Developing an Effective Cyber Incident Response Plan
June 7, 2023
The issue isn’t whether you need a cybersecurity incident response plan, but when you’ll need it. From phishing to ransomware to DDoS attacks, companies of all sizes and types without a clear cyberattack response plan may suddenly find themselves unable to continue operating their businesses, and won’t know how to start recovering.
What Is a Cyber Incident Response Plan?
Cyber Incident Response Plan Definition
A cybersecurity incident response plan spells out the specific steps an organization will take when a cybersecurity incident has occurred. An effective security incident response plan details how a cybersecurity incident is detected and how it should be classified. It should include guidelines and procedures, including the criteria for determining the severity and impact of the incident, and the resources that will be used to respond.
Cyber Incident Response Plan Purpose
Incident response planning seeks to identify, contain and mitigate the effects of a cyberattack, allowing the organization to restore normal operations as quickly as possible. A well-structured IT incident response plan:
- includes information on roles and responsibilities, communication protocols and reporting requirements for key stakeholders, such as IT staff, security personnel, executives and external parties;
- describes procedures for assembling and activating a cross-functional cyber incident response team, steps for containment and eradication of the threat, and strategies for limiting the spread and potential damage;
- details how the organization will communicate with stakeholders such as customers, partners, regulators and law enforcement;
- specifies how evidence will be gathered for investigation; and
- spells out the steps for restoring normal operations.
Elements of a Cybersecurity Incident Response Plan
Your cybersecurity incident response plan should be a comprehensive, well-coordinated strategy for responding to any kind of potential cyber threat.
Plan Before You Need It
When your company has suffered a cyberattack, you don’t have time to stop and figure out your best response. That’s why it’s important to develop a plan in advance and test it against a variety of potential scenarios.
Common Incident Response Plan Frameworks
The two most commonly used incident response frameworks are named for the organizations that developed them.
The NIST incident response framework was developed by the U.S. government’s National Institute of Standards and Technology and has become one of the world’s most widely used approaches to cybersecurity incidents. It’s built around four steps:
- Preparation
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activity
A private organization, SysAdmin, Audit, Network, and Security (SANS), developed its own framework that emphasizes the security components of an incident response plan. It uses six primary steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
Plan Elements, Steps and Content
The key difference between the NIST and SANS frameworks is how they group containment, eradication and recovery: NIST treats them as a single phase, while SANS breaks them into separate steps. However, whether your organization opts for the NIST or SANS framework, the activities you’ll include in your plan will be very similar. Your plan should address the steps that follow.
Identify and Assess
The first step in developing a cybersecurity incident response plan is assessing the risks the organization faces, determining what it is you need to protect, and establishing controls and other precautions to address each of those risks. For example, some of the problems your organization might face could include data breaches (whether small or large), a cyberattack such as ransomware finding its way into your network or even an extended power outage at one of your facilities.
Once you have identified each of the potential risks and assessed the problems that could occur, it’s time to determine what needs to be done, which employees or outside resources will be responsible for addressing it, and how it will be communicated. All of this and more should be documented so it’s readily available when the worst happens.
As soon as the response team becomes aware of a cybersecurity issue, immediate attention should be devoted to containing the damage (and the potential for more damage). Depending on the nature of the threat and the architecture of your systems, this may include everything from isolating specific systems from your network to shutting systems down or blocking access to key data sets. The process for containment should be spelled out clearly, because the best way to preserve data and the remaining systems is to act in a careful, well-planned series of steps, documenting everything that has been done and who handled it to ensure nothing is missed.
Next, the team will focus on eradicating the problem and restoring the health of the overall system. With malware, that may just be a matter of removing the offending code, but with something like a ransomware attack, eradication may begin by protecting non-infected elements so they remain available to restore normal operations. Another part of the eradication process is taking steps to head off a resumption of threats, such as making sure all software patches have been properly applied.
Once the threat has been identified and eradicated, the team will begin the process of restoring the affected elements and the entire system. This typically requires a step-by-step process that should be carefully documented, including testing and validation at each step. Communication also becomes important, so employees understand which parts of the system (or whether the entire system) are unavailable and how long it will take to return to normal operations.
Learn and Improve
Even after the incident has ended, the team’s work isn’t done. Now it’s time to study what was learned during the attack and recovery and incorporate it into the response plan. That way, the organization is better prepared for the next time a cyberattack occurs. Although everyone may be ready to move on, it’s important to go through this review while the attack and the steps taken are fresh in everyone’s minds.
Cyber Incident Response Team
Central to your organization’s security incident response procedure is establishing a cyber incident response team charged with:
- developing and testing your incident response plan,
- managing communications through every stage of the incident,
- providing remediation strategies to resolve the threat,
- investigating incidents to prevent future recurrences, and
- identifying changes to technology, training, policy and governance.
