Why it's critical to have an incident response plan [Q&A]
Recent research carried out by IBM found that organizations with regularly tested incident response plans had a $2.66 million lower data breach cost than organizations without them.
We spoke to Adam Scamihorn, product director at InterVision, to find out why every enterprise needs to have a strong incident response plan in order to face up to growing security threats.
BN: What are the key components of an incident response plan?
AS: Incident response plans are a critical component of any company's cybersecurity strategy. These plans outline a step-by-step process to detect, respond to and recover from a cyberattack. Specific details may vary depending on an organization’s size, industry and specific risks, but incident response plans typically share a few key components.
Plans should have a clearly defined purpose and scope, including the types of incidents they cover -- data breaches, DDoS, malware infections and network intrusions, for example. A plan should include a goals and objectives section with information on protecting sensitive data and minimizing damage, reducing downtime and restoring normal operations as quickly as possible.
Companies must form an incident response team (IRT) and add their contact information, roles and responsibilities to the incident response plan. Teams should include personnel from communications, executive management, HR, IT and legal departments.
To help IRTs determine appropriate resource allocations and responses for each incident, plans need:
- A classification system to categorize incidents based on their severity and impact.
- An outline of the procedures, tools and channels used to detect and promptly report security incidents via monitoring logs, network traffic and systems.
- A structured and phased approach to handling the situation, breaking the process down into distinct phases including preparation, identification, containment, eradication, recovery and lessons learned -- with detailed guidance on the steps and actions of each stage.
- Specific criteria and procedures for escalating an incident to higher management or external entities such as incident response service providers, law enforcement and regulatory bodies.
- Procedures for analyzing and investigating incidents, including collecting and preserving evidence, conducting forensic analysis and identifying root causes -- crucial for improving future security measures.
- Documentation of the best practices for recovering affected data, networks and systems, whether that involves restoring from backups, patching vulnerabilities or verifying system integrity before bringing them back online.
Everyone involved in the incident process, from the IRT to executives, should have clearly defined roles and responsibilities to ensure everyone understands their tasks and expectations. Because communication is critical, the plan should include a reporting process outlining internal and external expectations, including communication channels, key messages and contact lists -- and protocols for notifying stakeholders like customers, employees, the media, partners and regulators. Remember, after a breach occurs, a legal representative must become involved to ensure all public-facing communications meet relevant regulations.
Once the crisis passes, companies should conduct specific post-incident activities, including developing a post-incident analysis, documenting lessons learned, updating security policies and procedures and implementing necessary improvements to prevent similar future incidents.
Schedules are important, too. Companies should have a schedule for training and awareness programs for all employees to ensure everyone understands their roles and responsibilities and is kept up-to-date on emerging threats and best practices. Another important schedule is one for regular incident response plan testing and exercising, whether it's tabletop exercises, simulated incident scenarios or penetration testing, to validate the plan’s effectiveness and identify opportunities for improvement. The third important schedule? A process for regularly reviewing and updating the incident response plan to reflect evolving technology, emerging threats or changing organizational structure.
BN: What are some of the benefits that a plan offers?
AS: The benefits of an incident response plan are invaluable. This plan minimizes a network breach’s impact and reduces downtime by providing a roadmap for organizations to quickly respond when they identify a threat. The cost savings are enormous when organizations minimize downtime and resume normal operations with less disruption. Companies realize tremendous financial benefits when plans include artificial intelligence (AI) and automation to help detect and mitigate threats. According to the IBM report on the cost of a data breach in 2022, companies using AI and automation to detect, respond to and recover from cybercriminal activity save an average of $3 million more than organizations without that technology. A company letting its customers and stakeholders know it has an incident response plan -- and disaster recovery plan -- increases confidence and builds trust. This foresight shows the enterprise takes cyberthreats and cybersecurity seriously.
BN: How do you start to develop an incident response plan?
AS: One of the most critical components of developing a robust incident response plan is putting the right team together and getting the C-suite on board. Before you even start planning, you should conduct a risk assessment profile to identify potential threats and vulnerabilities and their possible impact on the organization.
You need to define and establish the objectives and scope of your plan -- identifying the incidents it covers, the systems and data it protects, and the desired outcomes in terms of minimizing damage, reducing downtime and restoring operations.
Once you have those pieces in place, your team should work to develop and document step-by-step procedures for each phase of the incident response process, defining clear actions, tasks and responsibilities for each phase. And since cyber incidents aren’t one-size-fits-all, you should consider the different types of breaches and tailor your procedures and responses accordingly.
The next steps mirror the key components of your incident response plan. You must establish communication protocols, test, adjust and update the plan as needed, document lessons learned, and train your employees to maintain their awareness of emergent threats and best practices.
Organizations without a chief information security officer (CISO) may need to consider the utility of a third-party managed service provider (MSP) to lead the incident response plan process. These partners can aid in strategizing as well as executing the plan, allowing you to rest assured that all disaster recovery protocols are observed.
BN: Which areas of the business need to be involved?
AS: Perhaps a better question is which area of the business shouldn't be involved or represented in your IRT. This team should include a C-suite leader, plus IT, legal, public relations and security representatives, as each department brings its own expertise. Everyone should collaborate closely to ensure smooth execution of the plan, including seamless communication of relevant information with all necessary stakeholders.
BN: How important is it to review and test plans regularly?
AS: The cybersecurity landscape constantly evolves, with new threats, attack techniques and vulnerabilities emerging regularly. Regular plan review and testing is critical because it helps IRTs and their organizations stay updated on the latest trends and adapt their response strategies accordingly. Plus, while a plan may look great on paper, only practical testing can gauge its true effectiveness and identify any bottlenecks, communication flaws or procedural flaws that could hinder an effective response. These reviews and tests, whether via tabletop exercises or simulated scenarios, allow organizations to fine-tune processes, optimize workflows and improve response times.
Every member of the IRT benefits from consistent testing, too, as it ensures everyone knows their roles and the overall process while also helping cultivate confidence, improving coordination and collaboration, and ensuring everyone can execute their responsibilities effectively when an incident inevitably occurs. Also, many industries and regulatory frameworks require organizations to have a documented and tested incident response plan. So this regular testing demonstrates compliance and provides evidence of an organization's commitment to security and risk management.