Incident Response Plan
Chuck's Cyber Wall
An Incident Response Plan is often viewed as a box to be checked, but that’s a mistake.
A segment of business owners don’t realize that dealing with the breach itself is only part of the cost of a cyberattack, and they are surprised by the related mitigation costs. Almost without fail, those who fall into that segment have not actually implemented an Incident Response Plan. That’s because there’s more to an Incident Response Plan than just drafting a policy.
In a study of 8,100 cyber insurance claims from 2021, we discovered that the average number of claims for small businesses doubled, with average payouts exceeding $350,000, which doesn’t include the cost of ransom payments. As a result, insurance carriers require companies to improve their cybersecurity controls before providing coverage. And before paying out, insurance companies investigate to confirm that the required controls were in place at the time of the breach.
Unsurprisingly, cyber insurance claims are now being denied, leaving business owners responsible for all associated costs. And we haven’t even mentioned fines under regulatory frameworks such as HIPAA, PCI, and CJIS.
Incident Response Plan Requirements
Let’s start with a basic definition. An Incident Response Plan is a documented set of procedures used to identify, eliminate, and recover from a cybersecurity threat. The point of the plan is to enable a quick and consistent response to an attack, minimizing the potential loss of data, resources, and customer trust.
The Six Steps of Incident Response
1. Preparation. In this discovery phase, a Risk Assessment is performed to identify security issues, and we begin to document the roles, responsibilities, and processes needed for the plan.
2. Identification. Assembling a response team is vital. When a potential breach is identified, the response team gathers evidence, determines the type and severity of the incident, and documents everything. All members of the team should be named with accompanying roles.
3. Containment. After a security incident is identified, these are the processes required to contain the incident and prevent further damage.
4. Eradication. Once the incident is contained, it is necessary to locate the root cause, remove the threat, and determine when to restore normal operations. All information must be thoroughly documented.
5. Recovery. This step includes specific monitoring processes for bringing systems back online and testing to ensure the threats are eradicated.
6. Lessons Learned. In the final step, documentation of the incident is completed, and areas of improvement are recorded along with a plan to improve security.
Response is Key
The response to a breach should not be a scramble. An Incident Response Plan is part of improving cybersecurity controls, not a separate box that must be checked. The plan includes building a response team in which each member has specific tasks in the event of a breach.
Team member names, roles, and responsibilities are recorded in the Incident Response Plan, along with all relevant contact information for those inside and outside the organization. This takes away the “what do we do” moment in the face of a cyberattack and allows for a quicker response. And when it comes down to it, mitigating a breach depends on the efficiency and speed of the response.
Of course, the size of this team varies by the size of the organization.
Testing the Plan
Every regulatory body requires testing, whether through audit procedures, emergency mode operations, or recovery drills. Incident Response is no different. Because so much depends on the response, insurance companies want to know that the staff knows how to respond if your organization gets breached.
So here’s the first part of the test – your computer locks with a ransomware message. What do you do?
Director of Cybersecurity and Marketing
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small businesses, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com