How to Design a Cyber Incident Response Plan for Your Business

Cybercrimes are constantly in the news, with giant corporations that most would believe have foolproof methods of protecting themselves from these types of attacks suffering great losses.

One of the latest large-scale incidents happened when hackers exposed personal records of more than 53 million current, former or prospective T-Mobile customers. The company announced that the breach didn’t uncover any payment information, but the extent of the damage is still considerable, and T-mobile is yet to face all the consequences.

According to a report by the Identity Theft Resource Center, data breaches are up 38% in the second quarter of 2021, with signs trending towards an all-time high for this year. This steady and constant increase in cyber attacks on businesses is obviously quite concerning, and it highlights the importance of preparedness for all companies, no matter how big or small.

Reports have shown that nearly 50% of small businesses claimed that they experienced a cyber attack last year. This is why it’s not only important to do everything you can to protect yourself from these types of attacks, but also to know what you need to do if your business becomes the victim of a cybercrime.

That’s where having a strong response plan comes into play.

A cyber incident response plan is a written set of guidelines that instructs teams on how to prepare for, identify, respond to, and how to recover from a cyber attack. A detailed response plan should include technology-related issues but also address the problems that other departments encounter, such as HR, legal and compliance, finance, customer service, or PR teams, among others.

Why Does Your Business Need a Cyber Attack Response Plan?

Time is of the essence when it comes to minimizing the consequences of a cyber incident and you want to do everything in your power to save your data. If a company does not have an incident response plan, the entire process of dealing with a cyber attack can become an even more chaotic and daunting experience that could last indefinitely.

Having a proper incident response plan in place helps companies make sure that their reaction to the attack is as swift and organized as possible.

Given that there are quite a few ways hackers can endanger your business, it’s crucial for your business to have a variety of incident response scenarios mapped out that cover the myriad types of cyber attacks that can occur.

Your response plan should indicate what steps to take in case of a data breach, an insider threat, social engineering attack, or a ransomware attack, for example, since the source of the breach and the outcome are often completely different based on the type of attack.

Be sure to identify your main cybersecurity risks and include them in your response plan to put your team in a better position to respond properly to any and all potential incidents and mitigate the risk of further damage.

How to Create Your Cyber Attack Response Plan

Before you start writing the actual guidelines, you need to go through the preparation phase. Of course, this entire process will depend on the needs of your organization; how big your business is, how many employees you have, how much sensitive data you store, etc.

However, we’re going to provide some general recommendations that should be applicable for just about any type of business putting together a cyber incident response plan.

Assemble Your Incident Response Team

As mentioned earlier, a cybersecurity incident doesn’t affect just your computers and IT infrastructure, it affects the entire company. That’s why it’s necessary to include at least one dedicated person from each department you identify as crucial when dealing with the aftermath of the attack.

Of course, you should start with your IT Security department and assign people responsible for discovering the source of the attack and containing it, as well as instructing other employees about what actions need to be taken. If you don’t have an internal cybersecurity team, identify the person in charge of contacting your outsourced security agency.

Cyber attacks can cause a lot of distress among your employees, especially if their own data or their clients’ data has been stolen. A designated HR professional should be able to handle most of the internal communications and employee concerns. Of course, people from your customer service team should deal with notifying and assisting your clients.

Considering that these types of incidents often get public attention, you should also have legal and PR professionals in the wings, ready to handle all external communications and related processes.

Identify Vulnerabilities and Specify Critical Assets

No matter how good your protective cybersecurity measures are, you need to assume that some vulnerabilities could potentially allow cybercriminals to infiltrate your network. If your biggest vulnerability is your employees, make sure to document that and improve your training and education procedures. Instruct them to keep an eye out for social engineering attacks and ensure that everyone follows the company’s password policy.

Specifying the most critical assets will allow the response team to prioritize their efforts in the event of an attack. If your team knows where you are most vulnerable and which assets you consider to be critical, they will be able to act quickly to contain and limit the consequences, since they can know what they are looking for and where they should probably be looking for it.

Identify External Cybersecurity Experts and Data Backup Resources

Whether you have your own IT security team or not, the scope of the incident could be so extensive that you would need an external expert to help audit and remedy the situation. Do your research to find a person or team you can rely on and contract their services to assist with fortifying security measures and with potential incident response aid.

You might also want to look for data backup resources and purchase enough space for all your crucial documents and information. Set up automatic backups and name the person or team in charge of this process as well.

A very important part of the entire process is responsibility; making sure that everyone in your company and beyond knows what they are responsible for and exactly what they need to do when such an event occurs.

Create a Detailed Response Plan Checklist

According to the 6-step framework that the SANS Institute published a few years back and has since remained the model for an incident response plan, other than the Preparation phase, there are another five crucial areas to plan around: Identification, Containment, Eradication, Recovery, and Lessons Learned.

