Keys to Create a Cyber Security Incident Response Plan

Create a playbook that outlines cyber incident scenarios and the responsibilities of key stakeholders.
Implement alternative communication protocols and alert systems for when normal communication channels are compromised.
Ensure your response plan includes necessary third-party services who can help reinstate your operations.

Disaster response plans are well-established in most industries. These may include procedures for maintaining or restoring normal operations interrupted by extreme weather, energy blackouts and breaks in the chain of command. It is vital that companies include potential cyber breaches in their business continuity or disaster response plans.

Yet many businesses are ill-equipped to respond to this sort of crisis. According to one survey, just 44% of businesses have established plans for preventing and responding to cyber security incidents.¹ This lack of preparedness is certainly a factor in cyber related financial losses, which topped $1 trillion globally in 2020.²

Criminals are learning to target specific types of businesses, sometimes through methods that require very little technical expertise. Instead, they can exploit human behavior by manipulating employees through social engineering tactics. This means decision-makers need to incentivize and train their employees to be watchful for signs of cyber crime.

But no organization should assume it can deflect every cyber crime attempt. Response plans that map out communications and recovery processes after a cyber incident are essential to restoring normal operations. As business operations become increasingly digitized and complex, criminals are developing new tactics that exploit these changes.

While each company’s response plan will be unique, here are some guiding principles for an effective plan.

Preparation is key to an effective response

Cyber incident response plans depend on an accurate visualization of the company landscape and the parts that would be most vulnerable in different situations. Businesses should also establish command structures and communication protocols, prioritize data and key systems, and formalize agreements with outside experts, such as lawyers or cyber recovery specialists. They should also determine which decision-makers should have access to the response plan, possibly including external stakeholders such as vendors, customers or banks.

Playbooks detailing the response should be provided to all stakeholders, perhaps in hard copy in case digital systems are compromised. Many cyber incidents are exacerbated when company leaders are simply unable to consult their playbooks or make contact with other decision makers through alternate communication channels.

"Strong communications protocols may be the most critical element of an effective cyber response effort."

Response plans should not be static. They require regular updates, especially if a company has weathered a cyber incident. The post-incident forensics provide opportunities to review the effectiveness of a company’s response, and to gather information about how and where cyber criminals were able to breach its systems. Moreover, criminals often re-target a company after one successful breach, which makes the review and revision process particularly important.

Detect the breach and contain the damage

Cyber incidents often begin as highly localized intrusions, with a single user or device being compromised and used as a jump-off for lateral movements through networks and other company systems. Rapid response that identifies and isolates the affected devices or networks can greatly contain the damage.

The response will likely hinge on how robust your security information and event management tools are, which can issue alerts when anomalous behavior is detected. When an actual incident is underway, security personnel need to determine what parts of the network are infected and which can still be protected from criminal activity. If a breach is serious and insufficiently contained, the organization must be ready to pivot quickly to damage control.

Rely on strong communication protocols

The effectiveness of internal and external communication — or lack thereof — will likely determine the overall success of the incident response and the severity of the fallout. Company decision makers and employees, external stakeholders and independent experts must be accessible through uncompromised communication channels. The organization’s legal and compliance teams may be especially critical participants, since they can help make sure remedial steps are not violating any regulations or laws.

"Every organization with a digital presence is vulnerable to cyber crime and should incorporate responses to these emergencies in their disaster response plans."

All stakeholders need regular updates, but keeping them looped in when normal communications are suspended or compromised can be a challenge.

A simple — and cost-effective — solution can be the maintenance of call trees that log additional contact information for every member of the response team. Some organizations have leveraged social media when ransomware or other malicious code has left company devices inoperable. An alert system that operates on a channel not tied to any normal organization networks can also enable effective response.

As companies come to depend on widening ecosystems of partner organizations, vendors, service providers and customers, effective communication protocols also must extend to the outside world. Response plans should include alternate methods of communicating with law enforcement, banks and all types of third parties, and contain guidance on messaging that concisely describes an incident without revealing sensitive information or engaging in speculation about the nature of the event.

Restore systems and data and remediate with forensics in mind

Once company operations are restored, all vulnerabilities exploited by the cyber criminals should be remediated. Simultaneously, a thorough report on the incident, including an assessment of how well the company responded, should be created and reviewed. An incident report based on high-quality forensics can greatly diminish future threats, especially if the organization uses the report to inform employee training and awareness education.

If data has been lost or compromised, backups and restoration are also critical, especially if any third-party assets have been affected. The primary objective of incident response is to restore normal activity as quickly as possible, but here too, forensics can provide improved solutions for storing and protecting critical company data.

Ultimately, recovery is incomplete if it does not bolster the organization’s future preparedness. While cyber incidents may be impossible to stop, the most effective companies will learn from their mistakes and use them to make their response plans even stronger.

The following actions can help most organizations future proof new or existing response plans:

Map and identify all aspects of company systems
Establish protocols for breach response
Develop a communication plan that includes contact information for law enforcement or external professional services
List all key vendors and any services needed to restore operations
Include forensic auditing processes
Test the response plan regularly, using a variety of incident scenarios