An effective cyber incident response plan might be the difference between your organisation suffering a slight disruption following a data breach and it collapsing into financial ruin.
Security incidents are increasing in size and sophistication each year, with organisations across all sectors coming under attack. Many have failed to control the damage in time and faced insurmountable costs addressing compromised data, customer loss and regulatory penalties.
But with a cyber incident response plan, you have a blueprint for a swift and effective response. According to an IBM study, organisations that implement a cyber incident response plan save $2.66 million (about £2.2 million).
It’s a hefty sum that could prove vital as you attempt to navigate the aftershocks of a data breach.
What is a cyber incident response plan?
A cyber incident response plan is a document that outlines what an organisation should do in the event of a data breach or other form of security incident.
These plans are a crucial part of an organisation’s information security and business continuity measures given the surging threat of cyber crime.
A 2022 UK government report found that 39% of organisations had suffered a data breach in the previous year.
Meanwhile, tech giant Cisco estimated that the amount of money organisations spend recovering from cyber attacks will increase by 75% in the five-year period from 2021 to 2025, reaching as much as $10.5 trillion (about £9.2 trillion).
By implementing a cyber incident response plan, organisations understand that information security risks are an inevitable part of modern business and that they must take pre-emptive measures to contain the threat.
6 phases of the cyber incident response lifecycle
The most common cyber incident response framework is NIST’s Computer Security Incident Handling Guide. It contains six phases that guide organisations through the process:
- Lessons learned
Although each of these stages contains complex and interrelated actions, the documented plan should provide simple and precise guidance, free from jargon.
This enables stakeholders to make decisions quickly and identify a plan of action without having to sift through lengthy technical details.
Let’s now look at what each of those six phases should cover.
An effective incident response plan provides guidelines for the steps an organisation should take well before a disruptive incident occurs. The plan begins by outlining how an organisation should mitigate the risk of a data breach.
The preparation phase should align organisational policies on data protection with security goals and technological defences.
At a minimum, you must ensure that employees have received information security staff awareness training. Ideally, they should also receive specific training on incident response.
Likewise, you should perform an audit of your systems to ensure that your sensitive data is adequately protected.
The second phrase of incident response planning relates to the steps an organisation takes to identify when its systems have been compromised.
If you can spot an intrusion quickly, you are better equipped to thwart the attack. Even if that’s not possible, you can expedite the response effort and minimise the damage, saving you time and money.
When identifying a security incident, you should answer the following questions:
- Who discovered the breach?
- What is the extent of the breach?
- Is it affecting our operations?
- What is the source of the compromise?
The third phase covers the steps you should take to mitigate the damage once you have been breached. Depending on the nature of the incident, this could mean taking actions to remove the criminal hacker from your systems or to isolate the already compromised data.
During this phase, you should consider whether systems need to be taken offline or deleted, and whether there are immediate steps you can take to close vulnerabilities.
Phase four of a cyber incident response plan is about rectifying the weakness that enabled the data breach to occur. The specifics will again depend on how the type of incident, but during this stage, you must identify how the information was compromised and how you can eradicate the risk.
If you were infected by malware, for example, you would remove the malicious software and isolate the affected parts of your organisation. Meanwhile, if the attack occurred because a criminal hacker compromised an employee’s login credentials, you would freeze their account.
Once you have eradicated the threat, you can move on to the penultimate stage of cyber incident response, which is to get your systems back online.
This will be more complex in some instances than others, but it’s an essential part of the process and should be treated carefully. Without a proper recovery process, you could remain vulnerable to similar attacks, which will compound the damage.
As part of the recovery process, you should test and monitor the affected systems once you have remediated the situation. This ensures that the measures you put in place work as intended, and it gives you the opportunity to correct any mistakes.
- Lessons learned
The final phase of the cyber incident response plan is to review the incident and to identify opportunities for improvement. Everyone in your incident response team should meet to evaluate parts of the plan that worked and problems that you encountered.
You should assess every step of the process, discussing what happened, why it happened, what you did to contain the situation and what could have been done differently. For example, were there any gaps in the plan, and was the documentation effective and easy to understand?
This conversation should take place between one and two weeks after the security incident occurred – long enough to consider situation in hindsight but soon enough to ensure that it remains fresh in everyone’s memory.
The purpose of this phase isn’t to call out team members for mistakes they made, but to ensure that inefficiencies don’t occur in the future. If there were failures in the process, it suggests that either the documentation wasn’t clear, appropriate actions weren’t outlined or staff training wasn’t adequate.
What is a cyber incident response team?
The cyber incident response team are the personnel who oversee the plan. The team should be headed by a manager, who coordinates the plan and delegates various other tasks.
Beneath them is a group leader or leaders, who oversee specific areas of the response plan. They will work directly with incident handlers, who are floor-level managers who provide direct instructions to employees.
Elsewhere, the team should include hotline, helpdesk or triage staff to answer questions from stakeholders.
It should also include experts who can help design the incident response plan. This includes artifact analysis staff, who review the function, architecture and design of software, as well as platform specialists, who monitor and analyse the functionality of platforms and applications.
Finally, the team should contain experts who train employees on how to carry out the necessary steps in the incident response plan.
The skills and experience needed by your team will depend on the nature of your business and the complexity of your in-house incident response capabilities.
However, as the NCSC (National Cyber Security Centre) notes, there are some competencies that organisations should look out for when building their team.
The first is your team’s ability to remain aware of cyber security news and trends. If you’re familiar with emerging trends in the way criminals target organisations, you can pre-empt an attack and implement defence and response measures.
Another key experience is to perform trial runs of your incident response measures based on real-world scenarios.
You might do a full-scale trial or look at specific elements of the response. For example, you might focus on the technical elements of your plan, the way management responds or the logistics of a plan among the entire workforce.
How to build a cyber incident response team
There are three ways an organisation can create its team:
- Internally resourced: The organisation assigns roles to its employees and conducts all incident response activities itself.
- Partially outsourced: The organisation hires a third party to oversee certain elements of its incident response activities, and lets its own employees cover all other aspects of the plan. For example, it could appoint experts to control the management aspects and use its employees for the technical aspects, or have hotline operators and helpdesk staff on retainer.
- Fully outsourced: The organisation subcontracts all elements of its incident response activities. A single third party might manage every aspect, or the organisation could appoint different specialists for each task.
Need an incident response provider?
Not every organisation will have the expertise and resources required to create an in-house cyber incident response team. That’s where GRCI Law’s team of experts can help.
Our Cyber Incident Response Readiness Assessment provides an impartial review of your organisation’s ability to protect against, detect and respond to a cyber security incident.
The assessment looks at your organisation’s cyber incident response capabilities, threat and vulnerability management, event logging and monitoring, and business continuity.
We understand that no two organisations are the same and our consultancy team will work with you to ensure that we provide advice that is relevant to your organisation’s size, sector and objectives.