All your questions answered.

In 2022, the average data breach in the U.S. cost $9.44 million. Ransomware attack? $4.54M.

If you don’t have a cool nine million lying around, there’s good news. Your risk can be (majorly) mitigated by implementing a layered cybersecurity approach and investing in Incident Response planning.

What is a Cybersecurity Incident Response Plan? 

An Incident Response Plan or "IRP" is a documented, formalized series of procedures to detect, respond to, and limit the effects of a destructive attack, ransomware demand or other cybersecurity incident.

Developing an Incident Response Plan makes recovery more efficient and minimizes impact on your business. - Ryan Weston, Chief Information Security Officer

The point? To prepare your company as thoroughly as possible so the plan is easy to implement when disaster strikes. (Notice we said “when,” not “if” – cyber incidents have become an inevitability. Why not prepare for it?)


Why Your Company Needs a Cybersecurity Incident Response Plan

When disaster strikes, time is of the essence. And when your systems are down, private company data has been exposed, or you have a ransomware request for ten million dollars, your ability to respond quickly and effectively will be determined by how well you’ve prepared. In short, having a well-tested plan can be the difference between a major interruption in business and rapid return to normal.

Adding to your IT budget isn’t always an easy sell. When it’s time to sell your CFO or board on the business case for spending precious time and resources on Incident Response planning, point them to compelling reasons why it’s a worthy investment. IRPs help businesses:

  • Mitigate the impact of an attack – or avoid it altogether. A clear, methodical approach to fall back on when disaster strikes will always have a better success rate than a panicked one. Being prepared for a variety of scenarios and risks means your company is likely to bounce back more quickly and efficiently.

  • Minimize costs. A well-thought-out IRP will diminish costly downtime: time your system is offline, unavailable, or not operating. IRPs help your company return to normal operations more rapidly, meaning essential business functions face shorter interruptions and less revenue lost. Per IBM, data breaches cost companies with an IRP 58% less than companies that did not have an IRP in 2022. In addition, cybersecurity insurance providers increasingly require that companies have a thoroughly executed and tested Incident Response plan to qualify for coverage – and receive a payout.

  • Maintain compliance. In highly regulated industries (think legal, financial, healthcare), failure to follow government-mandated security protocols and protect sensitive data can result in costly lawsuits and hefty fines. HIPAA, for example, requires healthcare providers to closely guard Private Health Information (PHI), ensure services are minimally disrupted, and “protect against reasonably anticipated, impermissible uses or disclosures.”

  • Preserve your reputation and maintain public trust. “Think of your customers: you’ll retain their trust if you respond quickly and efficiently,” says Drew Dunkel, ACS’ Director of Technology Solutions. “Your primary goal should be to protect your users and clients.” If a security breach is not handled rapidly and efficiently, your company risks damage to its reputation and losing clients. For larger public organizations, security breaches present massive risk of plummeting stock prices and loss of investor confidence.


  • Strengthen your overall security. “Planning for a breach or cyberattack inevitably brings to light the gaps in your existing systems and teams, whether you have a coverage issue or a knowledge issue,” says Weston, ACS CISO. Developing your plan may even help avoid future incidents through intelligence gathering and identifying blind spots.

  • Encourage a culture of cybersecurity. It’s a common myth that cybersecurity is the IT team’s job. Building your Incident Response Plan with a robust group of stakeholders from your company will further your culture of cybersecurity and help promote the message that it is everyone’s job.

  • Align business units and leaders. “IT teams and other company leadership often find themselves on different pages when it comes to priorities. Incident Response planning allows key members of the company to come together and formulate a strategic, mutually beneficial plan,” Weston says.


Getting Started with Incident Response Planning

1. First, identify your risk with an assessment. 

If your business doesn’t regularly perform cybersecurity assessments, start there. Identifying your security vulnerabilities is imperative to remedying them before they can be exploited.

2. Document and outline your network. 

Develop a network map and comprehensive lists of your assets and critical business systems. Understand your Recovery Time Objective (RTO): the targeted length of time between the breach or incident and resuming normal operations, and your Recovery Point Objective (RPO): the point in time to which data must be recovered after an incident. Measured in time (e.g. two days and three hours of data loss), your RPO defines how much data loss your company can tolerate before major harm occurs.
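RTO and RPO only become useful once you can measure an incident against them. The following is an added example, not code from the article or from ACS: given a constructed backup history for a hypothetical file server, it computes how much data a restore would lose (the age of the newest backup taken before the incident), how long systems were down, and whether both figures fit the stated objectives. It also audits the backup schedule itself, since the worst-case data loss is the longest gap between consecutive backups, which tells you whether the schedule can meet the RPO at all. All timestamps, objectives and the function names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup history (not from the article): completion times of
# nightly backups of a hypothetical file server. The 4 March run was skipped.
BACKUP_TIMES = [
    datetime(2024, 3, 1, 2, 0),
    datetime(2024, 3, 2, 2, 0),
    datetime(2024, 3, 3, 2, 0),
    datetime(2024, 3, 5, 2, 0),
]


def hours(delta):
    """Express a timedelta in hours as a float (None stays None)."""
    return None if delta is None else delta.total_seconds() / 3600


def data_loss_window(backup_times, incident_time):
    """Age of the newest backup completed before the incident, i.e. the span
    of data that is lost if systems are restored from that backup."""
    usable = [t for t in backup_times if t <= incident_time]
    if not usable:
        return None  # no restore point exists: the whole dataset is lost
    return incident_time - max(usable)


def worst_case_loss(backup_times):
    """Longest gap between consecutive backups. An incident landing just
    before a backup completes loses this much data, so the gap must not
    exceed the RPO for the schedule to be adequate."""
    ordered = sorted(backup_times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    return max(gaps) if gaps else None


def check_objectives(backup_times, incident_time, restored_time, rpo, rto):
    """Compare an incident's actual data loss and downtime against the
    organisation's RPO and RTO, and audit the backup schedule against the RPO."""
    loss = data_loss_window(backup_times, incident_time)
    down = restored_time - incident_time
    worst = worst_case_loss(backup_times)
    return {
        "data_loss_hours": hours(loss),
        "rpo_met": loss is not None and loss <= rpo,
        "downtime_hours": hours(down),
        "rto_met": down <= rto,
        "worst_case_loss_hours": hours(worst),
        "schedule_meets_rpo": worst is not None and worst <= rpo,
    }


def demo():
    """Constructed scenario: ransomware detected on 3 March at 14:30, systems
    restored and back in service at 20:00 the same day. The assumed
    objectives are an RPO of 24 hours and an RTO of 8 hours."""
    incident = datetime(2024, 3, 3, 14, 30)
    restored = datetime(2024, 3, 3, 20, 0)
    return check_objectives(BACKUP_TIMES, incident, restored,
                            rpo=timedelta(hours=24), rto=timedelta(hours=8))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the incident itself stays within both objectives (12.5 hours of data loss against a 24-hour RPO, 5.5 hours of downtime against an 8-hour RTO), yet the schedule audit fails because the skipped 4 March backup opened a 48-hour gap. That is exactly the kind of blind spot step 2 is meant to surface: an RPO on paper is only as good as the backup cadence that has to honour it, so the check belongs in routine monitoring, not only in post-incident review.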

3. Define the purpose and scope of your IRP.

Consider your objectives, how you will classify threats, and what systems and teams will come into play. Determine what qualifies as an “incident,” when the Incident Response Plan will be activated, and what criteria are used to determine activation. Be sure to keep in mind any regulatory, legal, or cyber liability insurance obligations.

4. Assemble your Incident Response team.

Define roles and responsibilities – and not just for your IT team. From compliance and legal to your cybersecurity team and public relations expert, you’ll need a wide variety of skills. We’ll delve into them more deeply in a later section of this article.

Align yourself with reputable partners you can trust. In case of an incident, you’ll rely on them to guide you through the crisis. Do your due diligence to ensure they can be counted on. - Drew Dunkel, Director of Technology Solutions

5. Discuss and outline procedures.

What will Cybersecurity Incident Response look like for your team in the thick of data breach or ransomware demand? What actions need to be performed, and who will be responsible for what? Some companies may choose to start with a template from a trusted source.

6. Document your plan in detail, with the goal of making sure no detail is forgotten.

Once your plan is agreed upon, it’s time to document, document, document. Every member of the Incident Response team should be crystal clear on their role in the plan’s execution. Your documented plan should include an executive summary, key definitions, specifics on roles and responsibilities, detail on how you will classify and respond to threats, compliance and legal obligations, an outline of actions that should be taken in the event of an incident, and contact information for all relevant parties, including the IR team and vendors. You may also want to include an appendix that includes visuals like a process tree and network maps.

And remember, a cyberattack could render critical systems like email, office phones, or VPN unavailable. Plan for alternative communications systems and contact information and yes – even several print copies of your IRP to be kept in easy-to-access locations.

7. Test: regularly, and at least once per year.

Incident Response isn’t a one and done deal. Your business can’t afford for this crucial document to gather dust. Per IBM, companies with an Incident Response team that tested their plan in 2022 saved on average $2.66M compared to those who didn’t.

An effective IRP will evolve as your business does, taking into account emerging risks and any changes to your technology or environment. There are several ways to test your IRP, from tabletop exercises (simply walking through a hypothetical incident with all stakeholders in the room) to simulating complex scenarios in an operational environment.

We get it. Incident Response planning is a daunting task. Our experts will streamline the process. 


Who are the key players in creating a Cybersecurity Incident Response Plan? 

“Incident Response planning isn’t just your IT or risk management team’s problem: it requires key players from all facets of your company,” Weston says. “To create a plan that will actually work, each business unit needs to provide input, including RTO and RPO. Done well, IR planning is all-hands-on-deck.”

Your company’s chief executives and board of directors for initial sign-off.

You’ll need their approval for expenses that may not be accounted for in your IT budget, and to gain the necessary buy-in from other leaders, departments, and employees. In case of a crisis, your company’s most senior employees will also need to be educated about the IRP’s parameters: Who will notify customers or employees? Who will speak to the media? Who will be responsible for legal and financial matters?  

Your IT and cybersecurity experts.

First, you’ll need an Incident Response Lead to guide and coordinate the IRP team and its members and serve as main point of contact for internal leadership. Other members of the team should be designated for privilege management and monitoring, investigation and auditing, documentation and cataloging, security controls and system access. In case of a cybersecurity incident, this team will be the front lines in your defense and remediation. (P.S. These individuals should also be responsible for monitoring and prevention – identifying vulnerabilities before they become a threat is always the best-case scenario.)


Legal counsel and compliance.

A representative from legal should be involved to provide counsel, while a designated compliance officer will be put in charge of communicating with regulatory bodies and ensuring all reporting requirements are being followed.

Your top communications, public relations, and social media leader(s).

If a reporter calls and says they’ve received a tip that your systems have been breached, who will respond and how? In the event of a cyber-attack, you may need to communicate with the public, press, employees, and customers regarding the incident, including how they are affected, what steps are being taken to remediate, and who to address questions to. You’ll need prepared crisis communication statements for a range of most likely scenarios, and you’ll need an expert to craft messaging on an ongoing basis while you investigate and contain the issue.

Human Resources.

A Human Resources representative should participate to determine how internal communication will be distributed in case of a data breach or malicious attack affecting employee payroll or data.

What are the steps to follow for Cybersecurity Incident Response?

ACS follows the SANS framework for Incident Response, which outlines the following six stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

  1. Preparation: If you’ve read this far, you understand this stage: creating your IRP, defining roles and responsibilities, and making sure all procedures are in place – tested and ready to go.
  2. Identification: Identifying the security incident through careful monitoring, then determining its scope and impact. (This is where you decide whether the event qualifies as an incident and whether to activate your plan.)
  3. Containment: Time to lock things down and enter damage control. Containment’s primary goal is to prevent further damage and limit the number of systems compromised. It may include disabling user accounts and isolating affected systems and machines to prevent identified threats from infecting other areas of your IT infrastructure.
  4. Eradication: Your Incident Response team may have resorted to temporary measures to limit the damage during the containment period. Next, it’s vital to implement permanent solutions, including securely removing any malware, patching and updating systems, and identifying and addressing newly uncovered vulnerabilities. In short, eradication is doing everything in your power to make sure that 1. You’ve covered all your bases and 2. This incident can’t happen again. 
  5. Recovery: After careful testing and validating that the issue has been completely eradicated, this stage involves restoring all affected systems, devices, and data to resume normal operations.
  6. Lessons learned: A crucial element, and one that’s easy to miss post-incident: careful analysis to uncover the root cause of the incident, determine the effectiveness of the IRP and the team’s actions, and fill any security gaps to prevent similar incidents in the future.

It's time to invest in Cybersecurity Incident Response.

When executed properly, IRPs save businesses millions of dollars and the tremendous cost of lost data, productivity, and public trust.

Your commitment to risk mitigation will help your organization before, during, and after a critical incident. You might even prevent one altogether.

Go from panicked to prepared with an expertly crafted Incident Response Plan.
