Cybersecurity breaches are becoming more and more prevalent. In fact, it’s been estimated that there were almost 5 billion records breached in 2018. Many organizations spend thousands of dollars on security breach prevention tools, but won’t take the time to create a formal process of identifying, responding to, and communicating an incident.
When it comes to incident response planning, there are three terms to keep in mind: security event, security incident, and breach.
- A security event is an observable occurrence related to a system or network. This is considered suspicious and abnormal activity.
- A security incident is an event that causes adverse consequences, is a violation of security policies and procedures, or is an event that compromises the integrity, confidentiality, and/or availability of information assets.
- A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual who is not authorized to do so. Alternate definitions of a data breach also include the unintentional or inadvertent disclosure of data to parties who have not been authorized to access it.
So why is building and testing a formal incident response (IR) plan so important?
When an event turns into an incident, and an incident appears to be heading towards a breach, you don’t want to have to “wing it”. Timing is also critical: once a breach is confirmed, legal reporting timelines come into effect. If those timelines are not met, the result can be a financial penalty, reputation damage, or legal ramifications. Finally, when a breach occurs there is usually an internal finger being pointed, and you don’t want to be the person who has to say “I wasn’t prepared”, which could potentially result in termination due to negligence.
The following questions should be asked prior to building an IR plan:
- Who needs to be involved with the IR process?
- What type of testing needs to be done?
- Who needs to be part of the communications?
There are many questions about which steps should be taken and which best practices to follow when it comes to incident response. Below are our recommendations:
1. Preparation (Planning)
- It’s important to create both a checklist and a realistic plan that assigns roles to those involved.
- Be sure critical contacts (lawyers, insurance agent, etc.) are documented so that you know exactly who to reach out to.
- Create and APPROVE a scripted breach response. This saves time if a breach occurs.
2. Identification (Review & Coordination)
- Define what you consider an incident.
- Define how an incident gets identified, prioritized, and communicated.
- Determine who needs to be involved and at what time.
3. Containment (Damage Control)
- Contact your legal team to determine if you're facing an incident or a breach.
- Prioritize what to tackle first and make sure the appropriate people have been looped in.
- Minimize damage and isolate affected machines if possible.
- Know the limits of the run book.
4. Eradication (Investigation)
- Know your limits for doing digital forensics.
- If this is a confirmed breach, do you know what you'll say in court?
- Experience, certifications, and documentation are all important things to consider. Be sure to reach out to experts if you need to.
- Work with your local cybersecurity team to get the systems back to “normal”.
5. Lessons Learned (Education)
- Create an incident report.
- Document everything that happened from beginning to end.
- Share the experience with your IT team and top management.
A solid incident response plan probably won’t be perfect from the beginning, which is why you should be doing tabletop exercises throughout the year to iron out any rough patches. Not having a mature security program is no reason to put off implementing an IR plan; in fact, that would be a primary reason why you should get your IR plan set up.
It’s important to note that having an incident response plan is a mandatory component of most compliance requirements. Even more importantly, having a plan in place can help you reduce your response time when addressing a negative event. It’s also a fantastic way to highlight your security program to your executives and to prepare your team for attacks on your business.
Ready to build out your incident response plan?