
How to Prepare Your Organization for a Cybersecurity Incident

By Vibha Puthran, ERMProtect, Information Security Consultant

A cybersecurity incident is an event that may indicate an organization's data, systems, or access permissions have been compromised. Examples include a stolen credential, a database breach, or malware disrupting the normal operation of a system. Preparing for these situations substantially reduces damage and cost and helps get the business back to normal operations as quickly as possible.

Here are four important steps to prepare your organization for a cybersecurity incident.

Frame a Cybersecurity Incident Response Plan

A Cybersecurity Incident Response Plan is a written document, formally approved by the senior leadership team, that guides your organization before, during, and after a confirmed or suspected security incident. The plan and its procedures help the organization reduce recovery time and limit further cybersecurity risk while dealing with a crisis.

Without a formal Incident Response (IR) plan in place, your organization may not know how to contain, clean up, and recover from an attack once it is detected. These plans typically spell out the duties that each person or team must perform during an incident. They also set out policies and procedures for communication during a breach, specifying when incidents should be escalated to management and when external parties should be notified, such as outside legal counsel, law enforcement, third-party vendors, clients, regulators, and other external stakeholders. This ensures a smooth communication process during a trying time.

Assign Roles and Responsibilities During an Incident

Each employee's effort matters during a cybersecurity incident response. Teamwork and coordination among different divisions of a company make response activities faster and more efficient. As such, attack-specific playbooks and job aids should be drafted while framing the incident response plan.

An incident manager should be assigned to lead and coordinate response activities during an incident. Security personnel should be designated as incident responders and trained to investigate and recover from the incident. The CISO, or an equivalent executive, should be tasked with informing the board of directors, the media, and law enforcement, if required.

Segregating tasks and ensuring employees are aware of their roles during an incident will facilitate a smooth process during remediation.

Regularly Review the Cybersecurity Incident Response Plan

Framing the Incident Response Plan once and then filing it away for years is a bad idea. With new technologies being adopted every day and attacker techniques constantly evolving, it is important that the Cybersecurity Incident Response Plan is reviewed and updated at least annually, and preferably every six months. This helps ensure that the plan stays current and that newer employees know their responsibilities during an incident. Engaging a third-party firm to review the plan is highly encouraged, as its experts will have better insight into current trends and attack vectors and can advise accordingly.

Test the Incident Response Plan in Tabletop Exercises

Having polished documents and policies in place is always nice, but unless they are tested you will never know whether they are effective. Tabletop exercises that simulate a cybersecurity incident help evaluate the effectiveness of your plan as well as your team's response. This interactive form of learning will identify gaps in your communication plans, containment actions, and remediation activities. It helps to have an outside firm conduct the exercise, so its experts can advise on what could be done differently and improved.

ERMProtect Can Help

ERMProtect has developed Cybersecurity Incident Response Plans and conducted Tabletop Exercises for multiple clients across 30+ industry verticals. Please contact Silka Gonzalez at sgonzalez@ermprotect.com or Judy Miller at jmiller@ermprotect.com or 305-447-6750 for a demo of our incident response and digital forensic services.

Vibha Puthran is an Information Security Consultant at ERMProtect Cybersecurity Solutions. She is a Certified Computer Incident Handler and has experience in incident response investigations, digital forensics, table-top exercises, and security awareness training. She has a master’s degree in Information Security from Carnegie Mellon University.
