The impact of a cyber incident can range from an attacker stealing customer data to an attack on critical infrastructure. The best time to create an incident response plan is before an incident happens. With cyberattacks occurring every day, planning cannot wait until after an attack has already taken place.
A good cyber incident response plan should ensure that an organisation can:
- Identify the incident and understand the severity of the problem (e.g. was it an attack on a website, did a computer get infected with malware, or is the network being attacked?)
- Determine who is responsible for responding to the incident and what actions they need to take (e.g. are we all reporting through the same portal? Is there a need to have different procedures for different types of incidents?)
- Determine what support systems were affected by the incident and how this needs to be addressed (e.g. what backup services should be used to restore services and systems once the main incident is resolved?)
- Determine what sources of data need to be protected, and what needs to be shared with the customers (e.g. how will it be shared with affected customers and what supporting documentation will need to be provided to explain what happened?)
- Identify the steps that need to be taken to restore normal operations (e.g. what are the database backups that need to be restored, and how long will it take to run them?)
- Establish a review process so no incident is ever repeated (e.g. what is the point of promoting incident response plan training if we keep repeating the same mistakes?)
- Establish a policy for reporting incidents and effectively remediating them (e.g. what level of information about the incident will be provided to customers and to the wider industry or community?)
There is a lot of information available on what first responders should do during cyberattacks or incidents. This blog will detail 6 reasons why your organisation should have a plan in place to deal with incidents, and also provide examples of what these plans look like.
1) Reduce risk to critical infrastructure
2) Prepare for potential civil unrest
3) Avoid liability, fines, and lawsuits
4) Provide transparency and accountability to the public
5) Control damage costs associated with an event
6) Decrease vulnerability over time.
The organisations that create incident response plans need not worry about legal implications, as they will avoid liability for their actions under the plan.
What should an organisation do once it has identified its needs? It is important that you identify what actions need to be taken and that they are documented in a format that is easy to use. You may recognise some of these needs from your cyber incident response training, but you may also recognise some that were not covered. Whatever they are, following best practice will ensure that you get the most out of your cyber incident response plan.