Incident Response (IR) is how your team reacts to a security incident. In the most precise sense, an "incident" is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
In short, an incident is a problem with your information security. It could look like a data breach. Maybe an attacker found their way into your network and exported stores of client information. Incidents can also be non-malicious. Maybe a natural disaster sparks a power outage and makes your operational resources unavailable for a few days.
An incident response plan is a list of emergency contacts, run-books, escalation criteria, and other vital information to aid in the incident response process. A documented, socialized, and well-maintained plan enables your team to take immediate restorative action by getting all the necessary resources in coordination with one another. Every business should have an IR plan, regardless of its size or industry. Even a four-person shop needs a customized incident response plan that aligns with their company values.
What is an incident response plan?
Incident response planning is how you document the processes and resources you would use if your organization's data became exposed, unavailable, or otherwise compromised. An incident response plan helps your organization prepare for a cybersecurity incident and should outline how your organization should respond to disruptions to any of the CIA (Confidentiality, Integrity, Availability) triad.
The incident response plan is a document that predefines individual jobs, severity levels, run-books to respond to a security incident, and instructions for after-action meetings to gather insight from previous incidents or rehearsals. An IR plan might not address every type of security incident, but it includes information that would be useful in various incidents.
The plan should be stored somewhere where it is secure but readily available to those who need it. A healthy IR plan is reviewed and rehearsed regularly to ensure the response protocol is up-to-date and effective. It is best practice to review the names, roles, responsibilities, and contact information for all relevant resources in the plan at least annually. These resources may include legal teams, executives, public relations personnel, and incident response contractors.
Why is a Cybersecurity Incident Response Plan important?
Effectively stopping and recovering from a security incident requires a careful and coordinated effort from key members of your organization. An incident response plan helps you get those key individuals together and moving in the same direction. During an incident, an organization loses data, productivity, money, or control for every moment the threat actors are allowed to persist on the network.
In this type of high-pressure situation, figuring out which vendors to call could be a dangerous and expensive misuse of time. An IR plan would have those critical vendors and their contact information predefined to eliminate guesswork when time is of the essence. Follow these incident response plan steps in order to prepare for potential security threats.
How to Create an Incident Response Plan
Step 1: Choosing an Incident Response Planning Consultant
It’s hard to hear, but yours is probably not the long-prophesied company that will be able to gracefully and efficiently “wing it” when they are met with a security incident. It’s easy for some organizations to think of incidents as hypothetical eventualities and use that as justification for their ad-hoc or nonexistent IR planning.
In reality, the stakes are too high to risk wasting time and resources during an incident response. Undefined roles and responsibilities could mean duplicated effort or gaps in the response process. Incident response planning consultants help you identify those gaps and assign critical response functions to willing individuals before you come up against the clock.
There are many correct ways to create an IR plan, but someone with experience can help ensure you are maximizing the value of your plan. You could easily download an IR plan template from the internet, but it may be ill-suited to your organization and leave critical gaps. The benefits of working with a cybersecurity professional are that they focus on your specific needs while also applying their broader IR planning experience. An external perspective can also prevent the IR plan from becoming too heavily reliant on one person or department.
Step 2: Assess Your Current Risks
You can use secure processes and technical controls to limit your attack surface and mitigate the risk of data compromise. Unfortunately, attack methods are evolving more quickly than the security industry can defend against them.
- Is your organization susceptible to ransomware attacks?
- Is your company willing to pay any amount of a data ransom?
- How much are you willing to spend, and how will you access and deliver those funds?
These are big, complicated questions that must be considered well before the ransom letter is in your inbox. Understanding your company-specific risks will help you create a customized IR plan. It is crucial that your team has a reliable plan to quickly and effectively address security emergencies as they occur.
Risk assessments, vulnerability assessments, and penetration tests are all services that can reveal gaps in your organization's security. Each of those engagements produces a list of top risks and recommendations for securing data within a different scope of your organization. Whether or not you implement those recommendations, the results will help you understand the most likely routes to a compromise of your organization. These reports also serve as a record of investment in cybersecurity, which can be attractive to potential clients and investors.
Step 3: Identify your Incident Response Team
Imagine your company is a football team. You wouldn't wait until the game day to pick your players, assign positions, and come up with plays. In the same sense, you should find your key players, define their responsibilities, and develop run-books long before you are ever met with a security incident.
The first and most critical incident response plan steps involve getting the right people in the room. It seems simple enough to get all your power-players together, but problems can arise if roles are not explicitly assigned. Consider these questions when forming your incident response team.
- What happens when someone is unqualified for their role, shirks responsibility, or steps on someone else's toes?
- Who is authorized to communicate with the press?
- Would you want a catastrophizing, panicked IT manager giving a statement to the local paper?
- Would your security engineers want an executive breathing down their neck while they’re trying to analyze logs?
Assign roles to individuals equipped to handle them, define the exact responsibilities associated with those roles, and document relevant contact information in the IR plan. Working out these details ahead of time will help eliminate potential conflicts from the response process and reserve time and energy to focus on the security incident.
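As an added illustration, not ProCircular's material or any standard template, the checks described above can be turned into a small script that reviews a plan record: every required role has a name, phone number, and backup; no single person holds more than two roles; severity levels and run-books are defined; and the contact roster was reviewed within the last year. The plan structure, role names, and sample contacts are assumptions constructed for this example.

```python
from datetime import date, timedelta
# Roles the page says need a named, reachable contact in the plan (assumed set).
REQUIRED_ROLES = ("incident commander", "legal", "executive sponsor",
                  "public relations", "ir contractor")
REVIEW_INTERVAL = timedelta(days=365)   # contacts reviewed "at least annually"

def review_plan(plan: dict, today: date) -> list[str]:
    """Return findings for an IR plan record; an empty list means it passes."""
    findings = []
    roles = plan.get("roles", {})
    for role in REQUIRED_ROLES:
        entry = roles.get(role)
        if entry is None:
            findings.append(f"role not assigned: {role}")
            continue
        for field in ("name", "phone", "backup"):
            if not entry.get(field):
                findings.append(f"{role}: missing {field}")
    # Guard against the plan leaning on one person: flag anyone holding >2 roles.
    holders: dict[str, list[str]] = {}
    for role, entry in roles.items():
        if entry.get("name"):
            holders.setdefault(entry["name"], []).append(role)
    for name, held in holders.items():
        if len(held) > 2:
            findings.append(f"{name} holds {len(held)} roles: {', '.join(held)}")
    if not plan.get("severity_levels"):
        findings.append("no severity levels defined")
    if not plan.get("runbooks"):
        findings.append("no run-books defined")
    last = plan.get("last_reviewed")
    if last is None or today - last > REVIEW_INTERVAL:
        findings.append("contact roster not reviewed within the last year")
    return findings

# Constructed sample plan (hypothetical names/numbers); "ir contractor" is left out on purpose.
SAMPLE_PLAN = {
    "last_reviewed": date(2023, 1, 15),
    "severity_levels": ["SEV1", "SEV2", "SEV3"],
    "runbooks": ["ransomware", "lost-laptop"],
    "roles": {
        "incident commander": {"name": "A. Lee", "phone": "555-0100", "backup": "B. Cruz"},
        "legal": {"name": "C. Park", "phone": "555-0101", "backup": "D. Ruiz"},
        "executive sponsor": {"name": "A. Lee", "phone": "555-0100", "backup": ""},
        "public relations": {"name": "A. Lee", "phone": "555-0102", "backup": "E. Ng"},
    },
}

def sample_findings(today: date = date(2024, 6, 1)) -> list[str]:
    return review_plan(SAMPLE_PLAN, today)
```

Run against the sample plan, it reports the missing backup, the unassigned contractor role, the over-loaded individual, and the stale roster; a plan that passes returns an empty list.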
For additional support on your incident response team, engage ProCircular’s incident response and forensics services. Our team can quickly and skillfully assist with the situation and preserve forensic data for later analysis.
Step 4: Practice – Prepare and Train your Incident Response Team
President Dwight D. Eisenhower famously claimed that "plans are useless, but planning is indispensable." This concept rings as true in cybersecurity as it does in battle. It's okay to deviate from your IR plan to suit the situation at hand, but having a well-maintained plan as a base will give you a lot of the information you need to get started. Cybersecurity incident response plan maintenance should include reviews and rehearsals.
Cybersecurity Incident Response Tabletop Exercises
Tabletop exercises are simulated security incidents in which your team must appropriately escalate, communicate, and respond to the incident while a facilitator injects new information into the conversation. Tabletop exercises are great for developing muscle memory within key players and identifying functional gaps in your plan.
Suppose your IR plan uses a conference bridge to virtually connect key personnel during incident response. A tabletop exercise would require you to open that conference bridge to confirm it is an effective mode of communication. It would be devastating to learn that your communication method is unavailable while you are facing a breach!
At ProCircular, our goal is not to test the individual knowledge or skill of any one person but to test the efficacy of the incident response plan document. Our approach to risk management combines industry-leading knowledge with an empathetic bent to ensure your plan is sufficiently comprehensive and practical for your business needs. Imagine your IR plan is a 400-page document. Is that going to be convenient or useful in an emergency? Would your organization find more value in a condensed plan? A tabletop exercise provides you with all the lessons you would learn during a real incident, without the business cost of experiencing one.
Step 5: Continue to improve and evolve your plan
Once you have a functional incident response plan in place, it is imperative that you perform regular reviews to adapt your plan to changes in the corporate environment. A healthy IR plan is a living document. For example, after a tabletop exercise, the group conducts an after-action discussion to surface hiccups in the plan's execution and potential improvements. All successful IR plans include after-action meetings to discuss opportunities to streamline future response efforts. You might also update the plan to reflect changes in key personnel or updates to business practices, such as a new technology or the adoption of work-from-home arrangements.
ProCircular’s incident response tabletop planning and tabletop exercises are designed to benefit the people involved. If everyone at your tabletop exercise is an engineer, we may run a heavily technical “war room” incident simulation. Alternatively, a tabletop of executives may focus more heavily on the reputational side of incident response. We aim to make the tabletop as realistic as possible. When you actually dial the number to escalate an incident to executives, we minimize the emotional hump of making the call and maintain executive inclusion in and awareness of the IR plan.
Create an Incident Response Plan with ProCircular
Sometimes companies are reluctant to examine their incident response plan because they feel unprepared. Developing your IR plan doesn’t need to look like a full-day workshop. Distributing and practicing your IR plan are great ways to improve your incident response readiness without even editing the document. While an IR plan seems like a very serious and heavy document, it should be a flexible and dynamic tool that becomes stronger the more you work with it. The best time to work on your IR plan is when you are not in the middle of a security crisis. Maybe today is the day!
ProCircular’s compassionate approach makes incident response planning painless, maybe even fun! These are vulnerable times, so we approach these projects with respect, empathy, and a progressive goal to reach a positive outcome. To learn more about IR planning, contact ProCircular, or call 844-95-SECUR!