A Guide to Creating an Incident Response Plan
Cyber-crime is one of the direst threats facing modern businesses today.
Global cyber-crime damages are set to exceed $6 trillion each year by 2021.
Despite the growing threat of cyber-attacks, more than half of businesses that suffered an attack didn’t anticipate making any changes to their security measures in the following year.
Increasing cyber-attacks will help triple the number of unfilled cyber-security jobs, reaching 3.5 million by 2021.
So how exactly do you prepare for the especially bleak future that these statistics are hinting at? By creating an incident response plan.
An incident response plan gives you the thought-out guidance you need in order to handle a cyber-attack effectively, whether it be malware, ransomware, or a DDoS attack. It will also help you evaluate which aspects of your business are most at risk and how you can mitigate damage after a breach.
In the end, a strategic and comprehensive incident response plan can be the difference between a thwarted attacker and a multimillion-dollar loss. Here’s how to create an incident response plan that works.
Step 1: Take Stock of What’s at Stake
The old saying, “Hope for the best, plan for the worst,” undoubtedly applies to cyber security. As in any other endeavor, a worst-case mindset will help you identify which aspects of your business are the most critical, especially if an attack succeeds.
If a cyber-criminal attacked your company, which of your assets would cause the most damage if compromised? Which would cause a chain reaction affecting multiple other systems?
Really take the time to perform an asset audit and try to put a quantifiable figure on each asset. This will help you prioritize which assets need to be surrounded with additional security, as well as which systems will cause further problems if they are attacked.
After all, cyber-attacks have become far more sophisticated over the years, and one well-informed attack can end up toppling an entire company.
Step 2: Evaluate Your Risk Potential
In the same vein as asset evaluation, you’ll also have to take a hard look at what kinds of vulnerabilities your company is facing.
Do you have a significant number of employees with email accounts? Phishing might be a priority for you.
Is your company heavy on data processing? You may be at risk from faulty code.
Wi-Fi networks, unapproved hardware, and unsecured networks may all come into play too.
The key here, however, is to really do your research and think through as many possibilities as you can. Many vulnerabilities will only appear obvious after an attack, making it especially difficult to respond effectively. What’s more, the average amount of time a hacker spends inside systems before being discovered is actually 200 days or more.
The more time you put into this phase, then, the better able you’ll be to actually prevent an attack rather than just dealing with its aftermath.
Step 3: Start Building an Action Plan
Now that you’ve determined the value of your assets and dug deep into the kinds of risks your company is exposed to, it’s time to put policies in place that govern how to react to specific situations.
These detailed and comprehensive courses of action, called playbooks, walk your incident response team through each critical step of the resolution process without their having to worry whether they’ve missed any crucial elements.
These playbooks should contain seven core steps:
- Prepare
- Detect
- Analyze
- Contain
- Eradicate
- Recover
- Post-Incident Handling
Of course, the structure and content of each playbook will undoubtedly vary depending on your company, your specific risks and assets, and the particular threat you’re facing. However, effective resolution of most cases will require going through each of these steps.
Step 4: Form an Incident Response Team
Carrying out your carefully planned incident responses according to your playbooks requires precise coordination and implementation. In most cases, it simply is not a one-person job.
That’s where your incident response team comes in. These team members are assigned specific roles with individual responsibilities to help improve the efficiency of the team and to help mitigate as much damage as possible in the event of an attack.
Obviously, these roles and the extent of their duties will vary among businesses (according to budget, scope of risks and assets, complexity of systems, etc.). However, there are a few main roles that most companies will consider necessary for any incident response team, including:
- Incident Response Manager
- Security Analysts
- Threat Researchers
- IT Director
- Documentation Leader
You’ll also want to be sure your team members are taking special care to document a number of essential key performance indicators throughout the event to inform future strategies and bring a quantifiable aspect to the event.
Step 5: Get Your Workforce Involved
Employee training is key when it comes to responding effectively to a cyber-attack. You may build a perfect incident response plan that is successful, foolproof, and comprehensive, but it won’t mean a thing if your employees don’t know about it or how to use it properly.
That’s where training comes in. Dry runs beforehand are absolutely instrumental: even when everything is written out on paper, the heat of the moment can still lead to a number of potentially disastrous mistakes.
What’s more, these training sessions will not only help your incident response team get more comfortable; they will also help you identify areas that need to be improved, clarified, or expanded upon. And when you learn that before an actual attack rather than afterwards, you’ll more than recoup the resources you spent.
An Incident Response Plan: Your Best Line of Defense
In an increasingly hostile digital world, cyber security is becoming a top concern for corporations, businesses, and individuals alike. And while advanced defensive systems can aid in holding back hackers, a sophisticated and strategic incident response plan can help you quell the threat and mitigate the damage even further.
These five steps will help you build the foundation of a solid incident response plan to keep your digital information safe, secure, and out of the hands of cyber terrorists.