The 6 Phases of a Cyber Incident Response Plan

A cyber incident response plan is a document outlining what an organisation should do in the event of a data breach or other form of security incident.

They are a crucial part of an organisation’s information security and business continuity plan given the surging threat of cyber crime.

The UK government's Cyber Security Breaches Survey 2022 found that 39% of businesses had identified a cyber security breach or attack in the previous 12 months.

Meanwhile, tech giant Cisco has estimated that the global cost of cyber crime will rise by 75% over the five-year period from 2021 to 2025, reaching as much as $10.5 trillion (about £9.2 trillion) a year.

By implementing a cyber incident response plan, an organisation accepts that information security incidents are an inevitable part of modern business and commits to the pre-emptive measures needed to contain them when they occur.

How to create a cyber incident response plan

Many organisations use NIST’s Computer Security Incident Handling Guide (SP 800-61) as the basis of their incident response plan.

NIST describes a four-phase lifecycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. In practice it is usually expanded into the six phases popularised by the SANS Institute, which are the ones used here: preparation, identification, containment, eradication, recovery and lessons learned.

Although each of those stages will contain complex and interrelated actions, the plan itself should provide simple and precise guidance, free from jargon. This enables stakeholders to make decisions quickly and identify a plan of action without having to sift through lengthy technical details.

Let’s now look at what each of those six phases should cover.

1. Preparation

An effective incident response plan provides guidelines for the steps an organisation should take well before a disruptive incident occurs. The plan begins by outlining how an organisation should mitigate the risk of a data breach.

The preparation phase should align organisational policies on data protection with security goals and technological defences.

At a minimum, you must ensure that employees have received information security staff awareness training. Ideally, they should also receive specific training on incident response.

Likewise, you should audit your systems to ensure that your sensitive data is adequately protected and that event logging and monitoring are in place, because the identification and lessons-learned phases depend on having that evidence.

2. Identification

The second phase of incident response planning relates to the steps an organisation takes to identify when its systems have been compromised.

If you can spot an intrusion quickly, you are better equipped to thwart the attack. Even if that’s not possible, you can expedite the response effort and minimise the damage, saving you time and money.

When identifying a security incident, you should answer the following questions:

  • Who discovered the breach?
  • What is the extent of the breach?
  • Is it affecting our operations?
  • What is the source of the compromise?
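The last three questions can often be answered, at least provisionally, by triaging the authentication logs that the preparation phase should already be collecting. The following is an added example, not code from the original article or from GRCI Law: it parses a handful of constructed sshd log lines (using RFC 5737 documentation addresses, so no real hosts are involved), flags a source address that logs in successfully after a run of failed attempts, tracks where that address goes next, and returns the extent (accounts and hosts affected) and source of the compromise. The failure threshold and the log format are assumptions; adjust both for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 09:12:03 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51030 ssh2
Mar  3 09:12:05 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51032 ssh2
Mar  3 09:12:07 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51036 ssh2
Mar  3 09:12:09 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51040 ssh2
Mar  3 09:12:20 web01 sshd[2211]: Accepted password for deploy from 203.0.113.45 port 51044 ssh2
Mar  3 09:15:02 db01 sshd[871]: Accepted password for deploy from 203.0.113.45 port 52001 ssh2
Mar  3 09:20:00 web02 sshd[3300]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:00 web01 sshd[2400]: Accepted publickey for alice from 10.0.0.5 port 60000 ssh2
"""

# Matches the standard sshd syslog format; "invalid user" is optional on failures.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Assumption: five or more failures from one address before a success is treated
# as a brute-force login rather than a user mistyping a password.
FAILURE_THRESHOLD = 5


def parse(log_text):
    """Return one dict per parseable sshd line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(log_text, threshold=FAILURE_THRESHOLD):
    """Answer 'what is the extent' and 'what is the source' for a brute-force intrusion.

    A successful login from an address that has already failed `threshold` times is
    flagged as a compromise; every later success from the same address (lateral
    movement to other hosts) is attributed to the same attacker.
    """
    failures = defaultdict(int)   # source ip -> failed logins seen so far
    suspect_ips = set()           # addresses judged to be attacker-controlled
    compromised_accounts = set()
    affected_hosts = set()
    first_seen = {}               # source ip -> timestamp of first successful login

    for ev in parse(log_text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= threshold or ip in suspect_ips:
            suspect_ips.add(ip)
            compromised_accounts.add(ev["user"])
            affected_hosts.add(ev["host"])
            first_seen.setdefault(ip, ev["ts"])

    return {
        "source_ips": sorted(suspect_ips),
        "compromised_accounts": sorted(compromised_accounts),
        "affected_hosts": sorted(affected_hosts),
        "first_seen": first_seen,
    }


def containment_actions(summary):
    """Turn the triage summary into the immediate containment steps to consider."""
    actions = [f"block source address {ip} at the perimeter" for ip in summary["source_ips"]]
    actions += [f"disable account {u} and revoke its sessions" for u in summary["compromised_accounts"]]
    actions += [f"isolate host {h} from the network and preserve its evidence" for h in summary["affected_hosts"]]
    return actions


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    for action in containment_actions(result):
        print("-", action)
```

Run against the sample, the triage attributes the intrusion to 203.0.113.45, names the `deploy` account as compromised and lists both `web01` (the initial entry point) and `db01` (where the same address logged in three minutes later) as affected; the single failed `root` attempt from 198.51.100.7 and the legitimate key-based login by `alice` are left alone. Who discovered the breach and whether it is affecting operations still have to be recorded by the person raising the incident.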

3. Containment

The third phase covers the steps you should take to limit the damage once you know you have been breached. Depending on the nature of the incident, this could mean cutting off the attacker’s access (for example by isolating compromised hosts from the network, blocking the source addresses or disabling compromised accounts) or isolating the systems and data that have already been compromised so the attacker cannot reach any further.

During this phase, you should consider whether systems need to be taken offline or rebuilt, and whether there are immediate steps you can take to close the vulnerabilities being exploited. Before wiping or rebuilding anything, preserve the evidence you will need later (disk images, memory captures and logs): both eradication and the lessons-learned review depend on knowing how the attacker got in.

4. Eradication

Phase four of a cyber incident response plan is about removing the attacker’s foothold and rectifying the weakness that enabled the data breach to occur. The specifics will again depend on the type of incident, but during this stage you must establish how the information was compromised and eliminate that route.

If you were infected by malware, for example, you would remove the malicious software from every affected system (or rebuild those systems from known-good images) and patch the vulnerability it exploited. If the attack occurred because a criminal hacker compromised an employee’s login credentials, you would disable the account, revoke its active sessions and tokens, reset the credentials and check for any other accounts or persistence mechanisms the attacker created.

5. Recovery

Once you have eradicated the threat, you can move on to the penultimate stage of cyber incident response, which is to get your systems back online.

This will be more complex in some instances than others, but it’s an essential part of the process and should be treated carefully. Without a proper recovery process, you could remain vulnerable to similar attacks, which will compound the damage.

As part of the recovery process, you should test and monitor the affected systems once you have remediated the situation. This ensures that the measures you put in place work as intended, and it gives you the opportunity to correct any mistakes.

6. Lessons learned

The final phase of the cyber incident response plan is to review the incident and to identify opportunities for improvement. Everyone in your incident response team should meet to evaluate parts of the plan that worked and problems that you encountered.

You should assess every step of the process, discussing what happened, why it happened, what you did to contain the situation and what could have been done differently. For example, were there any gaps in the plan, and was the documentation effective and easy to understand?

This conversation should take place between one and two weeks after the security incident occurred – long enough to consider the situation in hindsight but soon enough to ensure that it remains fresh in everyone’s memory.

The purpose of this phase isn’t to call out team members for mistakes they made, but to ensure that inefficiencies don’t occur in the future. If there were failures in the process, it suggests that either the documentation wasn’t clear, appropriate actions weren’t outlined or staff training wasn’t adequate.

Assess your cyber incident response readiness

If you’re looking for guidance on how to prevent cyber security incidents, GRCI Law is here to help.

Our Cyber Incident Response Readiness Assessment provides an impartial review of your organisation’s ability to protect against, detect and respond to a cyber security incident.

The assessment looks at your organisation’s cyber incident response capabilities, threat and vulnerability management, event logging and monitoring, and business continuity.

We understand that no two organisations are the same and our consultancy team will work with you to ensure that we provide advice that is relevant to your organisation’s size, sector and objectives.