Why Every Business Needs a Cybersecurity Incident Response Plan

Imagine if you knew someone was about to break into your house. With adequate time to prepare, you could place locks on each room, add sensors, and lock away your most valuable possessions. 

That’s what cybersecurity incident management enables for your business — the ability to prepare for the worst and, in so doing, minimize its impact. When it comes to cyberattacks, for most companies it’s no longer a question of if, but when.

Data breaches didn’t just increase in frequency last year; they increased in cost too. Per IBM’s 2021 Cost of a Data Breach Report, they carried an average cost of $4.24 million, the highest in 17 years. And in incidents where remote work was a factor, the average cost was approximately $1.07 million higher.

Globally, the average time an attacker has free rein inside a compromised environment before the incident is detected is 146 days. Some breaches go undetected for as long as 469 days. To make matters worse, 81% of these breaches are discovered through news reports, notifications from law enforcement, or external fraud alerts rather than by the victim organization itself.

Basic security practices are no longer sufficient. Your business needs to be resilient. And that requires you to be proactive — you not only need to actively manage risks, threats, and vulnerabilities, but you also need to plan for the worst-case scenario.

A data breach incident response plan can ultimately be the difference between a catastrophic breach and a manageable incident with minimal damage. By thinking through what happens in the event of an attack, you can ensure all involved parties know what to do. More importantly, a cybersecurity incident response process will prompt you to implement additional controls in advance, giving yourself greater recourse if and when your business does experience an incident.

But what’s involved in putting a plan like this in place? 

What is a Cybersecurity Incident Response Plan?

When your business suffers a security breach, an incident response plan essentially acts as a guidebook for not just the IT department but all key players in the company on how to respond to and manage the event. It clearly delineates roles, responsibilities, and a chain of communication. An effective response plan also details the security controls and protective measures to which your team has access, and how each should be applied. 

This plan typically encompasses the following scenarios: 

  • Ransomware attacks
  • Malware
  • Data leaks
  • Loss of sensitive information
  • Failure of critical software/hardware infrastructure
  • Unexpected/unplanned incidents

Typically, a cyber incident response process is built out from one of two established frameworks: NIST SP 800-61 or the SANS Incident Handler’s Handbook.

Why is an Incident Response Plan Important?

We’ve already described the increasingly hostile threat landscape facing businesses as we move into 2022. If protecting your business is not justification enough, you must also have a plan in place to comply with most regulatory frameworks and industry standards. Even if you operate in a sector where this is not a direct requirement, you must still contend with emerging legislation such as the California Consumer Privacy Act.

Some examples of frameworks that require an incident response plan include: 

If, after your business has suffered a breach, it is discovered that you did not have an established process in place, you may have to deal with significant regulatory penalties. This is in addition to reputational damage, loss of revenue, and litigation. In short, your business’s size and sector are largely irrelevant — you need an incident response plan.

What Are The Phases of the Cyber Incident Response Process? 

According to NIST, the incident response process consists of four key phases. 

  • Preparation: This is where you lay the groundwork for the rest of your incident response process. In addition to establishing preventative measures and controls, you must also determine what you need in terms of security tools. 
  • Detection and Analysis: Once an incident has been detected, how will you evaluate the severity and root cause? 
  • Containment, Eradication, and Recovery: How will your security or incident response team mitigate an emerging incident? How can you prevent it from causing further damage? Once all this is done, how do you get your systems up and running again? 
  • Post-Incident Activity: This includes generating incident reports, meeting with key stakeholders to determine lessons learned, and revisiting your incident response process to find opportunities for improvement.

The incident response lifecycle under SANS is more comprehensive. 

  • Preparation: As with NIST, this involves laying the groundwork for an effective incident response. This includes establishing a full map of your infrastructure, identifying your most critical assets, evaluating and mitigating risk, and defining a communication plan. 
  • Identification: This step corresponds to NIST’s second phase. When you identify a security incident, what process and tools do you have in place for evaluating it? Who are the key stakeholders? To whom do you assign clear roles and responsibilities?
  • Containment: Address the root cause of the incident. This may involve patching a vulnerability to eliminate an entry point, removing access from a bad actor, or air gapping an infected system.
  • Eradication: Next, flush the threat from your systems. The process here will vary depending on the nature of the incident; this step may not be necessary for incidents such as infrastructure failure. 
  • Recovery: Finally, this step involves a return to regular business operations. 
  • Lessons Learned: Reporting, meeting with stakeholders, and so on. Again, this corresponds to NIST’s final phase.

As you can see, both frameworks ultimately hit the same points. The only real difference is that SANS treats containment, eradication, and recovery as three distinct steps. As such, which one you use for your own incident response plan is largely a matter of preference and suitability.