• Identification: Identify the breach.
• Containment: Contain what was attacked in order to isolate the threat.
• Eradication: Remove all threats from your devices and network.
• Recovery: Restore your system and network to their pre-incident state.
• Lessons Learned: Understand what errors were made and what steps need to be taken to curtail future attacks.

Each of these phases consists of a few elements, and they often overlap, but it is essential that you go through all of them.

Design a Communications Strategy

Communication is crucial in the cyber attack aftermath because it’s the part of the attack that is going to be most visible to the public and your clients if you’re not doing it well.

When you design your crisis communication strategy, there are a few things you need to consider:

• Who do you need to notify?
• What public or government institutions do you need to contact?
• What is your deadline to report the incident?

Carefully analyze federal and state data breach laws to ensure you don’t miss any important steps when reporting the incident.

You also need to plan carefully at what point you should notify your clients, partners, vendors, and anyone else affected by the cyber attack.

If the cyber attack was serious, made the news, and a lot of different sources became aware of it, making a public statement is imperative. These types of situations need to be handled very carefully, as they are very sensitive and can lead to a tremendous amount of reputational fallout if you don’t handle it correctly.

Once again, the best course of action might be to hire an outside agency with experience dealing with these types of issues instead of trying to handle all of the PR efforts on your own.

Test and Regularly Update Your Response Plan

While it’s true that you can’t really test your incident response plan when there’s (luckily) no incident, you can create a test environment and try to execute your plan. This will allow you to notice any discrepancies or shortcomings and fix and rewrite your document accordingly and on time.

Depending on the frequency of regulatory changes and changes inside your company, revisiting the plan once or twice a year would ensure that it is always up to date and ready to be implemented when necessary. Ensure you also regularly update your security measures and keep up with the latest expert recommendations and best practices.

Naturally, if a cyber attack occurs, make sure to perform a detailed report to understand what went wrong and what changes you need to make to your plan to protect your company better from future attacks.

The Key Elements of a Cyber Incident Response Plan

Let’s look at some of the key elements a comprehensive plan should include. As always, note that some of these won’t apply to your business if you’re a smaller company, whereas some larger businesses might even need a more complex plan of action.

Identifying the source of the breach: Once you realize that your system has been breached, the first thing you need to do is to find out where the attack originated. Conduct a thorough investigation to identify the computer or network where the attack started.

Containing the breach and limiting additional damage: Computer viruses spread quickly and your security experts should do their best to isolate the infected devices and keep the damage as localized as possible.

Assessing the scope of damage: When you are certain that the breach is under control, it is time to examine your entire system and gauge the severity of the situation. The extent of damage will give you a clearer picture of what was affected by the breach and what your following actions should be.

Consulting your legal team and reporting the incident to appropriate regulatory agencies or officials: Seek advice from your legal team on complying with the laws and regulations related to a cybersecurity attack and how to report the breach. Confer with them about any legal implications that may arise from the incident.

Informing your insurer about the incident: If you have a cyber liability policy in place, contact your insurer to assist with the consequences of the attack. A comprehensive, first-party cyber liability policy covers your costs related to the incident, whereas a third-party policy covers the damages suffered by other affected parties. If you don’t have cyber insurance coverage or think you might be underinsured, now may be the right time to change that.

Notifying all affected parties: Once you have identified any third parties whose data might have been compromised, make sure to notify them right away. If you are not sure who was affected, ensure that you notify everyone who could potentially suffer any consequences from the attack.

Issuing a public statement and controlling a potential PR fallout: If the extent of the attack was significant and it affected other stakeholders in your company, the public is bound to find out about it. Make sure that you issue a timely statement to the public so that you can get ahead of and control the situation that follows.

Cleaning up your systems: When you have taken all the necessary steps to minimize the damage, you can start cleaning your systems, starting from the quarantined devices and networks that may require a complete overhaul.

Restoring lost data: Retracing the path and origin of the attack can reveal all the compromised data and indicate the approximate date of the attack. That information will help identify the most recent backup that was not affected and can be used to restore lost data that was, hopefully, backed up on other devices or systems.

Learning from the breach and strengthening cybersecurity protocols: By this time, you should already have a lot of information about what security areas you need to improve. Use the knowledge you gained during the recovery period to strengthen your policies and further educate your staff. It would also be a good idea to update your response plan accordingly and share your insights with your business network so that your partners can be prepared should they face a similar situation and need to get you involved.

Your incident response plan should be a living document that you can and should edit and refine regularly.

And while prevention and education should be the primary focus for any business looking to minimize the threat of cyber attacks, having a proper incident response plan that allows you to act swiftly and purposefully to make the best of the situation has become just as vital since, in today’s world, the chances of your company never experiencing a cyber attack are practically slim to none.