Creating Your Cyber Incident Response Team
When assembling an incident response team for your cyber incident response planning, making sure everyone understands their role is critical. So is practicing the cyber incident response steps regularly so that everyone is prepared for the real thing.
Internal Cyber Incident Response Team Members
Your incident response team should not be limited to the company’s IT department. Effective incident response plans incorporate key individuals in a variety of roles. At the very least, your team should include:
- a top executive who can approve budgets and plans,
- a project manager to oversee the process,
- someone whose role it is to track and record every decision and action (this information will help when you file a claim and enhance your future planning),
- someone focused on risk management,
- representatives from your internal legal team, and
- someone with responsibility for security.
While it’s important to have a broad-based team so key decision-makers know what’s happening, you shouldn’t share information with employees who are not part of the response team. Sensitive details might otherwise be leaked, leading to financial losses and damage to your reputation. Don’t share information with a wide audience until you consult with your legal counsel.
External Cyber Incident Response Team Members
Besides the employees on your team, you’ll also want to include trusted outside advisors such as the following:
- Breach coach
- Legal/breach counsel
- Forensic IT consultants
- Forensic accountants
- Media/PR advisors
- Call center
- Insurance carrier
Create and Activate Your Cyber Incident Response Plan in a Secure Environment
One of the biggest mistakes organizations make when identifying cybersecurity incident response steps is planning for and maintaining their plans within the very infrastructure that may be compromised. When one company faced a ransomware threat, the response team conducted discussions over the company’s own messaging technology. That meant the cybercriminal was able to monitor everything that was discussed, making attempts at negotiations pointless.
It's much better to house everything related to your incident response strategy off-network and even offsite. Setting up a “war room” and communications that are secure and physically separate from your network will allow everyone to collaborate on the security incident response process more efficiently and without compromising sensitive information.
Test and Refresh Your Cyber Incident Response Plan Regularly
You also need to test your plan regularly. If you don’t, how will you know it’s going to work? It’s like a football team drawing up what looks like a great play but never practicing it before the big game starts. When you don’t test your plan, you don’t know where the weaknesses are.
If your company hasn’t reviewed and tested its incident response plan in the last few months, start immediately. One particularly effective element of a cybersecurity response plan is what’s known as a tabletop exercise. Tabletop exercises involve bringing together everyone who needs to play a role in your cybersecurity response plan, introducing various incident scenarios, and then going through the necessary responses step by step. The simulated response will help you identify gaps in your data breach response plan and ensure everyone knows what to do when the real thing happens.
Make sure you don’t limit those exercises to your IT staff, either. A cyber incident may affect every department, from the sales team who will need to explain to customers what’s happened, to legal counsel, to production, to HR and PR.
When the Worst Happens
When your organization faces a real cybersecurity incident, you need to follow the instructions of the professionals on your cybersecurity incident response team and any outside experts who support them. Ideally, your incident response plan will have been tested frequently and your team will be ready to implement it immediately. You’ll also want to be sure your incident response process steps include the following:
- Contact your carrier(s) and insurance broker as soon as a cyber event is discovered.
- Maintain an activity log of the decisions your organization makes, who makes them, the basis on which they were made and the resulting activities.
- Communicate outside your regular channels, on the assumption that the attacker is still present and may be monitoring them.
- Take immediate steps to mitigate losses.
- Contact and follow the advice of your breach counsel.
- Document all expenses and costs related to business operations, such as downtime, outsourced work, salaries and missed contract deadlines.
- Keep key stakeholders informed (again, that doesn’t mean sharing all the details with every employee or stakeholder).
Afterward, debrief everyone involved to improve your cyber incident response plan template.
While it’s important to act quickly, it’s also important to act purposefully. During the security incident response process, you should avoid some actions. For example:
- Don’t delay telling your insurer about the attack.
- Don’t engage directly with the threat actor.
- Don’t reset your network or wipe it clean immediately, which may eliminate useful evidence.
- Don’t share information with employees beyond the cyber incident response team.
- Don’t publicly release information without consulting legal counsel and your PR team.
- Don’t assume your employees are best equipped to repair damage, because your insurer may require the use of outside experts.
Preparation Is the Key to Your Cybersecurity Incident Response Policy
Incident response best practices always begin with preparation. Creating an incident response plan and conducting regular practices will ensure you’re as ready as possible when a real cybersecurity incident occurs. It’s also important to make sure you have the right cyber insurance coverage.
Insurers value thoughtfully prepared and tested cyber incident response plans because that demonstrates you understand the risks and are taking steps to mitigate them. Hylant can help your organization strengthen its cybersecurity risk profile and secure cyber coverage tailored to its needs.