In today’s complex cybersecurity landscape you need a real plan ready to execute when an incident occurs. An incident response plan is a written and tested set of policies and procedures for reporting, identifying, containing, and eliminating cyberattacks. Its purpose is to let an organization detect and halt an attack quickly, minimize damage, speed recovery, and prevent the same kind of attack from succeeding again.
Do you have one that you share, and review regularly, with your customers? If not, create one as soon as possible. Getting caught without a plan puts the business relationship, and possibly your reputation, at risk. Even if you already have one, the sample incident response plan outline below can serve as a starting point or as a checklist to compare against your current plan.
Identify, Assess and Contain
This first step is critical to keeping the trust of your customer and to minimizing the damage caused by the breach.
- Identify the internal and external team that will work the response (CEO, CFO, insurer, lawyers, etc.)
- Identify what happened and where it came from
- Contain the incident and protect other systems and critical components; preserve logs and affected systems as evidence before rebuilding or wiping anything
- Assess the impact in terms of loss (confidential information, financial impact, reputation loss, etc.)
- Limit the incident’s impact on the organization and its customers
Recovery and Mitigation
Next, the steps you take to recover and mitigate damage depend on the severity of the attack: how far-reaching its effects are and how many users, systems, and locations are affected.
- Recover from the incident: restore the systems and the environment to a known-good state
- Mitigate the damage caused by the incident: record what you did to reduce the loss or impact and what changes will keep it from happening again
- Determine how the incident occurred (root cause, not just the symptom)
- Determine who initiated the incident
Notification (as required)
In some cases authorities, regulatory agencies, or other organizations must be notified, particularly if sensitive data may be at risk or if the full scope of the attack cannot be known immediately. Many breach notification requirements run on a clock that starts at discovery, so know your obligations and deadlines before an incident, not during one.
- Notify any required regulatory agencies
- Notify law enforcement agencies (as appropriate)
- Notify affected customers, vendors, and partners
It’s important to document every step and every action taken during your response. Investigators, lawyers, or regulators may need this information later, and it also protects you from potential liability: you want to be able to prove what you did and did not do, and when.
- Document all events surrounding the incident, including potential threats and the organization’s response actions
- Document all steps taken in the incident response report
- Update your incident response plan with any lessons learned
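The phases above produce one artifact that investigators, lawyers, and regulators will ask for: a timeline of who did what, and when. As an added illustration (not code from the original article or from CompTIA), the following Python sketches an incident record that logs each action under one of the plan’s phases, chains the entries with SHA-256 so later alteration of the record is detectable, and reports which phases have no recorded action. The phase names, field names, and the sample incident entries are assumptions made for the example.

```python
"""Incident record with a hash-chained timeline.

Added example, not part of the original article. The phase list, field
names and sample entries below are assumptions chosen for illustration.
"""
import hashlib
import json

# Phases taken from the plan outline above; names are an assumption.
PHASES = ("identify", "contain", "assess", "recover", "mitigate",
          "notify", "document")

GENESIS = "0" * 64  # "previous digest" for the first entry


def _digest(body: dict) -> str:
    """Canonical SHA-256 of an entry body (keys sorted, no digest field)."""
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class IncidentRecord:
    def __init__(self, incident_id: str, reported_by: str):
        self.incident_id = incident_id
        self.reported_by = reported_by
        self.entries: list[dict] = []

    def log(self, when: str, phase: str, actor: str, action: str) -> str:
        """Append one timeline entry; returns its digest."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "time": when, "phase": phase,
                "actor": actor, "action": action, "prev": prev}
        entry = dict(body, digest=_digest(body))
        self.entries.append(entry)
        return entry["digest"]

    def verify(self) -> bool:
        """True if every entry's digest and back-link still check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def missing_phases(self) -> list[str]:
        """Phases of the plan with no recorded action (gaps in the report)."""
        seen = {e["phase"] for e in self.entries}
        return [p for p in PHASES if p not in seen]

    def report(self) -> str:
        lines = [f"Incident {self.incident_id} (reported by {self.reported_by})"]
        for e in self.entries:
            lines.append(f"{e['time']}  [{e['phase']:<8}] {e['actor']}: {e['action']}")
        lines.append("chain intact: " + str(self.verify()))
        return "\n".join(lines)


def build_sample_incident() -> IncidentRecord:
    """Constructed sample timeline (fictional incident, fixed timestamps)."""
    rec = IncidentRecord("INC-0001", "help desk")
    rec.log("2024-01-05T09:12Z", "identify", "SOC", "phishing report; credential reuse on VPN")
    rec.log("2024-01-05T09:40Z", "contain", "IT", "disabled account, revoked VPN sessions")
    rec.log("2024-01-05T10:05Z", "contain", "IT", "preserved VPN and mail logs to evidence share")
    rec.log("2024-01-05T11:30Z", "assess", "IR lead", "one mailbox accessed; no file shares touched")
    rec.log("2024-01-05T14:00Z", "recover", "IT", "password reset, MFA re-enrolled, host reimaged")
    rec.log("2024-01-06T09:00Z", "mitigate", "IT", "MFA enforced on VPN for all accounts")
    rec.log("2024-01-06T10:00Z", "notify", "Legal", "customer and cyber insurer notified")
    rec.log("2024-01-08T16:00Z", "document", "IR lead", "final report filed; plan updated")
    return rec


if __name__ == "__main__":
    print(build_sample_incident().report())
```

Because each entry carries the digest of the one before it, editing or deleting an earlier line changes every digest after it, so `verify()` fails and the record cannot quietly be “cleaned up” after the fact. `missing_phases()` is the quick check that the report covers every step of the plan before it goes to a regulator or customer.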
Once you complete your plan, test it. Run tabletop exercises, or even stage a mock incident, so you and your team know the plan before an emergency. You can never be 100% ready, but that is far better than being caught off guard in a real incident with no one knowing what to do or how to react.
Finally, make sure your customers and your own team never assume that nothing is going to happen, or that there will be time to prepare later. The last thing you want as a trusted IT and business partner is to be unprepared when one of your clients needs you.
To quote Benjamin Franklin: “If you fail to plan, you are planning to fail!”
Want more ideas on how to plan for a cybersecurity incident?
Check out CompTIA's Data Breach Response Plan!