An incident response plan is defined as the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber-attacks or an organization’s information systems. In shorter, simpler terms, it’s the written plan your team has to respond to specific problems with your IT systems.
There are always scenes from our favorite TV shows and movies that connect to real life with us, but few mirror today’s topic better than Dwight’s massive overreaction on The Office. After being ignored about his fire incident response plan, he foolishly creates a fake fire that scares the entire office into a massive panic. Lots of laughs, lots of fun.
Dwight’s incident, the fire, needed a better plan. And as far as your business is concerned, this kind of panic-inducing drill – and this should probably go without saying but just in case – should never be anywhere near your IT department, or anywhere else.
Approved by CTOs typically, incident response plans, or IRPs for short, ensure that your team's response is as effective as possible. These kinds of plans are necessary to minimize damage caused by external cyber threats like data loss, abuse of resources, and the loss of customer trust
Why do you need an Incident Response Plan?
If your business hasn’t been the subject of a digital break-in attempt yet, the likelihood that it will be at some point is very high. The Accenture State of Cyber Resilience Study showed that a typical organization experiences an average of 230 security incidents per year. Now that may not be how many incidents your business has on its books, but as an average, the numbers are pretty stark.
An incident response plan is initiated when a break-in occurs, or at the very least it is deployed when a suspected break-in is occurring. However, according to IBM's Cyber Resilient Organization Study, only 26% of organizations have a cyber security incident response plan.
How does an Incident Response Plan help?
Regardless of how you solve the problem – and we’ll get into that shortly – the response plan you have to each incident can literally be the difference between staying in business and shuttering your doors. The good news is, IRPs aid your business more than just acting as a north star, namely:
- Data Protection — Securing backups, ensuring sufficient identity and access management, and timely patching of vulnerabilities.
- Reputation Reinforcement — Effective incident response shows a brand’s commitment to security and privacy, and can save a company’s reputation in the event of a breach.
- Cost Reduction — A study by IBM found the average cost of a breach is $4.35 million. Incident response planning can significantly reduce this cost by limiting the damage caused by an attack.
What does an Incident Response Plan look like?
Every incident response plan is going to be different because every scenario is unique to the organization and its key stakeholders. But just like every time we say “this is unique to your business” there are exceptions, namely six steps to effectively handle security incidents:
Perform a risk assessment that prioritizes security issues. Identify which are the most sensitive assets and which critical security incidents the team should focus on. Create a communication plan, document roles, responsibilities, and processes, and recruit members to the Cyber Incident Response Team (CIRT).
No matter what it is that’s going on in your system, your team should be able to identify when there’s a deviation in normal day-to-day operations and document the “Who, What, Where, Why, and How” as threats develop in real time.
Once your team has identified a security incident, the immediate goal is to contain the incident and prevent further damage in both the short and long term, using specifically tailored responses for each.
After the team has identified the root cause of the breach or attack, they should delete all malware and threats to prevent similar attacks in the future, patching vulnerabilities along the way.
There are few topics we’ve discussed less than the recovery step – downtime means dollars. Your CIRT should be able to bring all necessary systems back online while rebooting from a very recent save point.
No less than two weeks from the incident, gather the CIRT team to debrief about what happened and how it has been prevented from happening in the future.
If you are looking for specific plans and templates, this blog from Exabeam has an entire section dedicated to that. If you have an MSP or IT support, reach out to them to see if part of their service offering is to help create IRPs.
How do I develop an Incident Response Plan?
So you’re well aware at this point about why a response plan is important. In fact, you likely already have response plans on the books... at least, we hope so. But you may be unfamiliar with the production, from conception to finalization, of a proper IRP. If you are anxious to start writing one out, below is a step-by-step list to get you started.
- Decide what’s critical on your network
As we mentioned in the Recover step above, your team should already have a robust recovery system in place full of plenty of backups. If not, click here and read this before coming back. Anyway, this will determine what’s critical on your network and, in turn, what needs a plan for protection.
- Find, expose, and fix single points of failure
Do you have a Plan B for your software, hardware, networks, etc? Single points of failure can expose your network when an incident strikes. Address them with redundancies or software failover features. And do the same with your team – if someone can’t be there to fix a problem, find an understudy.
- Develop a system for working continuity
In the event your team can’t work in a normal way, like a natural disaster preventing them from gathering for normal work hours, they should be able to work remotely, for instance, and seamlessly continue their jobs.
- Draw up your IRP
Finally, it’s here! Draw up a formal incident response plan, and make sure that everyone, at all levels in the company, understands their roles. An incident response plan often includes:
- A list of roles and responsibilities for the incident response team members
- A business continuity plan
- A summary of the tools, technologies, and physical resources that must be in place
- A list of critical network and data recovery processes.
- Communications, both internal and external.
- Train your staff to respond
They say the best laid plans of mice and men, or whatever, but the reality is a solidly trained team is what is standing between your business and a major problem. Get them up to speed and trained so they can response quickly and effectively!
Business Continuity vs. Disaster Recovery vs. Incident Response
While these terms overlap a whole bunch, they are actually separate and should be treated as such. The short answer is Incident Response is the whole process of identification, eradication, recovery, and more, while business continuity is the way to get your business back up and running after something, a disaster or accident, happened.
Incident Response Plans may seem like a redundant or extraneous step to some, but the reality is they’re incredibly critical to preserving your business. Plans are complex, but with a cyber incident response team at the helm, your chances of mitigating the fallout that can come from breaches and cyber security attacks is maximized!