Does your Incident Response Plan Need an Update?
By Mike Raia Posted February 5, 2019
Look at your incident response plan the same way that a company should view their business plan. In the ideal world, the business plan is something that you review at least once a year to see whether you're hitting your benchmarks. This allows you to judge your progress, correct your process where it doesn't work, and create new goals as the company grows. Of course, we know that many companies don't even use their business plans. They might have been created to gain funding or in the initial planning phases, but then they sit in a file to rarely be revised or considered.
If your company isn't regularly updating your incident response plan, it's a high-risk mistake. According to the 2018 Global Cost of a Data Breach Study, there's a 27.9 percent chance that your company will experience a data breach in the next two years. What happens if you have an out-of-date response plan in place and your company becomes a statistic? Panic—which often leads to poor decision making and further errors.
Security breaches can be exceptionally costly, more so when they're not contained immediately. There can also be long-term costs to the company, such as a loss of customer loyalty. This, by the way, should be considered within your incident response plan—how to get in front of the information to salvage and increase your customers' trust with a prompt, transparent response.
Threats continually evolve. Your team members and company landscape also change from year to year. It's integral that your incident response plan keeps up with the external and internal changes that can undermine its success.
Building and Updating Your Incident Response Plan
Your incident response plan should include contingencies for every known scenario. This is why it's important to keep working with the plan—known scenarios change rapidly as new threats emerge. Here's another thing that your IT team knows all too well: you need to incorporate previous mistakes into plan upgrades. You can write and launch the most thoughtful and elaborate security response, but attacks rarely follow the blueprint we think they will. It's important to include every lesson learned in the real world, as well as the information we've gleaned from others' mistakes.
Your current incident response plan might be extensive and cover a wide range of possible scenarios. That makes it more difficult to fine-tune and to determine where upgrades are needed.
Here are a few important things to consider every time you assess your plan:
- Critical Systems and Key Assets. Your response plan should include all of the systems that are important for the continuity of your business. As we know, these assets can change over time. It's important that new systems are identified and prioritized in your plan. This way, your response team will always have an up-to-date record and an exact protocol to follow for each asset that might be compromised.
- Updated Possible Threats. Currently, cryptojacking is the most common threat facing most businesses. A few years ago, it was ransomware. Each cybersecurity threat will need to be guarded against in specific ways. Since hackers are constantly coming up with new ways to beat security measures, your plan needs to evolve to update individual threats and include comprehensive plans for defense. You should also identify the level of the threat and the team members involved in the response - obviously, some threats don't warrant the same level of response as others.
- Keep Your Internal List of Contacts Current. Each type of breach should trigger an individual response. This might start with the notification of your response team members and branch out to applicable executives, shareholders, employees, and possibly even your public relations team to handle the message to the media and personal contact to impacted customers. To get ahead of an emergency situation, drafting email templates to each party can cut down time and help your team to stay on message.
- Don't Forget to Address Internal Security Issues. If your entire plan centers on nefarious external forces, you're missing the forest for the trees. Employees continue to pose the biggest security threat to your company, through human error and malicious intent. Employee access should be monitored and tracked, especially with regard to those who have clearance for sensitive records and critical systems. It's also important that you maintain security protocols to limit access immediately when employees are terminated. Often these breaches are the result of simple error or negligence. Your plan should include a clear protocol to determine where the security issue originated. This prevents recurrence and aids in future employee training.
Automate Your Incident Management Process
Any time there's a security incident, the first priority is making sure the business can operate effectively to serve the client base. You don't want your website offline for an extended period of time. Your business can be crippled when integral processes are compromised to the point that you lose hours or even days.
Priority one is making sure that you can return your business to full function. The steps that follow include documenting the incident, repairing any damage, and handling the communications so that your incident doesn't become a public relations nightmare.
Your incident response plan has a lot of moving parts and it all needs to be carried out impeccably and immediately. This is why an automated incident management process makes the most sense for your business. Automation of this process allows for quicker response time and less room for error.
In the case of a threat, your automated process would bucket the threat by the level of the breach. For instance, a critical breach would go directly to the highest level response team for immediate action. Each action in the workflow would set off the next response to make certain that the proper actions are taken.
If you're not prepared for a security attack, the initial reaction is often wrong. There are adrenaline rushes and panic involved in trying to mitigate threats without warning or protocol. An automated response allows your team to follow a set protocol that can help them think through the entire process in a more thorough and efficient manner.
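The bucketing-and-routing workflow described above, plus the pre-drafted per-party messages from the contact-list section, can be sketched as a small program. The following is an added illustration, not code from the original post or from any product the author sells: the asset tiers, threat ratings, contact names, templates and workflow steps are all constructed placeholders that a real plan would replace with its own register and call tree. It also shows the failure mode the text warns about, an asset that the runbook does not know how to contain, which escalates to the next bucket rather than silently finishing.

```python
"""Severity-bucketed routing of a security incident through a fixed workflow.

Added illustration (not code from the original post). All asset tiers, threat
ratings, contact lists and message templates below are constructed placeholders.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Constructed asset register: tier 1 = most critical for business continuity.
ASSET_TIER = {"customer-db": 1, "payment-gateway": 1, "public-website": 2, "intranet-wiki": 3}

# Constructed baseline rating per threat type; revisit this table as the threat picture changes.
THREAT_BASE = {
    "ransomware": Severity.HIGH,
    "insider-access-abuse": Severity.HIGH,
    "cryptojacking": Severity.MEDIUM,
    "phishing": Severity.LOW,
}

# Who is paged for each bucket (constructed contact list, kept in one place so it is easy to update).
ROUTING = {
    Severity.LOW: ["on-call-analyst"],
    Severity.MEDIUM: ["on-call-analyst", "ir-lead"],
    Severity.HIGH: ["ir-lead", "ciso"],
    Severity.CRITICAL: ["ir-lead", "ciso", "executives", "public-relations"],
}

# Pre-drafted message per party so responders stay on message under pressure.
TEMPLATES = {
    "on-call-analyst": "Triage {threat} on {asset} ({sev}).",
    "ir-lead": "Lead response to {threat} on {asset} ({sev}).",
    "ciso": "Heads-up: {threat} affecting {asset}, severity {sev}.",
    "executives": "Exec brief: {threat} on {asset} rated {sev}; containment in progress.",
    "public-relations": "Prepare holding statement for {threat} incident on {asset}.",
}

WORKFLOW = ("contain", "document", "repair", "communicate")  # each completed step triggers the next


@dataclass
class Incident:
    threat: str
    asset: str
    severity: Severity
    notified: list = field(default_factory=list)
    log: list = field(default_factory=list)


def classify(threat: str, asset: str) -> Severity:
    """Bucket by threat rating, escalated one level per asset tier above the lowest tier."""
    base = THREAT_BASE.get(threat, Severity.MEDIUM)  # unknown threat: default to MEDIUM, never silently LOW
    tier = ASSET_TIER.get(asset, 3)                  # unknown asset: treat as the least critical tier
    return Severity(min(Severity.CRITICAL, base + (3 - tier)))


def notify(inc: Incident, party: str) -> None:
    if party in inc.notified:
        return  # do not page the same contact twice when escalating
    inc.notified.append(party)
    msg = TEMPLATES[party].format(threat=inc.threat, asset=inc.asset, sev=inc.severity.name)
    inc.log.append(f"notify {party}: {msg}")


def escalate(inc: Incident, reason: str) -> None:
    """Raise the incident one bucket and page whoever that bucket adds."""
    if inc.severity < Severity.CRITICAL:
        inc.severity = Severity(inc.severity + 1)
    inc.log.append(f"escalate to {inc.severity.name}: {reason}")
    for party in ROUTING[inc.severity]:
        notify(inc, party)


# Step handlers return True when the runbook step completed, False when a human must take over.
def contain(inc: Incident) -> bool:
    return inc.asset in ASSET_TIER  # no isolation runbook exists for an asset missing from the register


def document(inc: Incident) -> bool:
    inc.log.append(f"record: {inc.threat} on {inc.asset}, origin to be determined")
    return True


def repair(inc: Incident) -> bool:
    return True


def communicate(inc: Incident) -> bool:
    if inc.severity >= Severity.HIGH:
        inc.log.append("customer notice drafted")
    return True


HANDLERS = {"contain": contain, "document": document, "repair": repair, "communicate": communicate}


def open_incident(threat: str, asset: str) -> Incident:
    """Classify, page the bucket's contacts, then run the workflow; stop and escalate on a failed step."""
    inc = Incident(threat, asset, classify(threat, asset))
    for party in ROUTING[inc.severity]:
        notify(inc, party)
    for step in WORKFLOW:
        ok = HANDLERS[step](inc)
        inc.log.append(f"{step}: {'done' if ok else 'FAILED'}")
        if not ok:
            escalate(inc, f"{step} needs manual handling")
            break
    return inc


if __name__ == "__main__":
    for line in open_incident("ransomware", "customer-db").log:
        print(line)
```

The point of keeping the asset register, threat table and contact routing as plain data at the top is that the yearly review the post argues for becomes an edit to those tables rather than to the workflow logic, and the incident log doubles as the record the "document" step is supposed to produce.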