Do note, however, that certain standards may require you to adhere to one or the other. 

How to Create a Cyber Security Incident Response Plan

Now that we’ve covered the basics of the incident response lifecycle, it’s time to start laying your own groundwork.

Preparation

This is the most important step, and it will serve as the foundation for everything else. NIST’s Computer Security Incident Handling Guide gives a comprehensive overview of everything involved in the preparatory phase. This includes, but is not limited to:

  • Ensure your entire organization receives proper training on security and incident response policies.
  • Ensure everyone in your organization understands their role and responsibilities in an incident.
  • Establish a comprehensive cyber incident response policy that summarizes the above.
  • Draft process documents that detail every phase of your incident response.
  • Establish a framework for running regular simulations and evaluations of your incident response plans.
  • Develop an information security policy.
  • Ensure you have visibility into and control over all critical assets.
  • Ensure you have proper data hygiene, and know where your sensitive information resides.
  • Establish a risk management strategy, including regular risk assessments.
  • Deploy the proper tools for monitoring, managing, and mitigating an incident.
  • Store all data and documentation related to your incident response plan in a central location, accessible to everyone who needs the information.
  • Determine all incidents your business may potentially face, and the flags that can be used to identify an emerging incident.
  • Prepare public statements and alert templates.
  • Establish a reporting and auditing process for incidents.
  • Identify key stakeholders, including regulatory agencies. Involve your legal and compliance teams in this stage.

Identification/Detection & Analysis

Provided you’ve done the necessary work in the preparatory phase, this step is relatively straightforward. Whether you’re leveraging automated threat intelligence or analyzing scan results, you will eventually detect signs that something’s wrong. This could be unusual behavior from a user, suspicious network activity, or something else entirely.

Once you’ve identified an emerging incident, the next step is to determine which incident response plan you should execute, and how that incident should be prioritized if there are multiple incidents taking place. You’ll also want to determine the following: 

  • When the incident first occurred.
  • How and where the incident originated. 
  • How the incident was discovered, and by whom.
  • The scope and severity of the incident’s impact. 
  • Whether the incident was the result of a vulnerability being exploited. 
  • Whether or not the incident has affected operations. 

Finally, once you’ve determined the source, scope, and severity of an incident, the last step is communication. Notify all relevant stakeholders, including employees, clients, leadership, and regulatory agencies.

Containment, Eradication, and Recovery

Here’s where you put the documentation you drafted in the preparatory stage into action. First, based on your evaluation in the previous step, you’ll want to determine your containment strategy. A scorched-earth approach is rarely justified, and often does far more harm than good.

Instead, you should take an even-handed approach to containment — NIST has provided some criteria you can use to evaluate how extensive your response should be:

  • The potential damage the incident may cause to your business.
  • Whether or not there is the potential for the theft of assets.
  • The importance of preserving evidence.
  • Whether or not the incident has impacted service availability.
  • The time and resources required to contain the incident. 
  • How long your containment will last. 

Once an incident has been successfully contained, the next step is to eliminate the threat that caused it. What this involves will vary greatly depending on the exact nature of the incident. In a ransomware attack, for instance, you might wipe compromised systems and restore them from a clean backup. 

Finally, once you’ve eradicated the threat, it’s time to get back to business as usual. The most important consideration in this stage is how you’ll ensure your business will not be compromised again in a similar fashion. By this point you should already have an idea of how the incident occurred — how will you prevent it from recurring?

Post-Incident

You’ve contained the incident, eliminated the threat, and more or less recovered. Now it’s time for reflection. Your post-incident activities should involve the following steps: 

  • Determine how you can identify and prevent incidents like this in the future.
  • Assess the extent and severity of the damage caused by the incident before it was contained and mitigated. 
  • Evaluate the effectiveness of your incident response plan, and determine if there are any weaknesses that need to be addressed. 
  • If relevant, notify legislative or regulatory bodies, per requirements. 

Closing Thoughts

Your business faces an unprecedented array of threats. If you’re to ensure business continuity and protect sensitive assets from being compromised, an incident response plan is a must. In addition to conducting drills every few months and evaluating your plan after each incident, we advise conducting an annual review where you examine:

  • Changes in business structure, regulatory climate, or infrastructure.
  • Bottlenecks in your processes. 
  • Effectiveness of employee training measures. 
  • Ease with which people adhere to your processes and policies. 
  • Emergence of new technologies or tools that may streamline or improve your incident response. 

Ultimately, if you take one insight away from reading this piece, let it be this — where cyber incidents are concerned, no business can afford to be complacent. Believing otherwise is a route to disaster. 

Are you looking for a better way to collect, analyze, and remediate risk within your organization? Book a demo and see how your company can use Centraleyes to gain a real-time snapshot into your GRC.
