How to Create a Cybersecurity Incident Response Plan: Top 5 Steps According to GetApp

Here are five simple steps to help you create a universal, effective cybersecurity incident response plan for any organization.







As enterprises move more of their operations online, cybersecurity risks multiply. According to GetApp's 2020 Data Security survey, 35% of responding companies experienced a data breach in 2020, and 28% faced a ransomware attack.



What would you do? Do you and your organization have a response plan?

We think we know the answer: according to an IBM report, only 26% of firms have a well-defined security response plan for data breaches and other types of cyberattacks. In this post, we will discuss what a cybersecurity incident response plan is and how it will benefit you. We'll also highlight five steps to creating an incident response plan and provide a range of resources to help you get started.



What is a cybersecurity incident



A cybersecurity incident is any event that violates an organization's IT security policy and puts sensitive data at risk, such as customer financial data. Malware infection, DDoS attacks, ransomware attacks, unauthorized network access, internal attacks and phishing are just some of the common types of cybersecurity incidents.



What is a cybersecurity incident response plan



A cybersecurity incident response plan is a set of instructions to help your employees identify, respond to, and recover from cybersecurity incidents.



Such a plan includes measures to follow to prevent cyberattacks, steps to take when a company is already facing an attack, and post-attack measures, such as informing stakeholders or reporting the incident to government agencies.



Why you need a cybersecurity incident response plan



Here are the main reasons why every organization needs a well-documented and regularly updated cybersecurity incident response plan.



You will be prepared to fight cyberattacks

With a response plan, you and your team will know exactly what to do. Everyone will have a documented role and their own responsibilities, so you won't need to issue additional instructions, and no time is lost to gaps in communication.



You will follow the rules

In the event of a security breach, you must fulfill many requirements, such as informing stakeholders and reporting the incident to the authorities. A response plan will help you track and adhere to these requirements. For example, the GDPR consumer data protection law requires you to report a security event within 72 hours, and the PCI DSS financial information security standard requires you to have an incident response plan and review it at least once a year.



You don't have to rely on ad hoc incident response

A cybersecurity incident response plan is a written document that clearly sets out the steps you and your employees must take when a security breach is detected. It is approved by the company's management, which means you don't have to improvise. You'll agree that a prepared response is more effective than a spontaneous, chaotic one.



5 steps to create a cybersecurity incident response plan





1. Document the common types of security incidents.



To get started, create a document listing the potential threats to your business. It will help you prepare different strategies for responding to different types of cyber incidents.







2. Prioritize security incidents based on their severity.



Security incidents vary in magnitude and severity. A corrupted file on an employee's laptop may be considered a lower priority than a DDoS attack, which can take down your entire site. Determine the severity of each security incident to decide which to resolve first.



Assess whether an incident affects your data (making it inaccessible, stolen, or lost) or your ability to serve customers or perform operations. Any incident that affects both data security and operational security should be treated as a priority.





Use our security incident prioritization tool to assess the risks of various security incidents.



Indicate the impact of the incident on your operations and data (none, low, medium or high), and the tool will automatically show whether it is a genuine priority or whether its resolution can wait.



Don't forget to set a time frame for resolving every incident you identify. Ideally, high-priority incidents should be resolved within 2-6 hours of detection, while low-priority incidents should be resolved within 24 hours.
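As an added example (not GetApp's prioritization tool or code from this article), the following Python models the triage rule above: data impact and operations impact are each rated none/low/medium/high, an incident that affects both is treated as high priority, and resolution windows are counted from detection. The 6-hour and 24-hour windows come from the article; the 12-hour window for "medium", the rule for combinations the article does not spell out, and the sample incidents are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Impact levels named in the article, ordered so they can be compared.
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Resolution windows: high within 6 h and low within 24 h follow the article;
# the 12 h window for "medium" is an assumption, the article gives none.
DEADLINES = {"high": timedelta(hours=6), "medium": timedelta(hours=12),
             "low": timedelta(hours=24)}


@dataclass
class Incident:
    name: str
    data_impact: str        # data made inaccessible, stolen or lost
    operations_impact: str  # ability to serve customers / run operations
    detected_at: datetime


def priority(inc: Incident) -> str:
    """Triage: both data and operations affected -> high (the article's rule).
    The rest is assumed: a single 'high' impact -> high, a single lesser
    impact -> medium, no impact on either -> low."""
    d, o = LEVELS[inc.data_impact], LEVELS[inc.operations_impact]
    if (d and o) or max(d, o) == LEVELS["high"]:
        return "high"
    return "medium" if (d or o) else "low"


def deadline(inc: Incident) -> datetime:
    """Time by which the incident should be resolved, counted from detection."""
    return inc.detected_at + DEADLINES[priority(inc)]


def overdue(incidents, now: datetime) -> list:
    """Names of incidents whose resolution window has already passed at 'now'."""
    return [i.name for i in incidents if deadline(i) < now]


# Constructed sample incidents (not real data), all detected at the same time.
T0 = datetime(2020, 12, 1, 9, 0)
SAMPLE = [
    Incident("ransomware on file server", "high", "high", T0),
    Incident("corrupted file on laptop", "low", "none", T0),
    Incident("DDoS on public site", "none", "high", T0),
    Incident("phishing mail reported, no click", "none", "none", T0),
]

if __name__ == "__main__":
    for inc in sorted(SAMPLE, key=lambda i: LEVELS[priority(i)], reverse=True):
        print(f"{priority(inc):6} {inc.name:35} due {deadline(inc):%H:%M}")
    print("overdue at 17:00:", overdue(SAMPLE, T0 + timedelta(hours=8)))
```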



3. Create an incident response flowchart indicating the required actions



The incident response plan determines the steps you must take to contain an attack. Lay your plan out as a flowchart so that your team can quickly see which threat mitigation path to follow.





An example of such a flowchart.



Indicate who is responsible for completing each step mentioned in your flowchart. Distribute clear and non-conflicting responsibilities among your employees so that there are no clashes or unnecessary disputes.



Use a Responsible, Accountable, Consulted and Informed (RACI) matrix to indicate who is responsible, accountable, consulted, or only informed for each step of incident response. One person can hold several roles: for example, your security manager may be responsible for maintaining incident records, accountable for technical operations, consulted on post-incident reporting, and in charge of general coordination and liaison with regulatory agencies.







Here is a sample RACI matrix that outlines the responsibilities of different stakeholders, which you can download and customize to fit your organization's characteristics. For example, if you don't have an MSSP, your security manager will be responsible for all technical operations.



4. Test your plan and train your employees.



An incident response plan alone is not enough. You need to test its effectiveness with simulation drills, which also train your employees in their roles in managing security incidents. Here is an effective red team/blue team exercise you can use as a model.







5. Update your incident response plan regularly.



Update your plan regularly to keep up with changes in the threat landscape or to include any new security measures you have recently taken. Review your response at least once a year and work to reduce the time you spend containing and recovering from incidents.



Use information gathered from previous security incidents and disaster simulation drills to identify opportunities for improvement and implement new controls for your security incident response plan (for example, be sure to look for steps that can be automated).



Finally, use dedicated software: it can help you detect and remediate security threats more effectively, and it allows business operations to continue while incident response activities run in the background.



Here are some categories of such software:



  • Antivirus software
  • Endpoint security software
  • Network security software
  • Network monitoring software
  • SIEM
  • Data backup software
  • Business continuity software

