Typically, most cybersecurity measures organizations leverage are preventative. Obviously, every business desires to stop a breach before it ever happens. However, with cyberthreats as dynamic as they are, you can be as preventative as possible, but still fall victim to an attack. Cybercrime damages are expected to reach $6 trillion in 2021. This is where your Incident Response Plan comes in. Having this plan will give you added confidence about your overall security posture, as you are both actively trying to prevent attacks, but are also prepared when one does occur.
Preparation of the Incident Response Plan
The Incident Response Plan (IRP) is exactly what it sounds like – it is your organization’s plan for what you will do in the event of a cybersecurity breach. Your executive team should collaborate with your I.T. and cybersecurity teams so that you all have a good understanding of your technology infrastructure as it relates to a potential attack and ensure that everyone understands the expectations for your reaction to a security breach.
The IRP is unique to each organization, but there are some key items to include for everyone.
- Clearly define roles for response to the breach – decide who will be in charge of what aspect of the response to and remediation of the attack.
- Outline priority systems – If you are in the manufacturing industry, your priority systems may look different than those who work in a typical office building, for example. Establish what systems need to be back online first after the attack.
- Understand relationships between systems – If one system in your technology infrastructure needs another to function, it won’t be of much use to you if one comes back online after a breach, but the other is still offline. Establish an understanding of how your entire infrastructure works together to know how a breach will affect you, and how you will respond to it.
- Order of restoration procedures – Once you understand your various systems and their relationships, make a plan of the order in which you will be bringing systems back online.
When a Breach Occurs...
Once you have your overall response and procedural order planned out, when a breach occurs, you will need to detect where it occurred and analyze what the vulnerability in your infrastructure was, in addition to the steps above. This allows for both the containment and eradication of the threat, so that you can move forward from the breach. An important part of this step is ensuring the network is “clean” (I.e. that the breach has been eradicated) before bringing systems back online.
After the incident, you should discuss the cause of the attack (such as an end user clicking a malicious link, or a firewall breach), and go over steps to prevent the cause from happening again. These preventions should then be implemented into your incident response plan, as well as into your overall security operations.
Incident Response Plan Testing Is Key
It is important to test and refresh your incident response plan regularly, regardless of whether an attack has occurred. If you do “fire drills” of your IRP, you can discover hiccups in the plan when you can fix them, not when you are trying to remediate an actual cyberattack. Many organization's claim to have an IRP in place; however, it's not enough to just create the plan. You must test it to ensure all parties are comfortable with and understand their part in the process and update it consistently, especially as you add new tools or remove tools from the organization. Test multiple kinds of scenarios, including when certain individuals are out of the office, so that you can be prepared for any situation.
While preventative cybersecurity measures are an excellent and important part of your cybersecurity plan, being prepared for the worst allows you to minimize damage from a cyberattack, and feel that much more prepared in the ever-evolving world of cyberthreats.
