5 Steps To Develop An Incident Response Plan

By Michelle Drolet

Founder & CEO

It’s almost a no-brainer that all organizations, regardless of their size, need some form of cybersecurity. Cybersecurity not only means protecting your digital assets against a cyberattack; it also means planning for the inevitable. What if your data is breached or your systems are attacked? Seems pretty obvious, doesn’t it? The data, however, tells another story.

A recent survey by the U.K. government has revealed that only 16% of all U.K. businesses have formal incident management plans in place. Another study by the Ponemon Institute on large enterprises (via Security Intelligence) revealed that almost 77% of businesses still do not have a cybersecurity response plan in place. This is courting disaster.

Cost Of Data Breaches On The Rise

IBM’s latest study states that the average cost of a data breach rose nearly 12% over the last five years and estimates the current average cost of a breach at $4 million. That’s not all — according to the latest estimates, it takes almost 279 days on average to detect and contain a breach. This means that attackers have ample time to access sensitive information, monitor activity and launch further attacks.

Time Is Money

Research indicates that the faster you can detect and respond to an attack, the less you are likely to pay for it. Let’s not forget that we are entering an era of cyber regulations. Incident response management is a critical component of regulations like the European Union’s GDPR and California’s Consumer Privacy Rights and Enforcement Act. Frameworks such as ISO 27001/2 also require incident response measures. Failure to comply with these regulations can attract severe penalties. For example, in the case of GDPR, penalties can reach up to 4% of global annual turnover or $22 million, whichever is greater.

Incident Response Should Be Proactive

Most people think of “incident response” as something that happens only after a security breach, but the work has to be done beforehand. Incident response processes should be well documented and communicated, establish concrete roles and responsibilities, and be reviewed and tested on a regular basis. Just as cyberthreats and regulations continue to evolve, incident response processes, tools and methods must also be updated and adjusted to keep pace.

Building A Formal Incident Response Plan

While there isn’t an ideal approach to building an incident response plan, there are best practices laid out by the NIST framework and other standards like ISO 27001/2 and ISO 27035 that companies can use to prepare for incidents and business continuity. Here are five steps that can get you started:

1. Understand What’s At Risk

It’s difficult to plan for incidents if you don’t know what’s at stake. One of the first steps in building an effective incident response plan is a risk assessment. This involves analyzing the organization’s environment, critical infrastructure, sensitive applications, data and intellectual property and determining essential services that are important to maintain business continuity.

2. Assemble An Incident Response Team

An incident response team is a group of trained professionals who help create the framework, analyze incidents, coordinate findings and take ownership of tasks following an incident. This team could include a manager who can oversee and take responsibility for coordination and stakeholder communication in the event of a breach. Depending on the size of the organization, the team may include a director, an IT manager, a facilities manager, general counsel, a marketing and communications or PR manager, and others.

3. Document And Develop An Incident Response Plan

It might also be a good idea to do a business impact analysis (BIA), which can help determine and prioritize activities for recovery following a breach. Focus on the critical assets first, and determine who owns those assets and what the expected response times should be. Document a reporting process in the event of a breach — who owns the critical communications process? Which stakeholders need to be involved? What is their contact information? The complete process needs to be documented and shared with the entire IR team, management and key stakeholders so that they all understand their roles.

4. Include An Incident Recovery Strategy

Incident response and recovery is the process of fixing and restoring data and systems so that everything can return to normal as quickly as possible. A regular backup and recovery process helps ensure that both data loss and the scale of the impact are minimized. Not all breaches require disaster recovery, but it’s always a good idea to have the infrastructure in place in case data loss occurs, so that recovery can be as effective as possible.

5. Training, Drills, Repeat

It’s crucial that everyone in the organization understands the need for such a plan so that there is full employee cooperation. It’s also a good idea to use simulation tools to educate employees on best security practices. Once a plan/framework has been built, run a drill to test the effectiveness of the plan. Using the help of a security partner, identify scenarios that could be based on a vulnerability scan or a penetration test. Design mock communications for these potential breaches. Give assignments to legal teams, PR, management and other stakeholders involved. Finally, ensure that the incident response plan is reviewed, communicated and updated at regular intervals.

Breaches are a nightmare that no organization wants to experience. It’s crucial for medium and large organizations to have a contingency plan ready in case of a major attack or breach. It might also be a good idea to rope in an expert or a cybersecurity partner that specializes in the topic.

This article was originally posted on Forbes.com.