How to create a cyber security incident response plan

September 27, 2024

An incident response plan is not a nice-to-have. From major weather events to cyber security hacks, major adverse events impacting I.T. systems are increasingly common. Businesses that have taken the time to plan the steps they'll take to respond to such an event will always come out the other side faster and in a better position than those who must react on the fly.


What is an Incident Response Plan?

An I.T. or cyber-security incident response plan is a crucial document that sets out exactly how a business will deal with a major, adverse I.T. or cyber-security event. A good incident response plan will establish a clear protocol on questions such as:


  • Who is responsible for leading the response?
  • How do we define an incident?
  • How will we communicate to staff and customers during the response?


An incident response plan won't solve your problem, but it will put you in the best possible position to be able to respond to a major situation calmly, clearly and quickly. It is a crucial part of business continuity planning and governance. The development of it must be led internally by business leaders, who can then consult with external I.T. providers for technical support and knowledge when needed.

Developing your own Incident Response Plan

If you've been thinking about developing or updating your incident response plan, here are some key questions your business should be asking to help define what your plan will look like, and who needs to be involved.


ONE: How does our company become aware of an adverse cyber incident?

While this might seem a bit of a no-brainer, there are good ways to be alerted to an adverse I.T. event and there are bad ways...

Good questions for leadership teams to discuss here are:


  • Does our team know who to report a major I.T. incident or cyber-attack to?
  • What if it's out of standard operating hours?
  • Is there a simple phone number for team members to call to report an incident or attack?
  • Do they understand the urgency of an I.T. incident or cyber-attack and know to report it immediately?
  • Is this process documented and explained to all new starters?
  • If someone is unsure of the process, can they quickly find out what to do?


TWO: How severe is the situation?

Is it an 'event' or is it an 'incident'? Is it major or minor? Having a clear definition of what constitutes an event versus an incident, and whether it is major or minor, is key to determining how your business will respond and what the escalation chain looks like.


Thinking on this, your business should ask:


  • How do we assess the risk an incident might have to our business?
  • Is the incident impacting customer data?
  • Are critical assets such as financial records, personal data, intellectual property, and/or sensitive information now vulnerable?
  • What is the threshold we are comfortable with for classifying something as an event, and when does this escalate to an incident? For example, one staff member's mailbox being threatened might be an event, whereas a whole-of-company cyber-attack would escalate to an incident.


THREE: Who will lead the company's response?

Having one person lead the overarching response is key to an effective and efficient response. This person should be a leader in the business who is comfortable collaborating with a wide range of stakeholders and who understands the impact of decisions being made and can make critical decisions as required.


This person should not be an I.T. leader by default - remember if a major incident occurs, it'll likely be all hands on deck for the I.T. team.


If your business is large enough, then you'll want to consider building out an incident response team to support the incident response manager. The expertise this team should provide includes:


  • Technical - someone who can inform on and make decisions on technical matters related to the incident
  • Legal/Compliance - someone who can provide any legal guidance that might be required
  • Communications - someone who can ensure that your wider team and your customers are kept up to date during the incident response and can manage any external enquiries that might arise.


FOUR: Who needs to know about the incident?

Once an incident has been reported internally, it's likely you'll need to report it externally to certain stakeholders:


  • Who is responsible for alerting your external I.T. provider if you have one?
  • Who will act as the liaison between you and your external I.T. provider during the response?
  • Who is your key contact at your external I.T. provider that you should report an incident to?
  • Does your insurance company need to know about the incident and if so, who do you report it to and how?


FIVE: How will we communicate during the response?

Resolving the incident is of course your number one priority, but while the response is underway it's crucial to keep staff and customers up to date with your response.


Think about the demands of responding to a major I.T. incident and consider the different types of communications you might need:


  • Who is your in-house expert for comms in a crisis? Or do you have an external PR or comms provider to support you during incidents like this?
  • If systems such as your email are down, what channels of communication do you have to keep staff and customers informed? SMS, in-app notifications, your website, an automated phone message?
  • Do you know what you'll say? Each incident is different; however, having basic, customisable templates for alerting staff and customers and updating them during a response can make getting critical comms out easier and faster during a stressful time.

Key Takeaways

If you don't already have an incident response plan, then creating one can be a daunting exercise to embark on. Three key things to keep in mind are:


  1. It's never too early to start developing your incident response plan.
  2. Your incident response plan should be a living document. It needs to be reviewed and updated on a regular basis.
  3. Don't rely on your I.T. provider to develop your incident response plan. An incident response plan is part of your broader business continuity planning process, so it must be led internally. Consult with your I.T. provider for technical expertise as it is developed and reviewed.

Did your blood pressure rise a little reading this? Can't remember the last time your business reviewed your incident response plan? If you'd like some guidance on best practice when it comes to an I.T. or cyber-security incident response plan, get in touch with our team - they'll have you sorted in no time.
