Panel Wrap Up: Building and Managing an Effective Incident Response Process

When it comes to cybersecurity, it is not a question of if there will be an attack but of when. An incident response plan is a vital part of successful business operations because it reduces risk and limits the damage an attack can do. In this panel recording by Dark Reading, you will hear from experts in the field of cybersecurity, including our own CEO, Kevin O'Brien, on how your organization can create an incident response plan that works.

How to create and manage an effective incident response plan, in a nutshell:

  • Assess and Prepare
  • Define Clear Criteria
  • Know Your Assets
  • Build Your Plan
  • Inform Your Team and Practice


Assess and Prepare

Before creating an incident response plan, it is imperative to identify the known current and potential threats to your organization. You cannot see every threat up front, because cybercriminals continually evolve their tactics, techniques, and procedures (TTPs). However, the more areas of risk you can identify, the more targeted your incident response plan can be. Do not complete the assessment alone. Gathering input from your stakeholders is a critical step, as no single person has the full knowledge needed to create a comprehensive plan.

Define Clear Criteria

Every business's risk tolerance is different, so there is no universal threshold at which an incident response plan should be activated. You and your team need to determine your own risk tolerance with all legal and other implications in mind. Once you have decided this, you can set clear, specific criteria for when to activate the plan, and communicate those criteria to everyone involved.

Know Your Assets

Taking an asset inventory can mean the difference between success and failure. The inventory should cover more than systems and data. For example, knowing in advance what your business insurance does and does not cover in the event of a breach helps you respond to and recover from an attack more quickly.

You should know what assets you have and where to find them in the middle of a crisis. This information on critical assets should come from all stakeholders, both IT and non-IT departments, such as your legal department, your vendors, and your finance department.

Build Your Plan

After gathering this information, it is time to start building your plan. Your plan should:

  1. State at what point it is put into motion.
  2. List quick response steps that minimize damage and reduce the time to detect and respond while the rest of the plan is being activated.
  3. Clearly define roles and responsibilities so that everyone knows what they should do.
  4. State where responders can find any resources they may need.
  5. List the tools you will need to begin using during an attack. For example, you should have several communication channels that do not depend on the compromised systems.

You might not have every piece of necessary information at this stage. Instead of putting the plan off until you do, start with a generic incident response plan and build on it as you go.
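Item 2 above asks the plan to reduce the time to detect and to respond, which only works if you actually measure those times. The following is an added example, not code from the panel or from any vendor's product: it computes mean time to detect (MTTD) and mean time to respond (MTTR) per incident category from a constructed set of incident records, excludes still-open incidents from MTTR, rejects records whose timestamps are out of order, and flags incidents that missed a detection target. The record layout, field names, and the choice to measure MTTR from detection to closure are assumptions made for this example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records for this example (not data from the panel).
# occurred = when attacker activity began (established during investigation),
# detected = when the first alert was raised, resolved = when the incident was
# closed. resolved is None while the incident is still open. ISO 8601, UTC.
INCIDENTS = [
    {"id": "INC-1", "category": "phishing",
     "occurred": "2024-03-01T08:00:00", "detected": "2024-03-01T10:00:00", "resolved": "2024-03-01T14:00:00"},
    {"id": "INC-2", "category": "phishing",
     "occurred": "2024-03-03T09:00:00", "detected": "2024-03-03T09:30:00", "resolved": "2024-03-03T12:30:00"},
    {"id": "INC-3", "category": "malware",
     "occurred": "2024-03-05T00:00:00", "detected": "2024-03-06T00:00:00", "resolved": "2024-03-07T12:00:00"},
    {"id": "INC-4", "category": "malware",
     "occurred": "2024-03-08T06:00:00", "detected": "2024-03-08T07:00:00", "resolved": None},
]


def _hours(later, earlier):
    """Elapsed hours between two ISO 8601 timestamps (later minus earlier)."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def _validate(inc):
    """Reject records whose timeline runs backwards; bad data silently skews the means."""
    if _hours(inc["detected"], inc["occurred"]) < 0:
        raise ValueError(f"{inc['id']}: detected before occurred")
    if inc["resolved"] is not None and _hours(inc["resolved"], inc["detected"]) < 0:
        raise ValueError(f"{inc['id']}: resolved before detected")


def _summarise(incs):
    # MTTD: occurred -> detected, over every incident.
    # MTTR: detected -> resolved, over closed incidents only (assumption: open
    # incidents have no response time yet, so they must not pull the mean down).
    ttd = [_hours(i["detected"], i["occurred"]) for i in incs]
    ttr = [_hours(i["resolved"], i["detected"]) for i in incs if i["resolved"] is not None]
    return {
        "count": len(incs),
        "open": len(incs) - len(ttr),
        "mttd_hours": round(mean(ttd), 3) if ttd else None,
        "mttr_hours": round(mean(ttr), 3) if ttr else None,
    }


def compute_metrics(incidents):
    """Return per-category MTTD/MTTR summaries plus an 'all' entry."""
    for inc in incidents:
        _validate(inc)
    by_cat = {}
    for inc in incidents:
        by_cat.setdefault(inc["category"], []).append(inc)
    result = {cat: _summarise(incs) for cat, incs in sorted(by_cat.items())}
    result["all"] = _summarise(incidents)
    return result


def detection_breaches(incidents, max_ttd_hours):
    """IDs of incidents whose time to detect exceeded the target (hypothetical SLA)."""
    return [i["id"] for i in incidents
            if _hours(i["detected"], i["occurred"]) > max_ttd_hours]


if __name__ == "__main__":
    for cat, m in compute_metrics(INCIDENTS).items():
        print(f"{cat:10} n={m['count']} open={m['open']} "
              f"MTTD={m['mttd_hours']}h MTTR={m['mttr_hours']}h")
    print("detection target (4h) missed:", detection_breaches(INCIDENTS, 4))
```

Run it on your own incident tracker export with the same three timestamps per record. The split by category matters: in the constructed data the overall MTTD looks acceptable only because two fast phishing detections mask a day-long gap on the malware case, which is exactly the kind of weak spot item 2 is meant to expose.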

Inform Your Team and Practice

After you have created your incident response plan, you need to share it with your team. You should not stop there, though. Simply having read the plan will not help when an incident occurs. Instead, you want your team to know enough of what to do that they can begin responding immediately.

Practice in both small informal groups and your official meetings. You can discuss a different potential incident each week on a team forum, or gamify the lessons for deeper engagement.

By practicing often and in several different ways, the plan becomes second nature. In the face of a threat or full-scale attack, your team will not need to read the plan step by step, because they will already be comfortable with it.

Tips to Stay Effective

Creating an effective incident response plan is essential, as is ensuring it remains effective. The following tips can help you reach this goal.
 

  • Be Vigilant
    Complacency is an open door for cybercriminals. Businesses must remain vigilant, staying up to date on new threats and cyber-attacks. Additionally, your plan should address both breaches that have already occurred and known weak spots that have not yet been exploited.
  • Be Adaptable
    You should not view your plan as set in stone. It should be fluid so that you can adapt and improve it as new threats emerge. Your team must be in the mindset to make changes and improvements as necessary.
  • Keep It Simple
    The purpose of an incident response plan is to be put to work in the face of a breach or other threat. If the plan is too long or too complicated, nobody will be able to follow it under pressure. Keep your plan as easy to read and as simple to follow as possible.

Listen to the full panel discussion here.
