By: Craig Badrick on February 24th, 2020

Print

Building an Incident Response Plan

incident bubblesAn incident response plan is the best way for an organization to mitigate damage and stay protected in the event of a successful cyber attack.

Nowadays, most organizations rely on a strong network to run the majority of daily business operations. But while the shift to a digital landscape has brought efficiency, productivity, and new opportunities, security concerns have also diversified. Relying on digital operations means your business is inherently exposed to a constantly growing number of cyber threats. 

With the annual cost of cyber crimes totaling $2 trillion in 2019 — and expected to grow to over $6 trillion by 2021 — it is more important than ever that businesses take proactive steps to reduce the potential impact of an attack. These steps go beyond simply investing in cybersecurity solutions that are designed to prevent an attack from occurring. Unfortunately, even with the best security solutions, there is still always a risk of attack. That’s why it is so important to have a sophisticated, strategic incident response plan in place for cyber attacks that do happen to slip through the cracks.

 

What Is an Incident Response Plan?

An incident response plan is a set of instructions that is designed to help IT staff detect, respond to, and recover from security incidents. When it comes to cybersecurity, the approach should always be to “hope for the best and plan for the worst.” Incident response plans are an integral element of those worst-case scenario preparations. 

Essentially, an incident response plan prepares a business for potential crises to come. The premise is that the plan should include a course of action for all significant incidents so that as soon as a threat emerges, you are prepared to take steps to stop, control, and contain the incident. 

While the specifics of incident response plans vary for every organization and for each threat outlined in the plan, there are some basic guidelines that can guide the general approach.

 

Building an Incident Response Plan

The more effort that is put into creating a robust incident response plan, the more useful that plan will be if disaster ever strikes. That not only means devoting sufficient time and energy when first developing the plan, but also testing it regularly and adjusting it to account for any weaknesses that may become apparent. 

The basic steps for building a plan are:

  1. Determine what’s at stake. Before you begin setting out specific instructions in an incident response plan, you should begin by conducting an audit of your assets and identify a quantifiable value for each. This helps you prioritize which assets require additional security and which systems might cause further problems if they are attacked. 
  2. Evaluate your risk potential. This is the stage that you want to dedicate as much time and thought as possible to understand which areas of your organization might need extra attention. To determine your risk potential, you need to take a hard look at the possible vulnerabilities your organization might be dealing with and the challenges you might be facing. 
  3. Start creating a plan of action. Action plans, sometimes called play books, are the core element of the incident response plan. Your plan should include all of the steps that the incident response team needs to follow in order to handle the incident. The action plan should lay out the guidelines for dealing with the incident in six distinct stages, each of which is briefly described below. 

    • Preparation: Review and codify the security policy underlying your incident response plan.
    • Identification: Detect deviations from normal operations in systems within your business and determine if those deviations represent actual security incidents. 
    • Containment: Determine strategies for both short-term and long-term containment of the incident to prevent it from causing further damage. 
    • Eradication: Identify and address the root cause of the attack to prevent similar future incidents.
    • Recovery: Carefully bring impacted systems back online and return to operations. 
    • Post-incident handling: Make sure you have documented all the relevant information related to the incident. Perform a further investigation of the incident — including how you dealt with it — so that you can see where the response team was effective and where it needs to improve.
       
  4. Create an incident response team. These are the people who will lead the charge against any incident that occurs. A standard team should include: an incident response manager, security analysts, threat researchers, an IT director, and a documentation leader. 
  5. Train your employees. An incident response plan is only useful if your employees know how to use it. Train your employees regularly so that they are prepared to implement the plan if disaster strikes. 

A Partner in Planning

Clearly, it is important for businesses to engage in thorough IT planning so that they are prepared to tackle any cybersecurity incident that may occur. That planning requires the devotion of substantial time and effort, as well as an intimate understanding of your entire IT environment and cybersecurity landscape. 

If you have a small business or just want to create an incident response plan alongside a trusted IT partner, joining forces with a managed service provider can be a great option. The cybersecurity experts at Turn-key Technologies, Inc. (TTI) are ready to guide you through and ensure you have an appropriate plan in place for any incidents. Get in touch today to set up a free consultation.