It’s When, Not If: Why You Need a Cybersecurity Incident Response Plan

Time and time again, GreyCastle Security responds to security incidents where the affected organization is in complete chaos. Why? They have never responded to a cybersecurity event before and don’t know where to start.

Responding to an information security incident is reactive by nature; the only part you control in advance is how prepared you are. Just like performing CPR, giving first aid, or responding to your house being on fire, having the skills, preparation, and knowledge in place before you need them can mean the difference between a total loss and a successful outcome. During security incidents, clients who have planned and prepared for the inevitable lose less money, are back online sooner, and generally report fewer incidents than those who haven’t prepared.

As an example, think of the White House. People jump the fence all the time, and most are caught within seconds. Now imagine the White House with no preparation, no detection, and no reliable way of stopping those jumpers. They would likely get a lot farther than they can today and reach places they could never get to before.

An organization’s network works (or at least should work) the same way. Nothing is 100% secure. Ever. An organization should expect adversaries to get past its network perimeter. The questions are: How fast can we detect these intrusions, and how fast can we eradicate them? Technology does a good job of automating detection and containment, but in reality you can’t rely on it to stop everything. In addition to technology, an organization needs good policies, processes, and plans in place to respond to these events.

Implementing and testing an Incident Response Plan (IRP) is a great way to start. The plan itself should include the processes for responding to an incident, along with contact details for your legal team, your insurer, forensic firms, and anyone else who will be important during an incident.

How can you put a plan together? Below are a few basic tips for developing your IRP. While not comprehensive, these steps are a good starting point.

  1. Know your risk profile. What are the biggest threats to your organization? Where are you vulnerable? Performing a cybersecurity risk assessment will help you answer these questions and others.
  2. Understand your compliance responsibilities. Which regulatory frameworks should you be following, and what are your reporting requirements and deadlines? Know the regulations you are beholden to.
  3. Have a communication plan. You will likely need to communicate the details of the incident to a number of different parties. Know in advance who those people are, how you will contact them (including out-of-band if your normal systems are compromised), and what you need to say.
  4. Identify your stakeholders, assign them responsibilities, and train them in how to respond to an incident.

The most important part of any plan, however, is to test it. If your organization creates a plan and simply says, “Follow it,” I will bet you that it ends up on a shelf (or, even worse, in a file share somewhere), that it hasn’t been looked at in years, and that when an incident does arise it isn’t followed at all (and may even have been forgotten about).

Testing the plan is vital, not only because it trains the team on the organization’s process, but also because it lets the team learn what an incident is, what it feels like, and which processes to follow. A tabletop exercise that walks the team through a realistic scenario is the usual way to do this. The same reasoning applies to testing fire alarms every six months: make sure it works before it is far too late.

About The Author: Adam Dean

Adam Dean is a Security Specialist at GreyCastle Security. Adam is a graduate of the University of Advancing Technology with a Bachelor’s degree in Technology Forensics. Adam has experience identifying, containing, eradicating and recovering from computer security incidents ranging from malware-based infections to malicious insiders.