Preparing for a Security Incident: Building an Incident Response Plan

May 2, 2019

In the cybersecurity realm, a cyber incident is inevitable. In 2017, there were a number of high-profile security breaches and confidential customer data being leaked on the Dark Web. We have to ask ourselves...what can we do to protect our organizations?

In his book, Scouting for Boys, Robert Baden-Powell, the founder of the Boy Scouts, wrote:

“Be Prepared … by having thought out beforehand any accident or situation that might occur, so that you know the right thing to do at the right moment, and are willing to do it.”

Organizations no longer have the luxury of believing that security incidents can be prevented. Those that are prepared for an incident will fare better in damage control compared to those that don’t.

For some enterprises, this may mean engaging a cybersecurity firm for services such as penetration testing, or building a comprehensive incident response plan. At Herjavec Group, we highly recommend building an incident response plan to further reduce the impact of the incident as well as cut down on the time lost in detecting and remediating a potential attack. 

Consider the following 10 points when building a strong incident response plan:

The 10-Point Plan

1. Don’t wait for a breach to get ready.

2. Understand your business, and what is critical, important, and meaningful.

   Document where those important things are stored, how they’re protected, and what the cost and impact is if they’re lost or stolen.

3. Prioritize Security Awareness Training internally.

   Ensure that employees across all levels of your organization understand that it is their job to help support the company’s security posture.

4. Create policies, procedures, and guidelines for handling information security incidents.

   Create practices for communication by involving your legal departments, staff, law enforcement and customers. Develop and document escalation and authority structures.

5. Ensure you have visibility into the critical activity and behavior in your environment.

   Review how you are receiving and digesting this information, as well as which stakeholders within your organization receive, provide input on, or action the data.

6. Make incident detection and analysis a core competency for your security program.

   Visibility into the data and events occurring on the network and within the data repositories is critical since preventative controls can fail.

7. Develop and understand your capacity for response.

   Hire, contract, or allocate resources that are trained and have the necessary tools and experience in incident response. Develop a plan and process to understand and react to extended incidents, or major incidents that exceed the skill level and capacity of internal staff.

8. Practice and learn.

   Even if you are having regular “live-fire” incidents, review your plan yearly and do simulations to create a continuous improvement cycle.

9. Leverage expert advice and guidance.

    In addition to advice from a trusted security advisor, you can learn a lot from SANS Institute’s IR training or by reading resources like NIST’s Computer Security Incident Handling Guide.

10. Talk early, and often, with your executives, company staff, and contractors about your program’s readiness, plans for improvement, and your capacity for response.

     While discovering a security incident might be unwelcome, it shouldn’t be a surprise.

To engage with Herjavec Group for our Incident Response and Security Consulting services, please connect with a security specialist today.