How to Create a Cyber Incident Response Plan | Nettitude

Posted by Nettitude on Sep 15, 2022


74% of organisations lack a cyber incident response plan, according to Ponemon Institute. This is an incredible figure given most boardrooms would cite cyber-attacks as the biggest risk to their business. Quite often, leaders do not know where to start when it comes to cybersecurity. With the risk feeling widespread, where do you focus your resources?

A documented cyber incident response plan is a must for every business. Having this in place will accelerate your response to a significant attack and minimise damage, and it is not as complex as you think to create one.

How to create a cyber incident response plan


What is cyber incident response?

Let us first dispel a myth: this is not the sole responsibility of your security department. The entire organisation should focus on cyber incident response, from the CEO down.

Cyber incident response describes your formal process and reaction to a significant cyber-attack. This could be a data breach or a ransomware attack, for example. Or it might be an insider threat to your system and information.

Your process exists to help you identify and respond to the incident quickly, returning your business to normal operations as soon as possible. You risk much greater damage to your business if you pigeonhole this as a security issue alone. Responding to such an incident requires instant decision-making that is best made at board level.

For example, if you spot a data breach in progress, you might need to shut down your entire system immediately to minimise loss. This has financial and operational implications that an IT engineer or security team member cannot take responsibility for alone, yet delayed action costs your business. It also has forensic implications, since powering systems off destroys volatile evidence, so the decision needs both business and technical input, quickly.

By having a cyber incident response process in place, everyone knows what to do in the event of an attack.

So, let us look at how to create an effective process. You need two fundamental things: a cyber response team and a plan.

Building your cyber incident response team

Remember, this is business-wide, not just your security team. Below is a recommended list of roles to include; adapt it to your business structure. Importantly, assign a primary and a secondary person to each role to ensure cover for leave and sickness.

Board-level decision maker
Crucial to ensure instant board-level decision-making from a business-wide perspective.

Security risk adviser
To guide your organisation on security risks during and after the incident.

Technical impact adviser
To understand and advise all departments on the technical impact of the incident and how it might affect day-to-day operations.

Incident Manager
This is someone pre-assigned to lead the incident, ensuring communication is timely and appropriate, internally, and externally. They also keep track of activities and ensure correct prioritisation.

Legal
A sensitive data leak, for example, creates legal implications. A legal team member also liaises with your insurer, should you have cyber insurance, since policies commonly set conditions on notification and on who may be engaged to respond.

Data Protection Officer
When data has been exposed, they assess the nature of it. Should it include personal data, they notify the relevant supervisory authority in line with GDPR (Article 33 requires notification within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals) and, where the risk to individuals is high, the affected individuals themselves (Article 34).

Finance
Should you have to cease trading temporarily, your finance representative must quantify the cost of this. They are also responsible for assessing any ransomware demand.

Employee communications
Employee communication must be carefully managed. Staff need to know what is going on if you stall operations, but they must also be mindful of what they post on social media, for example, so that details do not reach the attacker or the press before you intend them to.

Press office
They manage client-facing and public-facing communications. You might choose to inform the media the moment an incident has happened or wait until you are in control of the situation.

BCP (business continuity)
Cyber incident response work must align closely with disaster recovery and business continuity; everything is interrelated.

Security Operations
They support the initial detection and triage of an attack, supporting and advising the activities required to rapidly contain and eradicate the threat.

IT Operations
Last, but not least, the IT operations team supports any containment work required at the infrastructure level and is responsible for the recovery of systems.

You need a diverse team prepared and ready to respond the moment something happens. Preparation is key: everyone involved (primary and secondary) must have sufficient training to confidently carry out their role. They must also be clear on their decision-making responsibility.

Regular tabletop exercises help the team work through scenarios. Together, they discuss how they would react in a real incident. Practice like this should be a continual activity.

Trained and ready for an attack, your cyber incident response team will know what to do and be less likely to panic.


How to create your cyber incident response plan

Firstly, understand the purpose of your plan. This is the document you will grab the moment someone detects a significant cyber incident. It must be familiar and always accessible to your entire incident response team, including when your own systems are unavailable: keep a copy (printed, or on an offline device) that does not depend on the network or identity provider under attack, otherwise a ransomware incident can lock you out of the plan itself.

Your cyber incident response plan should be concise. Using bullets, tables, and workflows, your team can reference it quickly and easily. Since it links to further important documents, such as your disaster recovery plan, having all of your materials in one place is incredibly valuable.

When we help organisations create their cybersecurity incident response plan, we recommend that it should be no more than 12 pages. One crucial point: do not just create it and file it away. Your team must keep it current, reviewing it after every exercise and every real incident. Outdated contacts and old information will cost your business dearly in the event of an attack.


Example cyber incident response plan checklist

We recommend having four key areas within your plan. Other business-specific sections might also be helpful.

1. Team roles and responsibilities

The first part of your plan documents who does what. This can seem straightforward, but make sure you consider out-of-hours incidents too. There could be certain situations where you would delegate decision-making to another role. This must be clear.

Everyone in your team must understand what they are responsible for. You do not want overlap or risk duplication at a critical moment.


2. Incident reporting procedure

Often overlooked, this part of your plan is crucial to get right. Errors can lead to further damage or miscommunication.

For example, consider an incident where you believe an attacker has gained access via a user account. Gathering everyone on a call, including the owner of the compromised account, could let the attacker join too, because they control that account's mailbox and calendar and will see the invite. They would then know what you had discovered and could adapt their actions, perhaps accelerating their attack or moving to a different user account. Your reporting procedure should therefore specify an out-of-band channel, agreed in advance, that does not rely on the possibly compromised environment.

Another harmful instant response is to restart the malfunctioning PC. A reboot destroys the volatile evidence your incident response team needs to understand what happened: memory contents, running processes and their command lines, and active network connections. Logs written to disk usually survive, but they can rotate, and an attacker who still has access can delete them. Knowing how to avoid knee-jerk reactions like this should form part of your security awareness training: isolate the machine from the network if you must, but do not power it off or reboot it until the responders say so.
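To make the "do not reboot" advice actionable, here is an added example of a first-responder collection script for a Linux host (it is not from the original post or from Nettitude). It captures the volatile state that a restart destroys, in the order of volatility, and seals the output with a SHA-256 manifest so the evidence can later be shown to be unchanged. The evidence root path and the `IR_COLLECT_NOW` switch are assumptions for illustration; any command missing on a minimal system is skipped rather than aborting the collection.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): capture volatile evidence from
# a suspected-compromised Linux host BEFORE any containment step that reboots
# or powers off the machine. Assumptions: the evidence root ($1) is a writable
# path such as a mounted USB drive (hypothetical default under /tmp for demos).

# Prefer GNU sha256sum, fall back to shasum (macOS/BSD); both support -c.
hasher() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

collect_volatile() {
    local root="${1:-/tmp/ir-evidence}"
    local host; host="$(uname -n 2>/dev/null || echo unknown-host)"
    local dir="${root}/${host}-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dir" || return 1

    # Most volatile first (RFC 3227 order of volatility). Each command may fail
    # so that one missing tool does not lose the rest of the collection.
    date -u +"%Y-%m-%dT%H:%M:%SZ" > "$dir/00-collection-time.txt"
    uname -a > "$dir/01-uname.txt" 2>&1 || true
    ps -eo pid,ppid,user,lstart,etime,args > "$dir/02-processes.txt" 2>&1 || true
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$dir/03-sockets.txt" 2>&1 || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap > "$dir/03-sockets.txt" 2>&1 || true
    else
        cat /proc/net/tcp /proc/net/tcp6 /proc/net/udp > "$dir/03-sockets.txt" 2>&1 || true
    fi
    who -a > "$dir/04-logged-in.txt" 2>&1 || true
    cat /proc/modules > "$dir/05-kernel-modules.txt" 2>&1 || true
    cat /proc/mounts > "$dir/06-mounts.txt" 2>&1 || true
    # On-disk logs survive a reboot, but snapshotting them now guards against
    # rotation or deliberate wiping by an attacker who still has access.
    tail -n 500 /var/log/auth.log /var/log/syslog > "$dir/07-recent-logs.txt" 2>&1 || true

    # Seal the evidence: hash manifest, then make everything read-only.
    ( cd "$dir" && hasher [0-9]*.txt > MANIFEST.sha256 ) || return 1
    chmod a-w "$dir"/*.txt "$dir/MANIFEST.sha256"
    printf '%s\n' "$dir"
}

# Returns 0 only if every collected file still matches the sealed manifest.
verify_evidence() {
    ( cd "$1" && hasher -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Source this file and call collect_volatile, or run it directly with
# IR_COLLECT_NOW=1 ./collect.sh /mnt/evidence
if [ "${IR_COLLECT_NOW:-0}" = "1" ]; then
    collect_volatile "$@"
fi
```

Note the two things a reboot would have cost you: the process list and socket table are gone after a restart, and the manifest is what lets you show a regulator or insurer that the snapshot was not altered afterwards. On Windows the same ordering applies using Get-Process, Get-NetTCPConnection and a memory capture tool, before anyone touches the power button.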

Again, consider out-of-hours situations too. How would the reporting procedure change and what would the escalation look like?


3. Response process

Having confirmed and validated the incident, your response team must know what to do next. We use playbooks to help our clients create effective processes at this stage. Workflows are incredibly useful as they guide every eventuality:

“If this happens then do that next…”

You will want to prioritise resources to the most important areas of your business. To do this, you must understand where your critical data sits in your system. Too many businesses remain unclear on this point.

Once you have located your critical data, be clear about how the incident might risk it and scale your response accordingly. Include communication workflows in the plan too. Who should receive what information and when?


4. Audit and tracking process

Your regulatory bodies will want to know what has happened, as will insurance companies. They need to understand how you managed the situation and what you are putting in place to mitigate the risk of a future incident.

Make this part of your cyber incident response plan and gather the essential information as you progress: a timestamped record of what was observed, what was decided, by whom, and what was done. Reconstructing this afterwards from memory is far less reliable, and far less convincing to a regulator or insurer.

Finally, once you have fully responded to the incident, know when to close it. Set criteria in your plan to determine this, for example confirmed eradication of the attacker's access, restored services, completed regulatory and customer notifications, and a post-incident review scheduled.


What to do next?

As a specialist cybersecurity business supporting organisations all over the world, Nettitude can help you improve your cyber incident response. Whilst prevention is always better than experiencing an attack, having an efficient process in place, with a team ready to react, drastically reduces the potential impact on your organisation.

If you need help forming and training your team or guidance on creating your cybersecurity incident response plan, we can support you. For example, we run tabletop exercises to help various stakeholder levels prepare.

Having completed an onboarding process and become familiar with your systems, we are ready to hit the ground running, should you face a serious incident. We also offer emergency incident response services if you do not know where to turn.

Should you need support, please get in touch.
