cybersecurity incident response

How to Prepare Your Organization for a Cybersecurity Incident

By Vibha Puthran, ERMProtect, Information Security Consultant

A cybersecurity incident is an event that may indicate an organization’s data, systems, or permissions have been compromised. This could be a stolen password, a database breach, or malware affecting the normal applications of a system. Preparing for these circumstances substantially decreases damage and costs and helps get companies back to business as quickly as possible.

Here are four important steps to prepare your organization for a cybersecurity incident.

Frame an Cybersecurity Incident Response Plan

A Cybersecurity Incident Response Plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident. The plan and its procedures help organizations reduce recovery time and mitigate further cybersecurity risk while dealing with a crisis.

Without a formal Incident Response (IR) plan in place, your organization may not know what to do to contain, clean up, and recover from attacks when detected. These plans typically spell out the duties that each person or team needs to perform during an incident. They also set out policies and procedures for communication during a breach, spelling out when incidents should be escalated to management and when external sources should be notified, such as outside legal counsel, law enforcement, third-party vendors, clients, regulators, and external stakeholders. This ensures a smooth communication process during a trying time.

Assign Roles and Responsibilities During an Incident

Each employees’ effort is important during a cybersecurity incident response. Teamwork and coordination among different divisions in a company helps coordinate response activities better and more efficiently. As such, attack-based playbooks and job aids must be drafted while framing the incident response plan.

An incident manager should be assigned who can lead and coordinate the response activities during an incident. Security personnel must be assigned as incident responders and trained to investigate and recover from the incident. The CISO or equivalent must be tasked with informing the board of directors, media, and law enforcement, if required.

Segregating tasks and ensuring employees are aware of their roles during an incident will facilitate a smooth process during remediation.

Regularly Review the Cybersecurity Incident Response Plan

Just framing the Incident Response Plan once and storing it for years is a bad idea. With newer technologies being innovated every day and evolving attacker techniques, it is important that the Cybersecurity Incident Response Plan is reviewed and updated at least every half year or yearly. This helps ensure that the plan is up to date and that newer employees are aware of their responsibilities during an incident. Engaging with a third-party firm to review the incident response plan is highly encouraged, as its experts will have better insight into current trends and attack vectors and can advise accordingly.

Test the Incident Response Plan in Tabletop Exercises

Having fancy documents and policies in place is always nice, but unless they are tested you will never know whether they are effective. Engaging in tabletop exercises which simulate a cybersecurity incident helps evaluate the effectiveness of your plan as well as your team’s response. This fun and interactive way of learning will identify gaps in your communication plans, containment actions, and remediation activities. It helps to have an outside firm conduct this exercise, so its experts can advise on what can be done differently and improved.

ERMProtect Can Help

ERMProtect has developed Cybersecurity Incident Response Plans and conducted Tabletop Exercises for multiple clients across 30+ industry verticals. Please contact Silka Gonzalez at [email protected] or Judy Miller at [email protected] or 305-447-6750 for a demo of our incident response and digital forensic services.

Vibha Puthran is an Information Security Consultant at ERMProtect Cybersecurity Solutions. She is a Certified Computer Incident Handler and has experience in incident response investigations, digital forensics, table-top exercises, and security awareness training. She has a master’s degree in Information Security from Carnegie Mellon University.

Subscribe to Our Weekly Newsleter

Intelligence and Insights

pci dss in the cloud

How to Achieve PCI Compliance in the Cloud as Security Controls Evolve

The integration of cloud services with PCI DSS compliance is particularly crucial for enterprises that handle sensitive payment card information …
Digital Forensics Investigation

What Are the 5 Stages of a Digital Forensics Investigation?

In this article, we delve deeply into the five stages of a digital forensics investigation and provide tips on how to select the right digital forensics company …
Comprehensive Guide to Penetration Testing

A Comprehensive Guide to Penetration Testing – Types, Methods, Benefits and Best Practices

This penetration testing guide explains the different types of penetration testing, their benefits, and their purpose …