10 Simple Steps to A Successful Incident Response Plan

10 Simple Steps to A Successful Incident Response Plan on cyberguard360.comA well-crafted plan can be the difference between a thwarted cyber-attack – and a multi-million-dollar loss

Cybercriminals are waging war on American business, with ransomware attacks alone surpassing 4,000 a day. It’s only a matter of time until something sinister slips past the tightest defenses – and if it isn’t shut down quickly, it can have an alarming impact on a company’s bottom line.

Incident response plans give companies clear guidelines for limiting damage and reducing recovery time and costs after a cyber-attack. Unfortunately, most companies fail to take advantage of their benefits.

Nearly 80 percent of businesses do not have a formal cybersecurity incident response plan – and of those that do, only 27 percent say it is applied consistently across the company, according to a 2018 Ponemon Institute report. More than 25 percent describe their plan as “ad-hoc.”

A detailed incident response plan can be the difference between a thwarted attacker and a multimillion-dollar loss of customer data and company reputation. It can help strategically evaluate which aspects of a business pose the biggest risk – and puts tested security procedures in place before attacks happen, so companies aren’t scrambling to respond on the fly.

Several federal and state regulations – including New York’s first-in-the-nation cybersecurity law, 23 NYCRR 500 – require covered companies to create an incident response plan to protect sensitive data from cybercrime.

For a plan to work, it’s critical for its creators to truly understand what’s important to the business, outline the roles specific people should play in the response, determine how response happens now, and pinpoint what needs to change in the future. These 10 simple steps will help you build an incident response plan that can help prevent cybercrime from having a catastrophic impact on your company:

Step 1: Audit Your Assets

Consider your company’s IT infrastructure to determine which parts are most critical – and what would cause the most damage if compromised. Are there systems that could open the door to other parts of your business? What would lead to revenue loss in the event of a system failure? By obtaining a true understanding of what matters most, you can prioritize your security measures.

Step 2: Evaluate Your Risk

Take a hard look at what kinds of vulnerabilities your company faces. Are there a significant number of employees with company email accounts? Preparing for phishing schemes should be a priority. Improperly updated Wi-Fi equipment, unapproved hardware, and unsecured networks are red flags. Dig deep into the possibilities. If holes only become apparent after an attack, it will be hard to respond effectively.

Step 3: Get the Right People Involved

A successful incident response plan requires collaboration across the company, not just those tasked with responding to the breach. For example, if credit card information is lost, a company may need to involve business areas that include information security, legal, web developers, public relations, customer support, and critical business teams.

To make sure the incident response plan works, those people should also be involved in creating it. Business teams are especially important because they are best-positioned to predict any negative impacts from plans of action that IT may not foresee.

Step 4: Determine Which Incidents Require A Response

To ensure that your security team is focused on the most serious issues, your plan should specify which incidents should be acted on and which should be ignored. For instance, do attempted attacks count as incidents, or does the attacker need to be successful to warrant a response? (The answer is that yes, attempted attacks do require a response that at least includes reporting the attempt.)

The incident topology from the National Institute of Standards and Technology can be a useful guide to creating these protocols for your company.

Step 5: Form A Solid Response Team

Your incident response team must be able to detect, respond, mitigate damage, report, recover, and debrief within a set time frame after an incident. Team members should be assigned specific roles to maximize efficiency and help mitigate as much damage as possible after an attack.

The roles will vary among companies but typically should include an incident response manager, security analysts, threat researchers, a documentation leader, and the IT director. It’s also a good idea to involve managers from departments whose operations are most likely to be affected if systems go down.

Step 6: Design Quick Response Guides

Your incident response team must be ready to respond as soon as a threat becomes apparent. Your plan should include quick response guides that address specific systems and scenarios. Be sure to include the most likely scenarios, how to check them, and what steps should be taken to correct the damage and restore your systems to full operation. Keeping a physical copy is wise in case of a complete network or system failure.

Step 7: Test and Review Your Plan Regularly

Running tests that simulate a breach is the best way to keep your plan updated, prepare for ever-evolving cyber challenges, and identify weak spots that need to be addressed. The plan should also be reviewed regularly to make sure changes aren’t needed as the company grows.

Step 8: Establish Protocols for Disaster Recovery

Every attack won’t lead to a disaster recovery scenario, but it’s wise to have protocols in place if they are needed. Don’t forget to make sure your virtual environment is backed up!

Step 9: Create A Communications Strategy

Good communication is essential to an incident response. Have a strategy in place to alert third parties and internal teams who will be involved in the response. Law enforcement should also be notified.

Step 10: Practice Makes Perfect

Even if you build the most fool-proof plan, it can’t serve its purpose if your employees don’t know how to execute it properly. Employee training is critical to an effective response. Even when instructions are written out, the stress of the moment can lead to mistakes if employees haven’t practiced the proper steps. Dry runs will also help you identify instructions that need to be improved, clarified, or expanded before an attack occurs.

Headlines filled with massive data breaches against high-profile companies like Equifax prove that there is no such thing as an impenetrable system. Most companies do not have the resources or knowledge to create an incident response plan that details the actions employees should take after a breach. A cybersecurity provider can help companies design, implement, and integrate a comprehensive plan that mitigates damage and gets the business up and running quickly in the wake of a cyber-attack.

CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, and training and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.