The threat of cyber security incidents looms over all organisations. There are simply too many things that can go wrong – whether it’s a cyber attack, a technical malfunction or another delay – to assume that operations will always be functional.
And when disaster strikes, time is of the essence. The longer it takes to respond, the more likely it is the costs will escalate.
That’s why it’s essential to have an incident response plan. By preparing for the inevitable, you can act quickly to identify and mitigate the damage.
In this blog, we look at five ways you can build an effective incident response plan.
1. Understand cyber security incidents
You won’t be able to manage incident response effectively if you don’t understand the risks your organisation faces.
Incidents come in many forms, and each one needs to be managed appropriately. A phishing attack works very differently from, say, an electrical fire, so organisations must prepare for each accordingly.
As IT Governance Cyber Incident Responder Cliff Martin notes: “What is crucial here is that organisations understand what normal is within their environment and what the potential risks are.
“If an organisation doesn’t know what normal looks like, how would they ever detect the abnormal or malicious?”
An information security risk assessment, conducted annually or whenever you make significant changes to your organisation, will help you answer those questions, as you review the way your sensitive information is used and how issues may arise.
2. Make sure your scope is appropriate
The list of risks you identify will be incredibly long, and, realistically, you won’t be able to handle them all.
You should therefore decide which risks to prioritise. Your decision should be based on an assessment of the potential damage of each threat and the likelihood of it occurring.
3. Create an incident response plan
With your most important threats identified, it’s time to create an incident response plan to deal with them. This is a six-step process:
- Preparation: the policies, procedures, governance, communication plans and technological controls you’ll need to detect a security incident and continue operations once it occurs.
- Identification: organisations need to be capable of detecting a potential incident. They should understand what information is available and where it comes from. Logs also need to have integrity: can you be confident that an attacker hasn’t changed them?
- Containment: the way you’ll isolate the problem and stop it causing further damage.
- Investigation: this should confirm what has happened and answer any other questions that the organisation has.
- Remediation: the process of returning to business as usual.
- Lessons learned: the processes for assessing procedural and policy implications, gathering metrics, meeting reporting and compliance requirements and identifying what lessons need to be learned.
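The Identification step above asks whether you can trust that an attacker hasn’t altered your logs. One defensive pattern that makes tampering detectable is a hash-chained log with a keyed seal over the chain head. The example below is added here to illustrate that pattern; it is not code from IT Governance or from the original post. The log lines are constructed samples, and the seal key is a hypothetical secret that is assumed to live on a separate log collector, not on the host that writes the log.

```python
import hashlib
import hmac

# Constructed sample log lines for the demonstration (not real events).
SAMPLE_LOG = [
    "2024-01-05T09:12:01Z sshd[412]: Accepted publickey for alice from 10.0.0.7",
    "2024-01-05T09:14:22Z sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "2024-01-05T09:20:45Z sshd[519]: Failed password for root from 203.0.113.9",
]

# Hypothetical seal key. The assumption is that it is held by the log collector
# and never present on the host whose logs are being protected.
SEAL_KEY = b"example-seal-key-kept-on-the-collector"

# Fixed starting hash for the first record in the chain.
GENESIS = "0" * 64


def _link_hash(prev_hash, line):
    """Hash that binds a log line to everything that came before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def build_chain(lines):
    """Turn plain log lines into (prev_hash, line) records.

    Returns the records and the final head hash of the chain.
    """
    records = []
    prev = GENESIS
    for line in lines:
        records.append((prev, line))
        prev = _link_hash(prev, line)
    return records, prev


def seal(head_hash, key=SEAL_KEY):
    """Keyed seal over the chain head, computed where the key lives."""
    return hmac.new(key, head_hash.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_chain(records, seal_value, key=SEAL_KEY):
    """Check a stored chain against its seal.

    Returns (True, None) if intact. Otherwise returns (False, index) where
    index is the first record whose link does not match, or len(records) if
    every link is consistent but the head does not match the seal (which is
    what a rewritten tail or a truncated log looks like).
    """
    prev = GENESIS
    for index, (stored_prev, line) in enumerate(records):
        if stored_prev != prev:
            return False, index
        prev = _link_hash(prev, line)
    if not hmac.compare_digest(seal(prev, key), seal_value):
        return False, len(records)
    return True, None


if __name__ == "__main__":
    records, head = build_chain(SAMPLE_LOG)
    head_seal = seal(head)
    print("intact:", verify_chain(records, head_seal))

    # Simulated alteration of the first record (edited after the fact).
    edited = list(records)
    edited[0] = (edited[0][0], edited[0][1].replace("alice", "mallory"))
    print("edited first line:", verify_chain(edited, head_seal))

    # Simulated removal of the most recent record.
    print("truncated:", verify_chain(records[:-1], head_seal))
```

A plain hash chain on its own only proves the records are self-consistent; someone who can rewrite the log file can rewrite the chain too. The keyed seal is what turns that into evidence: as long as the key and the sealed head are stored somewhere the logging host cannot write to, any edit, insertion or truncation shows up as a verification failure at a specific record.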
4. Train your staff
The success of your incident response plan hinges on how well your staff execute it. This includes not only the people responsible for creating and executing the plan but everyone in your organisation.
After all, their work may be disrupted when the plan takes effect, so you need to make sure they’re prepared. That means making them aware of the plan, explaining why it’s in place and providing the necessary training that allows them to follow it.
Cliff Martin explains: “Staff should be aware of what to look for and, if they do suspect an incident, know who to contact.
“Staff are an organisation’s first line of defence. There is nothing worse than a member of staff who is embarrassed to let someone know they did something by accident because they’re scared of the response.”
He adds: “Roles, responsibilities, dependencies and authorisation are [also] key. Is the incident team authorised to make the difficult and key decisions that could impact the organisation’s operations?”
5. Ask for help if you need it
As prepared as you may be for a cyber security incident, attackers are getting increasingly sophisticated, and it’s not uncommon for security teams to come across a threat they’ve not seen before or aren’t able to handle.
If that happens, don’t be afraid to seek help from a third party. There’s no substitute for experience, something many organisations already know.
According to ESG Research, 34% of organisations say their biggest challenge when it comes to incident response is that they lack the skilled resources to investigate, identify and respond to the cause of an attack.
Indeed, many of the mainstream data breaches that you read about note that the affected organisation sought expert help.
As such, you shouldn’t be afraid of doing the same – and if you’re looking for someone to provide that help, IT Governance is here to help.
Our Cyber Incident Response service provides the support you need to deal with the threat, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.
A version of this blog was originally published on 11 June 2018.