You have instituted regular penetration testing and are aware of your company’s vulnerabilities. You have a solid understanding of insider and outsider attacks. You are using the latest, most up-to-date identity management system. Everything’s all set, right? Not quite. Every (and we mean every) company needs an efficient and effective incident response plan in place. Even if you already have one, assess it. It most likely could benefit from improvement, as only 9% of incident response professionals labelled their capabilities as “very effective.”
The reality is, most incident response plans don’t last past the first incident. This may be startling, given the amount of time, planning, and resources that goes into developing one. That is why, when developing a plan, it is important to know which aspects to incorporate in it and the correct procedures for putting it into practice.
The end goal is to mitigate a cybersecurity attack as much as possible, reducing the legal, financial, and reputational consequences. Plus, getting some justice for the uncalled-for cyber abuse.
With that in mind, this article explains what an incident response plan is, which critical components to include in it, and why inclusion creates stronger IR capabilities that can meet that end goal. Plus, how CBI, cyber security solutions in Detroit, can help.
What is an Incident Response Plan?
In a nutshell, an incident response (IR) plan defines how your company responds to a cybersecurity attack. This means that during the course of an attack, the designated IR team systematically carries out its responsibilities. Volatile data is captured and analyzed. The media is communicated with and, if needed, a public statement is drafted. The appropriate law enforcement personnel are contacted, and the US Computer Emergency Readiness Team (US-CERT) is updated. Plus whatever else company policy specifies.
What Should You Include?
Only you are going to know exactly what plan your business needs in order to best align with your company’s values and goals. That said, here are some of our recommendations:
Your Company’s Assets
In other words, what information would destroy your company should a hacker access it? To find this out, go through everything: files, documents, data, email accounts, and so on. It may be wise to hire professionals experienced in this field, as they’ll know the right questions to ask and the proper cybersecurity tools to use to protect your most (to least) valuable assets.
Identify Your Company’s Weaknesses
We recommend conducting a series of penetration tests so you fully understand your vulnerabilities. This means potentially hiring whitehat hackers to launch mock insider and outsider attacks against your systems. During these “emergencies,” see which of your assets can be reached. By doing this, you’ll better know what you need to put into your policy, plan, and procedures in order to “patch up” the gaps.
Create the Company IR Policy
In it, establish information-sharing processes: in the event of an attack, how your company will notify the media, the public, law enforcement, vendors, clients, shareholders, and employees.
Also, define what an “incident” is. This is important since, according to a survey, a majority of IR teams feel overworked and understaffed because the definition is so broad. For instance, they’re tasked (and often inundated) with distributed denial-of-service (DDoS) attacks, accidental and negligent insider misuse, data loss, reading and interpreting feeds, and much more.
If you do decide on using a broad “incident” definition, consider adding more hands to your IR team. Also specify in your policy the specific tasks each job title is responsible for. No matter what, this definition needs to be clear, as 43% of IR professionals reported their definition structure (and response plan) was “detrimental.”
Overall, your policy should focus on providing the proper instruction that will allow your IR team to detect, investigate, and remediate your assets to the best of their ability should an incident occur.
Your IR team should have multiple training sessions so they clearly understand the company IR policy and their role in it. In addition, penetration tests need to be run repeatedly to test your IR team on their policy knowledge. That way, you can see whether your policy helps or hinders your team in doing their jobs.
Your plan should center around your incident response policy. While the policy is more of the theory, the plan is the roadmap that makes the theory actionable and tangible. It must include the types of training, short-term and long-term goals, and metrics to measure the policy: whether it works or not, and to what extent.
Determine Your Company Requirements
This especially applies to you if you’re a federal agency. Some agencies and businesses are legally required to have a response plan in place. According to OMB’s Circular No. A-130, federal agencies must have a plan that helps their users when an incident occurs and that provides instructions about sharing information pertaining to common vulnerabilities and threats. Besides this, the Federal Information Security Management Act requires agencies to report all incidents to US-CERT, a government response organization that helps government agencies handle the given incident.
Overall, the NIST framework (best-practice standards for US critical infrastructures) is a solid go-to resource in providing evidence-based methods to incorporate in your response plan. It’s also best to reach out to cybersecurity professionals knowledgeable about NIST and response plans in general to ensure you develop a competent cyber solution.
Inclusion Creates a Stronger IR Plan
The more people involved in the IR plan, the more effective it will be. This means inviting employees, executives, board members, shareholders… to IR conferences and training events. Listen to and incorporate all fields, not just IT. Using only the IT department is a big mistake because responding to incidents requires more than data analysis and data access. The media, law enforcement, and US-CERT need to be contacted and updated.