Despite the security threats reported in the media in recent months, many companies have still not adapted their security measures, sometimes even after suffering a cyber-attack.
Awareness of cyber threats, which are becoming more sophisticated and more costly, is growing both at work and at home. It remains a fact, however, that many companies are not prepared to guard against these incidents, nor do they know how to react proportionately. This is where the incident response plan comes in: it can become a real asset and an essential tool of an organization's information security.
What is an incident response plan? What does it contain?
A security incident response plan is a documented procedure for handling incidents, vulnerabilities and security breaches. It is used in corporate IT environments to identify, respond to, contain and remediate security incidents, both while they are occurring and after they have occurred.
It is not a miracle cure, and proper security controls remain essential to any cybersecurity strategy, but the incident response plan is designed to provide considered guidance, tailored to the organization, for managing a cyber threat or cyber-attack effectively and without panic. It also helps to assess the risks involved strategically and to mitigate post-attack damage. The ultimate goal of such a document is to manage the situation so as to limit damage to the business while reducing recovery time and costs.
Several key phases are usually identified in these standard response procedures:
- Preparation of staff and the organization (awareness training beforehand)
- Incident detection and identification, and assignment of a priority level
- Impact analysis and containment of the incident
- Eradication of the problem and initial recovery
Depending on the severity of the incident, this phase often loops back to detection and analysis, for example to check whether other hosts are infected with the same malware while the problem is being eradicated.
- Recovery of data and services
- Lessons learned: a summary used for future audit requirements, and an incident report giving the causes and the total cost of the incident
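The loop between eradication and detection described above, as an added example that is not part of the original article: starting from the indicator found on the first infected host, sweep the telemetry of every host, pivot from each confirmed malicious process to the new indicators it reveals (its image hash, its network destinations), and repeat until a round finds nothing new. The telemetry records, host names, hashes, addresses and the allowlist are all constructed for the example; the event format and the pivot rule are illustrative assumptions, not any product's API.

```python
"""Iterative scoping sweep during eradication (added example, constructed data)."""
from collections import namedtuple

# One telemetry record: which process on which host did what.
# kind is "exec" (value = SHA-256 of the image) or "conn" (value = destination).
Event = namedtuple("Event", "host proc kind value")

# Constructed sample telemetry (not real data). ws-01 is the host where the
# incident was first detected; ws-02 and ws-03 are what the sweep must find,
# ws-04 is a clean host that happens to use the same internal update server.
SAMPLE_EVENTS = [
    Event("ws-01", "svchost32.exe", "exec", "sha256:aaaa"),
    Event("ws-01", "svchost32.exe", "conn", "198.51.100.7:443"),
    Event("ws-01", "chrome.exe",    "conn", "203.0.113.9:443"),   # ordinary browsing
    Event("ws-02", "updater.exe",   "exec", "sha256:bbbb"),       # variant, different hash
    Event("ws-02", "updater.exe",   "conn", "198.51.100.7:443"),  # same C2 as ws-01
    Event("ws-02", "updater.exe",   "conn", "192.0.2.55:8080"),   # second C2, unknown so far
    Event("ws-03", "updater.exe",   "exec", "sha256:bbbb"),       # only reachable via the new hash
    Event("ws-03", "updater.exe",   "conn", "10.0.0.5:443"),      # internal update server
    Event("ws-04", "teams.exe",     "conn", "10.0.0.5:443"),      # clean host, same update server
]

# Destinations every host talks to legitimately; never promoted to an IOC.
# Without such an allowlist the pivot over-scopes (see the usage note).
ALLOWLIST = {"10.0.0.5:443"}


def sweep(events, seed_iocs, allowlist=ALLOWLIST, max_rounds=10):
    """Return (compromised_hosts, iocs, rounds_run).

    Each round does detection (which host/process pairs touch a known IOC?)
    followed by analysis (what new indicators do those processes reveal?).
    The loop stops when a round adds neither a host nor an indicator, or
    after max_rounds as a safety cap.
    """
    iocs = set(seed_iocs)          # set of (kind, value)
    compromised = set()
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        # Detection: every (host, process) that matches a current indicator.
        hits = {(e.host, e.proc) for e in events if (e.kind, e.value) in iocs}
        new_hosts = {host for host, _ in hits} - compromised
        # Analysis: pivot from the matched processes to everything else they did.
        new_iocs = {
            (e.kind, e.value)
            for e in events
            if (e.host, e.proc) in hits and e.value not in allowlist
        } - iocs
        if not new_hosts and not new_iocs:
            break
        compromised |= new_hosts
        iocs |= new_iocs
    return compromised, iocs, rounds


if __name__ == "__main__":
    hosts, iocs, rounds = sweep(SAMPLE_EVENTS, {("exec", "sha256:aaaa")})
    print(f"{rounds} rounds, compromised: {sorted(hosts)}")
    for kind, value in sorted(iocs):
        print(f"  IOC {kind}: {value}")
```

With the constructed data the seed hash alone matches only ws-01; the C2 address it contacted pulls in ws-02, whose variant binary has a different hash, and that second hash then reveals ws-03. Running the same sweep with `allowlist=set()` shows the failure mode a responder has to watch for: the update server contacted by ws-03 becomes an "indicator" and the clean host ws-04 is wrongly added to the scope, which is why pivoting needs a list of known-good destinations before it is trusted.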
Some tips for a successful incident response plan:
While some organizations do not even have the notion of such a plan, others already have one. But here again a problem arises: these plans were often drawn up months ago and never updated, written to tick a box and achieve compliance. Their effectiveness may then be the same as that of companies which have none: zero.
So here are some ideas and tips for creating or improving your own incident response plan so that it is as effective as possible:
Adapt your response plan to the company or organization concerned (and its workforce)
The documentation produced is often too generic and therefore does little to guide a company toward concrete actions in a crisis. Your response plan must be adapted in every respect to your company's organization, equipment and networks. This means (re)starting from the basics: (re)mapping the relevant structure and defining in detail the roles of the employees involved.
The IT department is not the only one concerned by the development of this plan, since a data breach can, for example, affect e-commerce or marketing services. Involving other departments can also bring a fresh perspective on the strategy to adopt and complement it.
Once you have identified the key people for the plan, clearly define their responsibilities in the event of an incident. For example, HR or marketing may be required to communicate internally or externally after a data breach. Specifying these roles before an incident occurs avoids confusion and facilitates communication between the parties involved.
Evaluate potential risks
It is, of course, important to identify which assets and systems could be threatened in the event of an incident, and in what way, depending on the type of threat, before even considering the response itself.
Prioritize security incidents and determine their scope
The definition of what is, and what is not, an incident is closely tied to key performance indicators. Fixing that definition determines what must be followed up and what can be left as a logged event, and ensures that your security team works on the most serious issues first.
Test this plan regularly, keep improving it, and keep it up-to-date
Incident response plans are rarely tested before a real incident occurs, so an attack simulation, such as a tabletop exercise, can add real value to your security strategy by verifying that the plan actually works.
Running such tests keeps the plan up to date and aligned with the development of the company, while helping to identify and correct weak points, whether technical or human.