How to Prepare Your Organization for a Cybersecurity Incident

By Vibha Puthran, ERMProtect, Information Security Consultant

A cybersecurity incident is an event that may indicate an organization’s data, systems, or permissions have been compromised. This could be a stolen password, a database breach, or malware disrupting the normal operation of a system. Preparing for these circumstances substantially decreases damage and costs and helps get companies back to business as quickly as possible.

Here are four important steps to prepare your organization for a cybersecurity incident.

Frame an Incident Response Plan

An Incident Response Plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident. The plan and its procedures help organizations reduce recovery time and mitigate further cybersecurity risk while dealing with a crisis.

Without a formal Incident Response (IR) plan in place, your organization may not know what to do to contain, clean up, and recover from attacks when detected. These plans typically spell out the duties that each person or team needs to perform during an incident. They also set out policies and procedures for communication during a breach, spelling out when incidents should be escalated to management and when external sources should be notified, such as outside legal counsel, law enforcement, third-party vendors, clients, regulators, and external stakeholders. This ensures a smooth communication process during a trying time.

Assign Roles and Responsibilities During an Incident

Each employee’s effort is important during a cybersecurity incident. Teamwork and coordination among different divisions in a company make response activities run more smoothly and efficiently. As such, attack-specific playbooks and job aids must be drafted while framing the incident response plan.

An incident manager should be assigned who can lead and coordinate the response activities during an incident. Security personnel must be assigned as incident responders and trained to investigate and recover from the incident. The CISO or equivalent must be tasked with informing the board of directors, media, and law enforcement, if required.

Segregating tasks and ensuring employees are aware of their roles during an incident will facilitate a smooth process during remediation.

Regularly Review the Incident Response Plan

Just framing the Incident Response Plan once and storing it for years is a bad idea. With new technologies emerging every day and attacker techniques constantly evolving, it is important that the Incident Response Plan is reviewed and updated at least every six months or annually. This helps ensure that the plan is up to date and that newer employees are aware of their responsibilities during an incident. Engaging with a third-party firm to review the incident response plan is highly encouraged, as its experts will have better insight into current trends and attack vectors and can advise accordingly.

Test the Incident Response Plan in Tabletop Exercises

Having fancy documents and policies in place is always nice, but unless they are tested you will never know whether they are effective. Engaging in tabletop exercises that simulate a cybersecurity incident helps evaluate the effectiveness of your plan as well as your team’s response. This fun and interactive way of learning will identify gaps in your communication plans, containment actions, and remediation activities. It helps to have an outside firm conduct this exercise, so its experts can advise on what can be done differently and improved.

ERMProtect Can Help

ERMProtect has developed Incident Response Plans and conducted Tabletop Exercises for multiple clients across 30+ industry verticals. Please contact Silka Gonzalez at or Judy Miller at or 305-447-6750 for a demo of our incident response and digital forensic services.

Vibha Puthran is an Information Security Consultant at ERMProtect Cybersecurity Solutions. She is a Certified Computer Incident Handler and has experience in incident response investigations, digital forensics, table-top exercises, and security awareness training. She has a master’s degree in Information Security from Carnegie Mellon University.
