5 Steps to a Better Incident Response Plan
Incident response plans have never been more important, given the growth in cyber attacks. These steps will ensure yours is ready for action.
By John Bruce, Resilient
This is the decade of response. It's officially arrived. After decades of focusing on preventing and detecting cyberattacks, security leaders are finally treating how they respond to cyber threats with equal priority.
As the frequency, sophistication and volume of cyber threats continue to increase, organizations need the ability to respond to and mitigate them quickly. In fact, they can't afford not to. According to a recent study by IBM, the average consolidated cost of a data breach increased by 23 percent since 2013, costing businesses an average of $3.8 million per breach.
The good news is that effective incident response (IR) plans can minimize the impact of security incidents when they happen. IR plans require extensive documentation, testing and validation before they can be considered reliable, however. And they need to be continuously reviewed and updated to keep up with an organization's individual needs.
To create, assess and improve your incident response plan, follow these five steps:
Determine if There Really Is an Incident
An effective incident response plan should include clear guidelines for when and how a security incident is declared. Often, security incidents emerge as merely a set of disparate indicators.
Define the criteria for a major and minor incident type, and outline the required procedures to follow after each type of incident. Standardize severity level assessments across your entire organization, and include definitions of appropriate response times. By establishing a dispute resolution process, harmful communication conflicts can be avoided during security incidents.
Establish Incident Response Roles and Responsibilities
If you've concluded that an incident has occurred and follow-up is required, knowing who is responsible for each step of an incident response plan is critical.
Roles, responsibilities and authority levels for all response team members should be determined well in advance of an incident. The team should also continually have access to any supporting resources or materials they may need. Some incidents may require support from other departments, like legal, HR, communications or executive leadership. Make sure you've identified these departments and discussed your IR plan with them ahead of time.
Test and Improve the Incident Response Plan
One of the most important steps in maintaining an effective IR plan is taking a step back and evaluating how a security incident unfolded.
- Could the response team have done anything better?
- Was detection and analysis of the incident effective?
- Was the threat contained and eradicated in a timely manner?
- Was information successfully shared across the organization during the incident?
After considering these questions, you'll be able to better assess your response team's decision-making skills. You can also better evaluate if and how roles and responsibilities need to be adjusted to strengthen security. Make sure all departments -- not just the response team -- are involved in this post-incident evaluation process. Better coordination and understanding of incident management skills requires consensus across multiple departments.
Plan and Practice Internal Communications
It's critical to review and test your internal communication plan before a security incident occurs. Practicing the communication chain saves precious time when an event escalates. Time is of the essence, and communication networks tend to be the first resource to break down during security incidents.
Make sure every response team member has identified and contacted their alternate, as well as their counterpart in the business and information technology teams. Remember to keep communication records for any third-party vendors your organization works with, as well as their emergency contact procedures. Lastly, establish a protocol for identifying a crisis command center, if needed.
It's also important to consider the communication with the correct people outside your immediate organization in the event of a security incident. When should an event involve other departments? Then identify who those contacts are across the organization and how you will engage with them.
Also, assign someone within your organization to handle all media communications, and make sure your support team or help desk prepares an automated message to prevent its staff from becoming overwhelmed during an incident.
Understand Impact of Security Incidents
Given the number of high-profile data breaches and the growing threat of identity theft, consumers are especially sensitive about their personal data being put in danger. Organizations need to understand exactly what is at risk in any and all security incidents, and how that can have a negative impact on their business and reputation.
Even minor security incidents can cripple organizations when you consider the costs associated with data loss: tarnished brand reputation, customer abandonment, legal fees and cyber security repair. Estimate the costs of extended loss of business, and determine where the greatest impacts would be.
Cyberattacks are an unfortunate reality. As long as organizations have something valuable to protect, security incidents will be a part of doing business.
But cyber security incidents don't have to be disastrous; organizations can manage them, quickly return to normal operations and continue to thrive in the face of growing cyber threats. The key: Prepare and provision your incident response plan today, before an incident occurs.
John Bruce is CEO and co-founder of Resilient, an IBM company. He was previously chairman and CEO of Quickcomm, an Inc. 500 international company acquired by Vodafone; president and CEO of Authentica, a leader in file security and management acquired by EMC; and an original member of the executive team at Counterpane, a managed security services provider acquired by British Telecom. His formative years were spent with Symantec, where he held a number of executive leadership roles in Europe and the U.S.