Cybersecurity is not only about prevention. It’s also about response. Think of it this way: You need to lock your doors, but you also need to know what to do if and when someone picks the lock. That’s why it’s critical to have a Cybersecurity Incident Response Plan.
What is incident response in cybersecurity?
Threats and vulnerabilities affect every business, regardless of size or industry. If you have sensitive information, chances are someone – either from the inside or the outside – wants access to it. Incident response is an organized approach to addressing and managing what happens after a cybersecurity event, whether that event leads to an actual security breach or not. Incident response should concern an entire organization (not just the IT department). In fact, the best incident response plans involve representatives from across the organization.
What is an incident response plan?
“If you fail to plan, you are planning to fail.”
-Benjamin Franklin
Ben Franklin’s observation on planning and failure is wise advice and the battle cry for incident response. Cybersecurity events happen, and how you manage one can have more of an impact than the event itself. An incident response plan functions like any other disaster or contingency plan. It should be the playbook for who handles what when – not if – a cybersecurity event occurs. Your plan should be thorough and complete, so you don’t have to build the plane while you’re flying it. A carefully reviewed plan should be executed without question when the need for it arises.
Who initiates an incident response plan?
A strong incident response plan aims to handle the situation in the least amount of time with the least cost to the organization, whether that cost is monetary or reputational. Therefore, the plan should be a function of the entire organization, not solely of the IT department.
The plan and the team should have representation from key groups in an organization, if applicable, in addition to IT, including legal, HR, communications, and C-suite. No matter who’s on the team, roles and responsibilities should be carefully delineated and determined in advance of an incident to rapidly execute your plan when needed.
How to build a cybersecurity incident response plan in 3 steps
The best way to tackle projects that involve many departments is to break them into smaller parts. Cybersecurity incident response planning is no different. The key to successful planning is to cover all your bases while keeping the scale of your planning digestible and straightforward.
To help you with yours, we turned to High Wire Networks CISO Phil Burnett’s webinar, “Top 3 Must-Haves in Your 2020 Incident Response Plan,” for guidance. Phil’s approach to building cybersecurity incident response plans is comprehensive and achievable, vital attributes of a successful planning effort. We’ve summarized his three-step program for you here:
STEP 1: SET A GOAL
Define what a successful incident response looks like.
Essentially, an incident occurs when control has been lost – whether that’s a perimeter breach or an authorized person doing something they shouldn’t, like tampering with records or intruding on privacy. The goal of incident response, then, is to effectively identify and remove these threats from your computing environment, or your organization in general, while minimizing the damage and restoring normal operations as quickly as possible.
Understand the vital parts of an incident response plan.
A successful incident response plan has three parts:
- You have to diagnose the problem in order to plan an appropriate response. Was it a weakness in your organization? Was it an insider threat? Was it a zero-day attack?
- When there is an incident, you need to repair the damage, plug the holes in the dam and stop the attack.
- After you’ve thwarted the attack, you need to take a step back and review what happened holistically. In particular, you should look at ways to shorten time to detection. Every minute makes a difference. In a large intrusion, hundreds of machines can be compromised every 60 seconds. You also want to consider what you can do to become a less likely target.
Calculate the impact of an incident (i.e., the value of a successful response).
To create a successful incident response plan, start with a business-impact analysis. Calculate how much revenue you would lose if you were down or degraded for a minute or an hour or a day.
Consider other impacts, such as damage to your reputation, which are equally costly and sometimes more so. As our COO Charles Hughes likes to say, “You gain value and reputation in drips and drops, but you lose it by the bucket.” Obviously, it’s hard to recover a bucketful of trust when you’re only refilling it drop by drop.
This exercise can help you figure out what’s at stake and prioritize the actions in your response plan.
STEP 2: MAKE A PLAN
Identify the most important data to your organization.
Inventory your organization’s most valuable assets (aside from your people) and where they are located. Not sure? Ask what makes you money. That’s the key: those are your crown jewels.
Take steps to protect your most important data, including:
- Mapping your network environment and applications with tools like NetBrain.
- Updating your databases.
- Keeping patches current.
- Instituting a vulnerability management program.
Assign an owner to your incident response plan.
Surprisingly, our CISO said that in every one of more than 100 incidents he’s been brought in on, the company had an incident response plan, but not one that was current or tested. They let it slide, and when they were attacked, they essentially were caught with their pants down.
To ensure this doesn’t happen to you, assign someone inside your organization ownership of the incident response plan with responsibility for making sure it’s current and viable. Better yet, make sure that more than one person takes ownership of the plan so that you’re not stuck if your designee is on vacation, is out sick or leaves the job.
Establish a schedule for testing your incident response plan.
As noted above, making sure your incident plan works is paramount, so testing is critical. HIPAA regulations require testing your plan at least once a year, but our CISO recommends testing twice a year for a more effective response. Testing can include a tabletop simulation or full failover. A tabletop simulation can successfully identify gaps that have emerged since the last full test.
Don’t panic — “fail fast and recover quick!”
If you experience an incident, don’t panic. Calling everyone and waking people up in the middle of the night is not a good plan. Instead, pause and take stock of what you know.
- Do you know what the problem is (e.g., a virus, ransomware, etc.)?
- What is the source of the threat? Was it from the web, an email, an insider threat?
- Where are the backups? Are they safe and secure?
- Who is your cyber insurance carrier? What are their requirements? Do they require a third party, such as Cylance or CrowdStrike, to run forensics on your systems before actions are taken?
Remember to snapshot the environment so you have a record when you file an insurance claim after the damage is assessed. Among the incidents our CISO was involved in, the actual cost of the response ranged from $50,000 to $80,000. This may not sound like a lot, but keep in mind that it’s an unbudgeted, unplanned expense. At a minimum, this loss will directly impact your operating budget. Or, if yours is a smaller business, it could be more than you can afford.
Evaluate your incident response plan annually.
In addition to testing, you’ll want to review your incident response plan. Even (or especially) if your plan has worked well in the past, it’s possible for your team to become complacent rather than vigilant. There’s almost always room for improvement. And, there may be new assets, threats or members of your response team that need to be considered as part of your evaluation.
STEP 3: ACT NOW!
Don’t be in denial about the risk.
With all the headlines about breaches, it should be clear by now that the risk to your business from cyberthreats is real. Ignoring it will not make it go away and will only increase the extent of the damage if/when your organization is compromised.
Consult with a CISO.
Not every business – or even IT leader – is expected to be a cybersecurity expert. The talent shortage is very real and the cyberthreat landscape is constantly evolving. This expertise may not be plentiful, but it is available to you on a fractional or for-hire basis from consultants and managed security service providers (MSSPs). A CISO can help you create an incident response plan for your environment.
Find a trusted cybersecurity partner.
Similarly, you can best manage your risk by contracting with a trusted MSSP, such as those who deliver managed cybersecurity services with Overwatch. Overwatch combines the most advanced AI-driven detection and response engine with a 24/7 security operations center (SOC) to keep your critical assets safe.
Ready to Simplify Cybersecurity?
Contact High Wire Networks to learn more about Overwatch today!
Email: overwatchsales@highwirenetworks.com
Call us: 630-635-8477