Creating an incident response plan (IRP) is a critical component of a robust cybersecurity strategy. An IRP outlines the steps an organization will take in the event of a security incident to minimize damage, reduce recovery time, and maintain business continuity. Learning how to create an incident response plan, and understanding its importance to your business, can drastically improve the outcome should a security event occur.
Benefits of an Incident Response Plan
Despite increasing cybersecurity risks and the significant benefits an IRP can provide, most businesses have yet to document their process and implement the best practices needed to investigate and respond to a cybersecurity event:
- Only 45% of companies have an Incident Response plan in place.
- Only 22% of companies have an air-gapped backup solution.
- 65% of organizations do not log at all or they store logs for less than 30 days.
In addition to leveraging IT security services, having an effective and well-documented Incident Response Plan helps businesses in the following ways.
Reduced Impact and Downtime
A well-prepared IRP can significantly reduce the impact of a security incident, minimizing downtime and financial losses. Having a documented and executable plan with named roles, team members, and their associated responsibilities also reduces panic and provides a clear path forward during stressful times such as a data breach, ransomware attack, or other security event.
Protection of Reputation
An effective response to an incident helps maintain customer trust and confidence in the organization’s ability to handle sensitive information. “On average, companies experiencing a significant data breach incident underperform the NASDAQ by 8.6% after one year, and this gap can widen to 11.9% after two years.” Source: The Devastating Business Impacts of a Cyber Breach (hbr.org)
Compliance and Legal Requirements
Demonstrating a well-defined IRP can help the organization meet legal and regulatory obligations for incident reporting and data breach notifications, which must be issued within a set number of days depending on where the business is located.
Prevention of Recurrence
Thorough documentation and analysis of incidents enable the organization to identify root causes and implement measures to prevent similar incidents in the future.
Enhanced Security Posture
Having a well-prepared IRP demonstrates a commitment to cybersecurity, which can be reassuring to partners, customers, prospective clients, and stakeholders.
In today’s landscape, businesses that demonstrate a strong commitment to cybersecurity are often preferred partners for other organizations.
Creating a Cyber Incident Response Plan Step-by-Step
Here is a step-by-step guide on how to create an effective cyber incident response plan.
Establish a Cross-Functional Incident Response Team
Form a team that includes representatives from IT, security, legal, communications, and relevant business units. This team will be responsible for developing, implementing, and executing the IRP as well as testing and updating the plan when there are changes to the organization and technology environment.
Assign Roles and Responsibilities
Define specific roles and responsibilities for each team member. Clearly outline who on the incident response team is responsible for specific tasks during preparation, detection and reporting of an incident, communication with relevant stakeholders, and post-incident analysis.
Examples of commonly defined roles include:
- Incident Response Lead
- IT Leader
- Communication Officer
- HR/Legal Head
Depending on how comprehensive your IRP is, you can develop a RACI chart that includes each step and which role is responsible for each.
Define Objectives and Scope
Clearly state the objectives of the IRP, such as identifying, containing, eradicating, recovering, and documenting security incidents. Describe the level of detail required for each objective to define the scope of incidents the plan covers.
With your team and roles established, you can launch into discovering whether a breach or incident has occurred, its point of entry, and its extent.
Questions your team can ask to build a clearer picture:
- When did the breach occur?
- How was it identified?
- Who discovered it and who has been affected?
Containment and Eradication
Containment and eradication of cyber threats require involvement from technical teams and partners to determine the extent of changes required, including disconnecting affected devices, changing administrative access, scanning the environment for unexplained changes and access requests, and updating and patching systems.
Questions to ask:
- Has any malicious activity or files been discovered?
- How up to date are backup systems, and can you reliably cut over to them?
- Have backups been compromised?
- Are recent patches and updates in place?
Recovery and Documentation
It is important to detail the process for recovery from the variety of cyber threats that can impact the business. To reduce downtime, there should be straightforward documentation to follow in order to get systems back online, reconnect users, and limit the impact on operations.
Questions to ask:
- How long will systems be down?
- What is required to get them back online?
- Can the IT environment be restored from a trusted backup?
- What kind of deep scans can be run to ensure the legitimacy of all accounts, data, and systems?
Incident Classification and Incident Response Playbooks
Identify potential security incidents and classify them based on severity, impact, and likelihood. This helps prioritize responses. To give a better understanding of how this can play out, it can help to establish various scenarios with their associated incident response playbook, key considerations and when to invoke the IRP. Gartner recommends developing detailed incident response playbooks and guides for handling specific incident scenarios.
For example, scenarios could include:
Severe – A ransomware attack, where the business did not have air-gapped backups and the backup data has become compromised, locking all users out of the system. The organization must decide whether to pay the ransom or find alternative routes.
Medium – One instance of a clear attempt to obtain unauthorized information or access (e.g., an attempted download of secure password files, attempt to access restricted areas, etc.).
Low – One instance of potentially unfriendly activity (e.g., port scan, malware detection, unexpected performance peak, or a similar warning sign that should be investigated more thoroughly).
Incident Detection and Reporting
Define how incidents will be detected and explored in more detail. This could involve using intrusion detection systems, firewall logs, security information and event management (SIEM) tools, external partners, or employee reporting mechanisms. Establish a clear reporting process. Determine if your current security measures and monitoring tools are sufficient and document how they are to be accessed should your team need to review logs, network activity, and delve deeper into potential breaches or security events.
Cyber Incident Response Procedures
Detail step-by-step procedures for how to respond to distinct types of incidents. This includes actions to take during identification, containment, eradication, recovery, and lessons learned phases per the types of threats you may face. Each classification and severity of threats warrants a varying degree of response with associated tasks.
Develop a Response Process Map:
Gartner outlines steps to take after an incident has occurred such as:
- Register incident
- Conduct initial triage
- Assign classification
- Assign severity
- Determine next steps based on severity
- Resolve using usual process (as outlined in your scenarios)
- Mobilize CSIR (Cyber Security Incident Response) team
Develop a response process flow chart for each major scenario. Here is Gartner’s example for a ransomware incident response playbook from their report: 3 Must-Haves in Your Cybersecurity Incident Response | Gartner
Establish a communication strategy for notifying relevant stakeholders, including internal teams, executive management, legal, public relations, and regulatory bodies (if required).
Key communication points should include notifying customers and authorities in case of a data breach of the level and extent of data compromised and what steps they can take to further protect themselves from the security event. If you are in Canada, under PIPEDA, organizations must report the following to impacted individuals:
- a description of the circumstances of the breach;
- the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach to the extent that the information is known;
- a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- contact information that the affected individual can use to obtain further information about the breach.
Check what requirements are specific to your region when reporting breaches and security incidents to customers, organizations, and regulatory bodies.
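As an added illustration (constructed for this article, not code from the author, Gartner, or any regulator), the Python sketch below walks an incident through the process map above (register, triage, classify, assign severity, choose next step) using the Severe/Medium/Low tiers described earlier, and checks a draft notification against the six PIPEDA content items just listed. The incident fields, the severity thresholds, and the rule that only a Severe incident mobilizes the CSIR team are assumptions for the example.

```python
from dataclasses import dataclass, field

# The six content items PIPEDA requires in a notification to affected
# individuals, as listed in the article (key names are constructed here).
PIPEDA_REQUIRED = (
    "circumstances",                   # description of the circumstances
    "when_occurred",                   # day/period, or approximate period
    "personal_info_affected",          # personal information involved
    "org_risk_reduction_steps",        # what the organization has done
    "individual_risk_reduction_steps", # what individuals can do
    "contact",                         # where to obtain further information
)


@dataclass
class Incident:
    summary: str
    ransomware: bool = False                # systems encrypted by an attacker
    backups_compromised: bool = False       # no usable/air-gapped copy remains
    unauthorized_access_attempt: bool = False
    personal_info_involved: bool = False
    register: list = field(default_factory=list)  # incident log entries


def assign_severity(inc: Incident) -> str:
    """Map observed facts onto the article's Severe / Medium / Low tiers."""
    if inc.ransomware and inc.backups_compromised:
        return "Severe"   # article: ransomware with compromised backups
    if inc.unauthorized_access_attempt or inc.ransomware:
        return "Medium"   # assumption: ransomware with intact backups is at least Medium
    return "Low"          # e.g. port scan, single malware detection


def triage(inc: Incident) -> dict:
    """Register the incident, assign severity and decide the next step."""
    severity = assign_severity(inc)
    inc.register.append(f"registered: {inc.summary}")
    inc.register.append(f"severity: {severity}")
    # Assumption: Severe invokes the full IRP; everything else is resolved
    # through the usual process defined in the scenario playbooks.
    next_step = "mobilize CSIR team" if severity == "Severe" else "resolve via usual process"
    inc.register.append(f"next step: {next_step}")
    return {"severity": severity, "next_step": next_step,
            "notification_required": inc.personal_info_involved}


def missing_notification_items(notification: dict) -> list:
    """Return the PIPEDA content items that are absent or empty in a draft."""
    return [item for item in PIPEDA_REQUIRED if not notification.get(item)]
```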
Legal and Regulatory Considerations
Address legal and compliance requirements, including data breach notification laws, and outline how the organization will adhere to them. This is crucial when conducting your initial investigation and developing a report of how the breach occurred, how it was detected, and what your organization has done to contain and eradicate the threats as well as recommendations provided to any impacted parties.
Documentation and Reporting
Emphasize the importance of thorough documentation of the incident, including timelines, actions taken, evidence collected, and lessons learned. This documentation will be crucial for post-incident analysis and potential legal requirements.
Your team can facilitate this information-gathering by creating frameworks in various playbooks based on the threat classification and severity for what details should be collected at each stage of your incident response.
Training and Testing
Provide regular training for employees on how to recognize and report security incidents. Conduct simulated incident response exercises (tabletop exercises) to ensure the team is familiar with the IRP and can respond effectively. Run through your detailed playbooks for different scenarios your team may encounter (examples: ransomware attack, data breach, compromised email accounts, etc.).
This is a great chance to see what works well from your documented incident response plan without putting company assets at risk. Incorporate lessons learned from these tabletop exercises into your cyber security incident response plan.
Continuous Improvement in Incident Response
Review and update the IRP regularly to incorporate lessons learned from past incidents and to adapt to evolving threats and technologies. Look for improvements that can be made at each stage of your cyber incident response. Consider changes that can improve the technical investigation, containment and eradication, workflow, communication, and documentation.
Final Thoughts on Incident Response in Cyber Security
In summary, creating an incident response plan is a crucial component of any cybersecurity strategy. Incident Response helps an organization effectively respond to security incidents, safeguard its reputation, meet legal obligations, and continuously improve its security posture.
If you are looking for assistance in developing or updating an incident response plan, contact us for a consultation and recommendations specific to your business.
For businesses interested in other ways to bolster cyber security posture and safeguard operations, we can provide expert guidance in the following areas: