5 Key Components of an Effective Cyber Incident Response Plan
Date: 1 May 2020
Your organisation may have a cyber incident response plan that it can fall back upon in case of a crisis, but you need to ensure it is fit for purpose. We show you how to achieve that.
If all cyber incident response plans were perfect, we wouldn’t hear of organisations losing millions of pounds to cyber-attacks or being shut down for days on account of ransomware, would we? The fact is that the pressure, chaos and stress during a cyber-attack can be intense and overwhelming.
So, what are the five things that you must consider to ensure that your cybersecurity incident response plan is effective and will do you some good when you face an actual cyber-attack?
We sat down with Amar Singh, Founder and CEO of Cyber Management Alliance, to curate this quick checklist of 5 things one needs to get right in their cyber incident response plan pronto!
- Keep it crisp: There is simply no point in having cyber incident response plans that run into hundreds of pages. Sadly, most of the time nobody will read them and if they do, they will definitely not remember them, especially when a crisis hits and thinking straight becomes a challenge. Always keep your incident response plans brief and to the point.
- Keep it simple: And while you cut your long-winded plan short, also remember to edit out all the fluff and needless information! Of course, we don’t mean that you over-simplify the plan, but you do need to keep it to-the-point and easily accessible to everyone. It is also imperative to keep it as relevant to your business as possible. Tailor your cyber incident response plan workflows to the specific needs of your company.
- Play out scenarios: Talking of relevance, try to focus on all possible cyber incident scenarios that could affect your business when creating your short and specific response plans. In aviation, for instance, the Quick Reference Handbook lists all possible incidents that can happen in flight and what the pilot’s response to each of these should be. Regular rehearsal of these checklists makes them a part of the cockpit crew’s muscle memory and when disaster does hit in the air, they are able to respond to it almost as a reflex action. Every business should aim to create a similar scenario-based reference book in the form of their incident response plan.
- Know your adversary: Besides knowing the scenarios, it is also imperative to know your adversaries. You have to take into account who would want to harm your business and what damage they can cause, and then work backwards. Your cyber incident response plan must be built in conjunction with this knowledge and must have steps targeted at countering the damage your specific adversaries can cause.
- Focus on the Golden Hour: The need for speed in the Golden Hour is an oft-discussed subject in the world of cybersecurity. Your cyber incident response plan must equip your team for such speed of action in both technical and organisational terms. It should highlight the key steps to be taken within minutes and hours of the attack being discovered to isolate the breach as quickly as possible. It must also illustrate the key steps of communication to regulators and stakeholders that have to be taken with immediate effect.
Oh, one more thing. Amar encourages the reader not to blindly follow cyber incident response plan templates. These can be useful but unless you have a solid understanding of security incident response as a skill and/or experience in cyber incident management, the response plan template will be of little use.
If you need more information on how to design the most effective cyber incident response plan and the best practices associated with responding to a cyber incident, you could check out our GCHQ-Certified Cyber Incident Planning & Response course here.