
How Solid is Your Incident Response Plan?

With 79% of organizations spotting a cyber attack in the previous 12 months, and the severity of breaches increasing to the highest levels ever recorded, it's clear digital threats are a constant presence today’s businesses must deal with.

Unfortunately, only 42.7% of companies report having a cybersecurity incident response plan they test each year. And while some organizations simply may not regularly test their plans, a surprising 20% admit not having any response plan at all.

Considering the digital threats posed to today’s organizations, not preparing for the inevitable cyber event seems like an unnecessary business risk.

What is a cybersecurity incident response plan?

Whether an accidental compromise or malicious attack, when a cyber incident happens, reacting quickly and efficiently is the most effective way to reduce the potential impact. A formal incident response plan helps an organization prepare for and recover from a cyber event by detailing mitigation steps, communication protocols, and the roles and responsibilities of different team members.

Once created and approved by the organization’s senior leadership team, employees should be educated about the plan’s specifics. Regularly conducting tests, simulations and other exercises helps ensure everyone knows how to respond when a cyber incident occurs.

Why incident response planning is vital

Cyber incidents are often costly episodes. In addition to the financial losses, drops in productivity and unexpected downtime, a poorly handled cyber incident can result in legal, regulatory and reputational damages that can hurt organizations over the long term. While no cyber incident is good, a swift and effective response can help mitigate those damages.

Preparing an incident response plan means your organization has already thought through the policies, procedures, responsibilities and strategies needed in advance of any possible cyber event. It removes the guesswork that understandably occurs when an organization must figure out how to react in real time. By proactively thinking through the response and regularly testing the plan, you can streamline the process and reduce errors, recovery times and potential damages.

Effectively responding to a cyber incident requires fast, informed, decisive action. Detailing roles and responsibilities helps ensure steps are taken accurately and in the correct order.

Who should create an incident response plan

Establishing an incident response plan requires input and buy-in from all business units involved in reacting to a cyber event, including:

  • Executives who need to provide necessary leadership and resources — like their vocal support for the plan and regular testing.
  • IT and cybersecurity teams whose technical expertise in identifying and mitigating threats will be critical. They’ll also need to tackle remediation steps and analysis following the event to help avoid similar incidents in the future.
  • Legal and compliance professionals who will need to review and approve the plan to ensure it meets any legal or regulatory requirements the organization must follow.
  • Corporate communications and public relations teams who will manage both internal and external communications during the event, as well as any needed after it’s contained.
  • Human resources, which will handle any employee-related issues that arise from the event.

One senior leader should be appointed primary authority when responding to an incident. They will be responsible for coordinating efforts through an incident response team. Backup leaders should then be assigned in the event the primary is not available at the time of the incident.

The incident response (IR) team should be composed of staff members with the relevant skills and knowledge to tackle necessary response tasks, including IT/security, data owners and management.

What incident response plans cover

Providing clear, well-organized guidance to limit the financial and reputational impact of a cyber event is the primary characteristic of an incident response plan. It lays out the roles, responsibilities, escalation requirements and action steps to follow if an event occurs, as well as breach notification and communication guidelines.

Some of the components expected in a cybersecurity incident response plan include:

  • A technology audit showing the organization’s systems, networks and devices, assessments of its cyber hygiene practices, and detailed security measures. It’s important to regularly update this section to ensure the IR team is not working from an old list if an event occurs.
  • Team roles and responsibilities providing clear direction of who does what and the correct order of those actions during an incident. In addition to covering the technical response, it should include who’s responsible for communicating during the response and what escalation protocols should be followed.
  • Detection and analysis measures so threats are recognized quickly and future threats can be avoided.
  • Containment, eradication and recovery protocols to neutralize the threat, eliminate it and restore impacted systems so the organization can get back to business.
  • Breach notifications to any customers and vendors potentially affected by the incident, alerting them to the exposure, detailing recommended steps they should take to protect themselves, and providing links to any credit and identity monitoring services the organization may be providing in the wake of the exposure.
  • Crisis communications to share appropriate information about the incident with stakeholders, the media and public. You’ll also want to coordinate with your IT service provider, relevant industry regulators and, in some cases, law enforcement.
  • Post-incident review to document lessons learned in the wake of an incident, make necessary adjustments to reduce the risk of future incidents and conduct a thorough postmortem.

When to outsource incident response planning

While every organization needs a cybersecurity incident response plan, not all have the resources and expertise needed to create an effective one. In those situations, an organization’s leadership might consider retaining incident response services from seasoned professionals who have the expertise, experience and capabilities to better ensure a smooth recovery.

Such specialists can help the organization develop an appropriate incident response plan while standing ready to provide a rapid cyber attack response and thorough breach notification services so any impacted individuals are alerted to potential exposure.

More than that, the organization’s leadership will gain peace of mind knowing their preparedness puts a team of specialists on their side should the worst happen.

Reducing risks with incident response planning

Most businesses today rely on digital records and communications to operate. The risk posed by a potential cyber incident, whether accidental or malicious in nature, means having a game plan to streamline the response is mission critical.

To learn more about modern incident response and breach notification services, visit our online guide at transunion.com.
