Why You Need a Cybersecurity Incident Response Plan (And How to Create One)

“By failing to prepare, you are preparing to fail.” 

This simple wisdom from Ben Franklin is as valuable today as it was in the 18th century. Applied to today's cybersecurity industry, heeding it can mean the difference between a successful breach response and a devastating loss of customer data and reputation.

Why Do You Need an Incident Response Plan?

The fact is, you won't know when an attack on your information is coming – but it's only a matter of time before it does. Every connected system is probed and attacked on the Internet every day. As hackers employ more advanced tactics, tools, and technologies, we have entered an era where organizations need to assume a breach at all times: the era of “continuous compromise.” The recent massive attack on Equifax, which exposed the personal and financial details of 143 million people, is yet another example showing that there is no impenetrable digital wall. Security professionals can put in as many preventative measures as possible, but we should not rely solely on them for protection. It's imperative that organizations take proactive security measures by having an incident response plan and tested procedures in place before attacks happen, rather than scrambling to respond on the fly.

As evidence of this, in a recent survey administered by Guidance Software, twice as many companies reported plans to build formal security and incident management teams within the next year as compared to last year. In another study, more than a quarter of security professionals indicated that endpoint detection and response (EDR) solutions were one of the most important security controls in their arsenal. EDR tools are quickly gaining in popularity and use due to organizations preparing for the inevitable breach.

How Does an Organization Build an Incident Response Plan?

The first step in creating an IR plan is to understand your data and how it is protected. Also, depending on where your business is located, different laws and regulations may apply to how you need to handle this sensitive information. For example, the European Union is currently in the process of rolling out the General Data Protection Regulation (GDPR). Any company that operates within the EU and holds data on EU citizens, even if they are technically headquartered outside of the region, must adhere to these strict guidelines. By using data maps to track the location and storage of your most valuable information, such as proprietary data and sensitive customer information, you are prepared to move onto the next step.

Evaluate and Update Your Data Security Policies

You may already have data security policies, but is it time for an update? Policies need to change and evolve over time to maintain industry standards and reflect data mapping. And merely having guidelines isn't enough. You need to educate stakeholders about the protocols, as well as monitor and enforce them.

Here are several policies that should be at the top of your company's security list:

  • Vendor access and storage
  • Remote access
  • Internet and electronic communications
  • Social media standards
  • Passwords
  • Mobile devices
  • Guest access
  • Network device attachment

Once these policies have been reviewed and updated if necessary, you can get into planning how to respond to an attack.

Plan Your Data Breach Response

Fully plan your response to a data breach, beginning with identifying your internal response team and external response partners. The latter is especially important: the middle of a breach is not the time to argue over indemnification clauses. The key stakeholders should know the plan and be ready to execute it with a step-by-step checklist. It's a good idea to practice the plan in a tabletop exercise to judge response time and effectiveness. Establish a clear understanding of what must happen in the first 24 hours, the first 48 hours, and the days after.

When you've built a strong plan, you can respond quickly when the Zero Hour strikes. You should be able to open your plan, see who you need to call, and know who has already signed a Terms of Agreement so that everyone can proceed immediately. We suggest these experts be on call in the event of an emergency:

  • Key IT administrators
  • Law enforcement contacts
  • Security experts
  • Digital forensics experts
  • External privacy counsel
  • Communications/public relations/notification support

Test The Process and Look for Weaknesses

Now that a response plan has been outlined and detailed, you need to test it to make sure it works. Teachers and coaches didn't say “practice makes perfect” for their own benefit – it's actually true, and essential to having a comprehensive and trustworthy plan. Run a mock hack to see how your team executes; this can highlight weaknesses in your response. Penetration tests, commonly known as “pen tests,” can be run with automated software or conducted manually. They help you gather information on how attackers could break into your systems, show you whether any gaps exist in your plan, and allow you to adjust accordingly.

Address Your Information Security Disclosures

Understand what you are telling external stakeholders about how you will take care of their data, and make sure your representations are up to date and accurate. Don't over-promise: assurances that overstate the level of data protection your clients actually have from your organization can do more harm than good in the long run. As security challenges evolve, how you respond must evolve as well, and your public representations should be reviewed to keep pace.

As cyber attacks increase in volume and complexity by the day, it's essential that you know how you will respond in a crisis. By following these steps and procedures, your organization can be well prepared to protect itself in the event of a hack or breach.