Vigilance, education, preparedness and up-to-date systems are an organisation's main protections for managing a data breach or cyber incident. Having a cyber incident response plan can mitigate the effects of an attack. An incident can range from a mild disruption to business processes through to a catastrophic effect on the business, even closure. That is before taking into account the loss of public and customer trust and confidence when a company is caught out by a breach.

If you operate in a regulated environment, there is typically an onus on the organisation to have an incident response, disaster recovery and/or business continuity plan. Those that handle sensitive data, such as health information or payment card data (PCI DSS), are required to have extra controls in place to protect it. Non-compliance with these regulations can result in audits and/or penalties that divert business attention away from normal operations.

No organisation can prevent every attack on its systems, but being prepared, with systems patched, will limit the damage. Having an incident response plan will help in the recovery from an incident. It is far better to have a how-to guide ready at hand than to try to solve the problem on the fly.

Incident Response Plan

A plan documents what to do, who is responsible, who to inform and how to inform them in the event of an incident. We recommend reviewing and testing the plan at least yearly so that its effectiveness can be evaluated. If the plan does not have accurate information on who to contact and what to do, it will not be effective in the hour of need.

Steps to an effective incident response plan

Developing an incident response plan shows that the organisation or department is realistic about the impact a security incident would have on it.

  1. Form an incident response team. Assign a senior member of staff to lead the response effort and to keep company executives informed of the situation; think of them as the project manager. Ensure that the team draws from across the organisation, with knowledge of the business and clearly assigned responsibilities.
  2. Have guidelines on how, and to whom, to communicate. Have clear methods for reporting incidents and the ability to track them.
  3. Keep a log in which the incident response team can monitor and record information about an incident.
  4. Analyse your insurance policy requirements to ensure that you are compliant with them. Also consider taking out separate cyber insurance for your organisation.
  5. Develop template communication plans for your customers, employees, the public, the media and/or regulatory bodies.
  6. Have a single point of contact for all communication requests to the business. The ‘project manager’ should be the spokesperson.
  7. Have a list of all contacts relevant to assisting you with the incident, including out-of-hours and on-call persons with business and technical knowledge of the IT systems.
  8. Conduct regular planning on incident detection and management. Train your staff on detection and awareness so that they ‘stop, think and ask’ when a situation arises, based on the information contained within your policies. Conduct table-top exercises (simulations) of realistic scenarios to fully understand how the different elements of the plan will play out, and how effective they will be.

https://www.nist.gov/news-events/news/2016/12/nist-guide-provides-way-tackle-cybersecurity-incidents-recovery-plan

No organisation can predict, track and be prepared for every potential attack, but having a tested plan that details the necessary information will greatly assist you in responding to an incident. Putting all these pieces together before an incident occurs will help keep an organisation up and running during an attack, before it leads to a data disaster and a public relations nightmare.