What Do You Do When an Incident Happens?
Disaster has struck! A single click on an email link, credentials are handed over, and your system’s defenses are down. Your company’s security is at risk, time is running out, and you need an incident response plan.
The tension rises, sweat beads and hearts race.
What’s your response?
What’s the plan?
Who should you contact first, second, and so on?
Dealing with cyber threats is real, and having a plan is nonnegotiable. It helps organizations respond quickly when things go wrong, minimizing problems and financial losses and protecting their assets and reputation. You need to prepare for the unexpected because it’s coming.
Having an Incident Response Plan (IRP) is crucial for several reasons:
- Teamwork: It brings everyone together.
- Coordinated Response: It guides how to react during a crisis.
- Time Matters: In a cyber-attack, time is critical.
- Solid IRP: You need a strong Incident Response Plan to manage and reduce the threat.
- Cybersecurity Insurance: Most organizations should have it, and insurers expect you to preserve evidence when an incident occurs.
- Business Continuity: Can you still pay your employees, serve your customers, and operate safely?
- A Dynamic Plan: It’s not something that collects dust; it’s always being improved.
Cyber Liability Insurance Rules are Always Changing
Insurance rules are changing, and more organizations are required to follow security standards; regulatory compliance is now a must for everyone. The landscape keeps shifting as new requirements are enforced, and the bar has moved from simply answering a questionnaire to demonstrating compliance with those requirements when you file a claim.
Compliance is Becoming a Universal Requirement in Many Industries
Regulations and frameworks like HIPAA, the Gramm-Leach-Bliley Act, CMMC, ISO, SOC, FINRA, PCI, and Sarbanes-Oxley now require certain best practices and cybersecurity controls to be in place.
This leads to the 5 stages of compliance grief:
- Denial: “It doesn’t apply to us; we are too small.”
- Anger: “It isn’t fair, this is too expensive!”
- Bargaining: “Can’t you just give me a piece of paper? Just provide me with what’s necessary to pass the audit requirements.”
- Depression: “We’ll never get there; it’s just too much to take on.”
- Acceptance: “It will be ok; this helps us prepare and be more secure.”
Creating an Effective Incident Response Plan
What not to do
- Don’t see it as just an IT plan; it’s for the whole company.
- Don’t think it’s only IT’s problem; it involves finance, legal, HR, marketing, communications, and more.
- Don’t do it just for show; it’s an evolving plan.
- Don’t rely on one person; it’s a team effort.
Who is on the team?
- Incident Response Leader: This strategic team leader, often a senior executive, is responsible for assessing technical, financial, and operational risks, prioritizing them, and making tough decisions. This role isn’t a technical one.
- Access and Identity Leader: This role manages network users’ onboarding, offboarding, and access control. It may be an HR or operations expert.
- Compliance Officer: This versatile professional understands all compliance requirements, including regulatory ones like HIPAA, as well as customer-specific demands in case of a breach. They ensure the team sticks to the plan.
- Internal Communication Lead: This individual handles communication within the organization.
- Marketing and PR Coordinator: In the event of a website issue or data leak, this person takes charge of managing press communications, updating the website, and coaching the internal team on what to say or not.
- Operations: This encompasses the IT team and their responsibilities. In smaller organizations, one person may fill multiple roles, but avoid a single point of failure: don’t have one person do it all.
Identify the third parties to contact when an incident happens.
- Outsourced Providers: This includes the MSP IT team, print vendor, critical business application vendors, vendor support numbers, your bank, building landlords, and so on. Ensure you have their contact numbers and emails, and make the list comprehensive.
- Legal Team: Create a document outlining how to respond to a criminal threat to your business and any other legal communications that can be pre-drafted.
- Law Enforcement Agency Contacts: Maintain information for contacting law enforcement, including the FBI, local law enforcement, and Homeland Security.
- Cyber Security Insurance: Understand the process for submitting a claim and have the necessary contacts from a response and recovery perspective. Know who to get in touch with and the steps to follow.
As you design your plan, remember to:
- Specify all the potential threats in detail and formalize the plan for each (e.g., a social media account hack).
- Communicate responsibilities to the staff and the Incident Response team.
- Create a continuous learning process.
- Designate who is responsible for updating and communicating any changes to the plan.
After implementing the plan, what should you do next?
- Inform employees about their responsibilities.
- Notify vendors about the plan and their roles.
- Review the plan with your legal team for insights and any necessary additions.
- Ensure you meet compliance and contractual obligations.
- Establish a formal sign-off process with your leadership team.
Practice. Practice. Practice.
Think of this as an ongoing journey, not a final stop. Embrace it, do it, and make a regular habit of reviewing it. Some companies do this check every few months or twice a year. Create a routine for testing. For example, gather your team and imagine a fake incident, like the CEO’s Facebook account being hacked. Each person shares how they’d respond. You can even include vendors or customers in a call to discuss your actions. This helps find any gaps.
Try this process with smaller incidents to see if the plan works. After every test, after every real incident, and whenever the Incident Response Team changes, update the plan. Make a formal commitment to review it at least once a year to keep it up to date.
Conclusion
Don’t wait – prioritize preparation (the PLAN), swift detection, containment, and rapid recovery to minimize the impact of security incidents. Strong collaboration, clear communication, and ongoing education are the keys to a successful incident response strategy.
Don’t hesitate.
Watch this webinar now to stay ahead.