You have a solid incident response plan. You are confident that you have included all possible known scenarios for a cyber attack. You feel prepared. But have you tested your cybersecurity incident response plan? Or, if you have tested it, how long has it been since you last tested it?
An incident response plan is considered by many to be essential: it is meant to guide you in the event of a cyber attack, a data breach, or any other cybersecurity incident your company falls prey to.
As we have been told over and over again, it is not “if” the company will suffer a breach or cyber attack, but rather “when”. The incident response plan is going to be needed at some point. This is why the process of developing the incident response plan should also include testing it periodically.
One way of verifying the strength of an incident response plan is to engage in what are called tabletop exercises or conference room pilots. An attack is simulated by gathering IT teams, line-of-business managers, and other stakeholders to test how each party would react if a cyber incident happened and what they would do to address the issue. Roles and responsibilities need to be defined, along with clear communication channels. Such tests may also include simulating specific types of attacks and then walking through the process of responding to them. Testing an incident response plan also gives a company a fairly accurate idea of the time it would need to respond to an attack, how long it would take to bring all systems back up if they went down, and how long it would take to react, rectify and notify.
In our role at 24By7Security, we often come in not only at the planning stage for an incident response plan but also at the invocation of the plan after the occurrence of an incident. We have seen our incident response plans activated due to various incidents such as stolen and lost devices, private information sent out by email by an employee, or an internal disruption of data or access rights by disgruntled employees. The devil is in the detail: the procedures outlined in any incident response plan should be detailed enough and flexible enough to accommodate the different incidents or attacks that cause the loss being addressed.