The crucial steps to ensure your Cyber Incident Response plan will work

You toil tirelessly to protect your company from cyber security threats, but with an average of 686,961 attempts made on businesses in the UK in 2020 to breach their systems online, we must accept that at least one could be successful. In that event, it’s crucial that you have an incident response plan that can be activated as soon as a breach is identified, to mitigate the damage it could cause. In this article, with the help of expert Chris Basnett, Head of Response Services at MDSec, we’ll walk you through what you must think about to create a plan that best fits your company’s needs. You cannot afford to wait until a breach happens; you must prepare now.


Let’s start by explaining what we mean by a cyber incident response plan.


What is a cyber incident response plan, and why is it so vital for a business?

Founder of RankedRight, Thomas MacKenzie (TM): Any business with valuable information to protect must have a response plan in place that sets out the steps it will take to respond to a breach. This can include who takes charge of the operation, which backup systems and procedures will be put in place, as well as who should be contacted, e.g. from crisis comms consultants and insurers to law enforcement and customers.


Chris Basnett (CB): Yes, and it’s vital to a business for multiple reasons, but most fundamentally, without this process, responding to an incident can become significantly more stressful than it needs to be and ultimately typically results in a greater impact to the business, be it in terms of incident timespan or additional cost.


Every business, regardless of size, has a lot to lose in the event of a cyberattack, but small and medium-sized enterprises are less likely to have the resources that larger firms can call on to support incident response. In fact, getting experts in to support the development of an incident response plan may be too costly for some businesses…


What are the most important things to consider when building a cyber incident response plan yourself for the first time?

CB: You have to consider the requirements and risks that you have as a business. I’m a firm believer that one size doesn’t fit all.


Try to keep it simple and specific, especially for a smaller business with limited team bandwidth. Some core questions to ask yourselves:

  • What is the data that I hold and why does it matter?
  • Who would I need to tell if I did suffer a breach/incident? Are there any deadlines for notification (think GDPR)?
  • Who internally is going to lead the response effort, and who is accountable for any data loss?
  • What are the core steps I’ll need to take to recover?


TM: By listing all the possible incidents that could happen, along with likelihood and impact, you can try to cover as many scenarios as possible. And don’t rule out the likelihood of experiencing multiple high-impact incidents at once. This can seem like a lot of information to manage but keeping on top of the vulnerabilities your business systems have via a tool like RankedRight will make part of the process easier.


Who should be involved in the plan-building process and why?

CB: Consider the key stakeholders, key decision makers and those ultimately accountable if worse comes to worst.


How often should you review your Incident Response plan?

TM: This type of plan is not a set-it-and-forget-it thing. The types and severity of attacks are forever changing, and you need to keep checking your plan to ensure it covers every eventuality, as well as changes in systems, regulations and more.


CB: I like to think of an Incident Response plan as a “living document” which gets added to over time. That being said, quite often when I’m reviewing plans for our customers, they have hugely in-depth, complicated documents that have grown over time and that ultimately get ignored.


Keep it relevant, appropriate and simple, especially for smaller organisations. Make sure the information is up-to-date too. I personally don’t like including specific individuals within a plan as it just makes it more difficult to maintain; stick to roles where possible. And make sure you have clear version control so you don’t have multiple copies with differing information!


How should such a plan be stored?

TM: It’s crucial that it’s easily accessible – the last thing you want to be doing in the event of a breach is spending valuable minutes (or even hours) hunting through folders for the plan. It might even be that your plan is saved on a system that as a result of the breach is no longer accessible.


CB: Exactly, that is why I recommend holding hard copies of the plan.


Anything else?

CB: Keep it simple and specific for your business needs. The most effective plans are the ones that can be followed easily.


TM: Yes and on that note, it needs clear lines of communication – this is key when creating an incident response plan. The information needs to be as streamlined as possible and the lines of communication need to go up the chain of command all the way to the board.


CB: Also, make sure you test the plan against all scenarios to ensure that it is appropriate and functional, just like you would a fire drill. If you don’t actually test an emergency plan, how will you know whether or not it works? Getting together at regular intervals to work out what would happen in the event of a real incident can help your business hone its response and make sure everyone knows what they’re expected to do and when. RACI matrices are hugely helpful during an Incident, so consider adding one to the plan.


Finally, technical playbooks don’t belong in an Incident Response Plan but should be referenced.


Creating a cyber incident response plan is vital for any business. As much as it may seem like there’s too much cybersecurity work to do as it is, the simple act of having a plan could save your business from losing weeks or months’ worth of work and customer data in just seconds.