Cybersecurity is a vital component in every organization’s defensive strategy. In today’s ever-evolving threat landscape, security pundits agree that it is no longer a matter of “if”, but “when” your organization will become the victim of a cyber attack. If we look at the most devastating cyber incidents in recent years, large-scale ransomware attacks took systems offline in enterprises all over the world. Even if your organization is not a target, there is always the chance you may end up as collateral damage. When a cybersecurity incident occurs, you need to have a plan ready that can help you mitigate the effects of the attack.
An incident response plan is an organized approach that helps you address and manage the aftermath of a cybersecurity incident. Preparing for a cybersecurity incident involves every function of your organization and is not the sole responsibility of IT. As every function of an organization relies on technology to operate, an incident response plan must cover every facet of the organization’s operations. An effective incident response plan must include and cater to the specific needs of your employees. Everyone must know what processes and procedures to follow when a cyber incident occurs. Formulating an incident response plan must, therefore, involve the development of a structured process and include facets that are strategic, operational, and tactical in nature.
Step 1 – Strategic Planning
At the strategic level, an incident response plan must ensure an organization is fully prepared for a cybersecurity incident. The strategic planning process must be inclusive, and planners must consult members of staff from every level and department within your organization. Taking this holistic approach will ensure the incident response plan covers every process and every possible risk. The key outcomes of this strategic planning phase are:
-
The creation of policies and procedures that help employees prevent an attack and identify potential security incidents.
-
Identifying vital financial and information assets and the dependencies that exist between them.
-
Classifying possible risks and formulating the steps needed to mitigate them.
-
Developing roles and responsibilities so that everyone knows what to do when an incident occurs.
Step 2 – Operational Planning
Operational planning should underpin the strategic phase and involves the implementation of tools and processes that ensure the day-to-day operational security of your organization. As this phase predominantly consists of the deployment and management of technologies, IT typically takes the lead with support from business leaders. There are various cybersecurity defensive solutions and processes your organization can implement to strengthen your defenses. These include:
-
The deployment of technologies such as firewalls, anti-malware solutions, and intrusion prevention systems to protect the environment from security threats.
-
Cybersecurity awareness training to help enforce the policies and procedures developed during the strategic phase.
-
Implementing technologies that monitor critical systems for any possible security threats.
-
Regular security risk assessments with a proactive defensive posture that continuously scans the external environment for new threats.
As an incident response plan is a living document, it is crucial that during the operational phase, you leverage inputs from the various defensive solutions and processes. Using this information, they can tweak and adjust their incident response strategy accordingly so that they protect themselves from ever-evolving cybersecurity risks.
Step 3 – Tactical Planning
The tactical planning phase of an incident response plan should outline the process an organization will follow after a cybersecurity incident occurs. This incident response is effectively the execution of the planning done during the strategic phase taking relevant information from the operational systems. The tactical plan should include:
-
The key members of the incident response team.
-
Steps and tools you will use to identify and assess the incident.
-
The possible measures your organization will use to contain the incident.
-
The provisions your organization will put in place to protect the critical assets of the business from contamination.
-
A list of external third-parties the organization can call to assist.
-
A communication and coordination plan to ensure all parties remain aligned during the incident.
-
The process you will follow once the cybersecurity incident has been contained to forensically investigate the root cause to ensure the same event does not reoccur.
You should consider testing your organization’s incident response plan and procedures in this tactical planning phase. We have found success with using tabletop exercises to test incident response plans - they are easy and ensure that all necessary members of staff and management are involved in these tests. A tabletop exercise is a simulation of a real incident where you can interact with other members and respond to events. They allow your team members to meet in a low-stress environment, review, assess and be trained on your organization’s incident response plans and procedures.
Incident Response is Not a One-Off Exercise
Organizations that want to implement an incident response plan must understand that effective incident response is not merely a planning exercise. It is a combination of planning, processes, and technologies that together form a cohesive defense to deal with cybersecurity incidents rapidly and efficiently.