10 Things You Need to Know About Cyber Incident Response

An effective cyber incident response plan can be make-or-break for your organisation. Security incidents are becoming more common each year, with growing numbers of cyber criminals crippling systems in their bid to steal sensitive information and turn a profit.

Although organisations are rightly investing significant resources into threat prevention, they must also consider what happens when a cyber criminal breaches their systems.

Accepting this as a possibility can help you prepare for when disaster strikes, ensuring a rapid and coordinated response. According to an IBM study, organisations that implement a cyber incident response plan can save $2.66 million (about £2.2 million) in recovery costs.

But implementing a cyber incident response plan isn’t easy, and a poorly considered plan isn’t much better than a non-existent one.

Our consultants see similar problems time and again when reviewing organisations’ cyber security response plans. Here are ten common issues that we find.

1. Key stakeholders in the organisation haven’t actually read the cyber incident response plan.

The primary benefit of a cyber incident response plan is that everyone understands their responsibilities in the event of a security incident.

If they need to familiarise themselves with the document after learning of a cyber security breach, it will delay your ability to act quickly and undermine your response efforts.

2. Members of the cyber incident response team have read the plan but they don’t understand their roles and responsibilities.

As with the previous point, the plan should be ready to execute immediately, so this is not the time for awareness training or recaps.

3. The organisation believes that IT are responsible for incident response.

In reality, various responsibilities will fall across different departments, depending on their expertise and the nature of the incident.

4. The incident response plan lacks a communications strategy.

One of the most important parts of any plan is to share information and knowledge with stakeholders.

5. One person is responsible for too much.

In many of the exercises we review, a single individual leads the response and is responsible for every aspect of it. Organisations must build resilience into how they resource the response. As part of that, you should consider what happens if the person in charge is unavailable.

6. The incident response team doesn’t see the big picture.

It’s all too common for the cyber incident response team to focus on the immediate issue without considering the implications of their actions or decisions. Every action you take will have consequences, and these could affect operations, finances and the organisation’s reputation.

7. There is a lack of digital forensic readiness or training.

During an incident, it might be necessary to conduct a digital forensic assessment to investigate an issue or collect evidence to support prosecution of a guilty party. If the incident response team are not properly trained to acquire, handle, or analyse the data, there is a risk that the integrity of the evidence is compromised.

8. There is no process for escalating the incident.

Most organisations we work with don’t have a procedure for escalating a cyber security incident to the response team. There is nothing the team can do to respond to a data breach if they don’t know about it. This is why frontline staff must be trained on what to look for and how to act if they suspect that a cyber security incident has occurred.

9. The organisation fails to align the cyber incident response plan, business continuity plan and disaster recovery plan.

These plans are related but they’re not the same and can’t be repurposed. It might be necessary to activate any one of these plans in the event of a cyber security incident.

10. Organisations do not review relevant compliance or legal requirements when dealing with a cyber security incident.

This can include reporting data breaches to relevant supervisory authorities, depending on where the organisation is located. Any compliance or legal requirements must be considered and referenced within the cyber incident response plan.

Cyber incident response with GRCI Law

Creating a cyber incident response plan can be harder than it looks, and it’s why we always recommend seeking expert advice.

The last thing you need is to invest in a response plan only to realise, when you need it most, that it doesn’t work properly.

Cyber Incident Response Tabletop Exercises

If you’re looking to avoid that, GRCI Law’s Cyber Incident Response Tabletop Exercises are an ideal resource.

These exercises will highlight any deficiencies, recommend improvements and ensure that everyone knows what to do in the event of a cyber security incident.

This service provides your organisation with an experienced, independent CIR team, who will assess your current CIR capabilities in line with industry-recognised good practice.

This is a bespoke service, which is tailored for your organisation. We understand that no two organisations are the same and our consultancy team will work with you to ensure that these exercises address the risks that your organisation faces.

Get in touch with our team today to find out how you can get started.
