam Lascelles, PA Consulting: Use existing structures to build your incident response plan.
- Jack Chapman, Egress: Incident response planning requires constant testing.
- Becky Gelder, Turnkey Consulting: Incident response plans: The difference between disaster and recovery.
- Chris McGowan, ISACA: Enhancing security: The crucial role of incident response plans.
- Theodore Wiggins, Airbus Protect: The plan for the inevitable cyber attack: Get the gist of NIST.
- Elliott Wilkes: ACDS: The best IR plans are well-revised and deeply familiar.
- Paul Lewis: Nominet: Breached? Don't panic .. if you created a robust IR plan.
- Mandy Adress, Elastic: Security incident response teams are human, too.