Fail to prepare and prepare to…you know how it goes.
Cyber attacks may be inevitable, but don’t underestimate the importance of a plan to follow during and after a breach. Enter incident response – a strategic approach that helps prevent (or, at the very least, limit) damage during and after cyber attacks. Effective incident response gives you the tools to get your business back up and running as quickly as possible.
A stellar incident response plan should include a playbook for who will do what during an attack and map out how you will communicate with customers and meet regulatory requirements.
Whether you’re starting from scratch or you’ve already made a plan, ensuring you are incident response-ready can be daunting. To lend a helping hand, Assured Intelligence has quizzed experts on what should be included as part of the perfect strategy.
Read on to find out what an excellent cyber incident response plan looks like.
Part of your incident response plan should include the ability to respond quickly. Time is crucial because every minute counts once you’ve been hacked, says Sabastian Hague, defensive content lead at Hack The Box.
With this in mind, he says every incident response plan must focus on finding the breach as quickly as possible and containing it effectively.
Good PR and a communications plan are important factors to consider following an attack. Mishandling communications could lead to major repercussions that can affect customer confidence, shareholder value and, ultimately, the viability of the business in the future, says Ryan Howell, senior team lead and security consultant at Prism Infosec.
“All too often, organisations think controlling the narrative is the key objective,” he says. In reality, ‘proactive’ businesses that ensure they update customers in real time as more information becomes known tend to come out with their reputations intact, he points out.
He cites the example of the Royal Mail incident at the beginning of this year, which shows “how drip-feeding information can show you are endeavouring to be open and honest about the breach.”
As part of communicating during incident response, you should also ensure you meet regulatory requirements, informing all relevant people of the breach within the set timeframes. UK regulator the Information Commissioner’s Office states that you should educate people on the “likely consequences of a data breach” and “the measures taken to mitigate any possible adverse effects,” says Howell. “Yet very few organisations do this, with most disclosing as little as possible – which is counter-productive.”
Cyber insurance is another element that needs to be considered as part of incident response. “It is common that a cyber insurance policy would cover the incident response, forensic investigation and recovery costs associated with an attack,” says Tom de Laet, incident response team lead EMEA at Check Point Software Technologies.
When winding insurance into your incident response, knowing what cover the company has, any relevant exclusions and policy terms is critical, says Edward Spencer, senior counsel at law firm Taylor Wessing’s cyber team. “Ensuring the incident response plan accords with the policy provisions – which may change on renewal – will limit problems if a claim needs to be made.”
You don’t want to lose access to your documents, either. Make sure a copy of the policy is available on a separate system or in hard copy, Spencer advises. “It is important to know who to make the relevant notification to very quickly. Waiting for the broker to confirm who the incident response provider is [provides] an unnecessary delay,” he adds. Good brokers will have ensured their clients are ready to hit the ground running and made the appropriate introductions in preparation for whenever a situation arises.
Once you’ve looked into the various aspects needed in incident response and added them to your budget, it’s time to create the plan. So, where do you start?
Howell says the UK National Cyber Security Centre (NCSC) provides some “excellent advice” on what should be included. “The preparation phase lays the foundations by outlining the tooling, resources, training and teams who need to be involved when an incident occurs.”
The responsibility for incident response depends on your organisation’s size, scope and structure. Ultimately, the board is responsible for cybersecurity, but everyone needs to work together for a successful response, says Hague. “This includes technical, PR, and legal teams, which creates a comprehensive, company-wide approach to potential threats.”
The incident response plan should set out a recommended outline for assessing, managing and responding to a security incident, says Matt Quezada, senior associate at Taylor Wessing’s cyber team.
The plan should include the contact details and the roles and responsibilities of your incident response team, including external advisers such as lawyers, forensic IT specialists, reputation management and insurers, says Quezada.
A response plan should also cover the full incident timeframe, clearly outlining the required actions. Immediate actions include notifying and assembling the incident response team, notifying insurers, making an initial assessment of the security incident and considering whether to seek assistance from law enforcement, says Quezada.
There are also several variables to consider ahead of time and ‘what if?’ questions to ask leadership, legal and technical teams, says Chris Harris, EMEA technical associate vice president of data security at Thales. These include whether or not to pay a ransom, he says.
Your incident response plan should fit the requirements of your specific business, and it’s important to test it before you need it. As part of this, you should start practising your response to a cyber attack. The NCSC has put together a guide for organisations on a budget called ‘Exercise in a Box’, which is worth exploring.
It’s a good idea to start with a “tabletop exercise”, says Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems. “This looks a lot like a board game, but instead of buying property or solving a murder mystery, it is a role-playing exercise that sees senior leaders run through scenarios and take action based on different cyber incident circumstances.”
Hague says tabletop exercises can be good fun, and you should try to make them enjoyable. He advises thinking of the exercise as a video game tutorial. “The more interactive and engaging it is, the better the learning and retention.”
Incident response is essential, and it makes sense to get ahead before you are breached. By preparing correctly for what really is inevitable, your business can ensure it is robust enough to withstand a cyber attack. Or, in other words, prepare not to fail.
Three things to do during an incident:

1. Stay calm. Panic can make a bad situation worse, says Hague. “Trust the incident response plan you have in place.”
2. Communicate. “Let your team and wider organisation know what’s happening and keep those lines of communication open,” says Hague.
3. Document everything. Keep track of every move you make. “It’s like breadcrumbs – you might need to retrace your steps to see where things went south,” Hague says.

Three things not to do:

1. Delay. “Companies often contact the relevant people two or three days after the incident has occurred,” says de Laet. “By then, the evidence is gone, and mistakes have already been made.”
2. Go rogue. This isn’t the time to be a maverick. “Avoid making impulsive decisions or going off-script. Stick to the plan and adapt out-of-the-box thinking only when absolutely necessary and in agreement with your team,” says Hague.
3. Point fingers. Blame games help no one. “Focus on solving the problem, not finding someone to pin it on,” says Hague.