Getting Ready for the Next Attack – 6 Tweaks to Your Incident Response Plan

Simply put, incident response is the way a business responds to a cyber attack or data breach. An incident response plan aims to mitigate the amount of damage a company can potentially face and ensure a quick resumption of normal daily operations.

At the global level, a data breach costs about $3.86 million, and companies take an average of 69 days to contain a breach of this size. In contrast, organizations that were able to contain a breach within a month saved in excess of $1 million.

What Is an Incident Management Checklist?

An incident management checklist is a list of detailed steps an organization needs to take when containing a data breach incident. It is an integral part of a solid security information and event management (SIEM) program. A typical incident management checklist should specify how a given type of event is to be managed and how knowledge of the incident is to be reported onward. It should also tell employees where they can report such incidents.

Irrespective of whether a company deals with dangerous or hazardous situations, having an incident management checklist is of paramount importance. An incident management plan gives the organization a comprehensive guide on how to deal with incidents and problems if they occur. Here are some tweaks for your incident response plan.

Assemble an Internal Team

Organizations that deal with a significant amount of protected information are required to go beyond just directing questions on potential breaches to the manager responsible for the Written Information Security Plan (WISP).

These organizations need to set up a formal team to evaluate and respond to violations and guide the actions of the organization after protected information has been breached.

The size of this internal team will be dependent on the geographical reach of the company and its data loss exposure. That said, an incident response team usually includes:

  1. the manager responsible for the WISP
  2. internal and outside legal counsel
  3. an information technology manager
  4. a human relations manager
  5. corporate communications personnel
  6. government affairs personnel
  7. an operations manager

Identify External Data Security Resources

At times data breaches can progress to a considerable level before the organization can locate, evaluate and hire the specialists required to help it meet its incident-related obligations and limit its liability.

A robust incident response plan identifies every external resource, records complete contact information and also includes a backup resource in case the primary contact is unavailable.

In addition to appropriate legal counsel, the personnel below need to be identified and made available –

  1. IT and computer forensic experts who can image a compromised network, server or computer, analyze the extent of the breach and provide a quick fix.
  2. PR professionals who can assist with statements to the press and the general public. These professionals can also provide contacts within the press and media in case the breach is publicized.
  3. Professionals specializing in operations who can assist with the dissemination of information related to the response plan and its action items. These professionals can also help with website modifications or a temporary expansion of call center operations if needed to handle increased customer information requests.
  4. Insurance personnel who can rapidly identify any breach-related benefits available under general policies or specific cybersecurity policies, and assist with formal notices relating to loss claims.

System Backup and Recovery Processes List

The list below can help organizations come to terms with the technical aspect of a data breach. Here are some things to include –

  1. Procedure to disconnect from the internet. The plan should identify the person responsible for making the call to disconnect or to wait it out while monitoring the situation.
  2. Diagrams of the system configuration, which need to include IP addresses, device descriptions, operating systems, etc.
  3. Procedure to switch to redundant systems and preserve evidence of the breach.
  4. Detailed steps to be followed to test and verify the system backup for any compromise and to ensure that it has not been affected by systems suspected to be compromised.
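As an added illustration of item 4 (example code, not part of the original article), the script below compares a backup tree against a file-hash manifest captured before the incident and stored off the affected systems, and checks that the backup predates the suspected start of the compromise. The file names, contents and dates are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked so large backup artifacts need not fit in memory
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_backup(backup_dir, manifest, backup_taken, compromise_start):
    """Check a backup tree against a {relative_path: sha256} manifest captured before the
    incident; also flag a backup taken after the compromise began (it may carry attacker changes)."""
    report = {"modified": [], "missing": [], "unexpected": [],
              "taken_after_compromise": backup_taken >= compromise_start}
    seen = set()
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)   # planted or unaccounted-for file
            elif sha256_file(full) != manifest[rel]:
                report["modified"].append(rel)     # content differs from the known-good copy
    report["missing"] = sorted(set(manifest) - seen)
    report["safe_to_restore"] = not (report["modified"] or report["missing"] or
                                     report["unexpected"] or report["taken_after_compromise"])
    return report

def build_demo():
    """Constructed sample: two known-good files; on disk one is altered and one extra file is planted."""
    good = {"etc/app.conf": b"listen=443\n", "bin/run.sh": b"#!/bin/sh\nexec app\n"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in good.items()}
    on_disk = {**good, "bin/run.sh": b"#!/bin/sh\nexec app --debug\n", "bin/.extra": b"x"}
    backup_dir = tempfile.mkdtemp()
    for rel, content in on_disk.items():
        full = os.path.join(backup_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return backup_dir, manifest

def demo():
    backup_dir, manifest = build_demo()  # constructed dates: the backup predates the suspected compromise
    return verify_backup(backup_dir, manifest, datetime(2024, 3, 1, tzinfo=timezone.utc),
                         datetime(2024, 3, 10, tzinfo=timezone.utc))
```

In a real run the manifest would come from the last known-good state (generated and stored outside the systems being investigated), and a non-empty finding blocks the restore until the forensic team has reviewed it.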

The list above provides an organization with quick steps to preserve data that may have been compromised and to efficiently handle the data breach while ensuring systems are preserved via backups.

Track Fundamental Breach-Related Obligations, Rights, and Deadlines

A well thought out WISP needs to identify the major state and federal legal obligations that the organization needs to meet. In addition, the incident response plan needs to track every relevant data security deadline.

This is especially true for security provisions in any bilateral contracts between the organization and its vendor(s) that require added data security-related notice, task completion, and reporting deadlines.

Regular Reviews and Updates to the Response Plan

Equally important as having a WISP is a response plan that is regularly reviewed and updated. The suggestion is that the response plan be reviewed at least annually. For larger organizations, it is best to do it more frequently.

Changes in external and internal personnel, expiring vendor agreements, incorporation of new businesses, additional risk profiles and data security rights, new contracts, etc. are just some of the areas that need to be reviewed and updated. It is imperative that the incident response plan is modified to reflect the current situation at all times.

Considering that larger multi-location companies are exposed to potentially more impactful breach-related incidents, these organizations can consider implementing incident response simulations. This will help them to test the performance of the incident response team, the management and other business units in different breach situations.

Compile an Action Item Checklist

A well thought out incident response plan, especially for larger organizations, should contain a checklist of tasks or action items that dictates the steps an organization needs to take in the aftermath of a potential information security breach. These may include –

  1. recording the time and date when the breach is discovered
  2. activating external and internal response teams based on the nature of the breach
  3. establishing a quarantine area around breached systems and equipment to avoid any additional compromise
  4. conducting interviews internally with employees who have important information related to the breach
  5. ensuring IT and investigation personnel are available to conduct a thorough examination of the breach and affected systems
  6. listing the action items originating from the breach

It is of critical importance that the organization does not make any public statements related to the breach until it is confirmed that unauthorized access has taken place.

To conclude, organizations must avoid the mindset where they believe they are protected because a data leak or security breach incident cannot happen to them. The experience of a data breach is harsh. When a company is unprepared, the effects of the incident can be especially severe. A response plan ensures that when a breach does occur, the organization and its employees are well equipped to handle it.

Author: Limor Maayan