Interview with Eric Vanderburg - Vice President, Cybersecurity

How to Write an Effective Cyber Incident Response Plan


In today’s digital age, there is a constant threat of cyber-attacks. As a business, it is essential that you take proactive steps to protect your confidential data. There is, however, no silver bullet to ensure your organization doesn’t fall victim to a data breach. That’s why it is equally important to ensure you have an incident response plan (IRP).

Let’s imagine a worst-case scenario takes place. You go into work one morning and find you’ve been hacked. What do you do?

Refer to Your Incident Response Plan

Your first step when there is a suspected incident is to locate your incident response plan. If you do not have an IRP in place, your next step after reading this blog should be downloading How to Write an Effective Cyber Incident Response Plan. This guide explores the importance of having an IRP and outlines a process for drafting one for your organization.

The incident response plan will outline whom to contact, including internal contacts, your digital forensics and incident response (DFIR) team, legal counsel, and law enforcement, if necessary. It will also provide step-by-step instructions on containing and eradicating the threat to get your business back up and running.

Print Your IRP!

To ensure you always have access to your incident response plan, have multiple copies available in digital and print formats. Digital copies can be stored on the company network, intranet, or in the cloud. The key is that each member of the incident response team can locate it quickly. 

A printed version of your IRP is just as important as a digital copy, if not more so. Depending on the nature of the breach, digital copies may not be available. Ransomware is a good example: once deployed, it encrypts the data on the infected machine and on any network storage it can reach, including an IRP stored there. Having a printed IRP guarantees it will be available when you need it the most.

While having copies of your IRP in multiple locations is generally a best practice, it makes version control imperative. When you update one copy, that change must be carried over to every other copy, digital and printed, so that no team member responds from an outdated plan.
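Keeping the copies in step can be checked mechanically. The following is an added example, not code from the article or from TCDI: it hashes a master IRP document and reports whether each stored copy is current, stale or missing. The file names and contents are constructed sample data written to a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large PDF/DOCX copies need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_irp_copies(master: Path, copies: dict[str, Path]) -> dict[str, str]:
    """Compare each named storage location with the master document.

    Returns {location: status} where status is 'current', 'stale' or 'missing'.
    A stale or missing copy is a version-control failure to fix before an incident.
    """
    master_hash = sha256_file(master)
    report: dict[str, str] = {}
    for location, path in copies.items():
        if not path.is_file():
            report[location] = "missing"
        elif sha256_file(path) == master_hash:
            report[location] = "current"
        else:
            report[location] = "stale"
    return report


def demo() -> dict[str, str]:
    """Constructed scenario: one master IRP and three storage locations, one outdated."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        current = b"IRP v2.1 - contacts: DFIR team, legal counsel, law enforcement\n"
        (root / "master.txt").write_bytes(current)
        (root / "intranet.txt").write_bytes(current)
        (root / "cloud.txt").write_bytes(b"IRP v2.0 - contacts: DFIR team, legal counsel\n")
        copies = {
            "intranet": root / "intranet.txt",
            "cloud": root / "cloud.txt",
            "print-room share": root / "print_room.txt",  # never written: reported as missing
        }
        return audit_irp_copies(root / "master.txt", copies)


if __name__ == "__main__":
    for location, status in demo().items():
        print(f"{location:18s} {status}")
```

Run it on a schedule against the real storage locations and treat any result other than "current" as a task for the IRP owner.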

Respond to the Threat

So once you have your incident response plan in hand and you’ve contacted the necessary people, the next step is to respond to the threat. Your IRP will walk you through the process of identifying the threat and preserving critical evidence. This evidence can help during the next phase and may also be required in potential future litigation.

Next, the IRP should outline the process for containing, eradicating, and investigating the cause of the breach. Depending on the findings, additional preservation may be required. You must then eradicate the threat and remediate the vulnerabilities that led to the initial hack. 

Finally, once the dust settles, reflect on your response. Reflection will allow you to analyze your response efforts to determine what you did well and what you could have done better. Incorporate these lessons into your incident response plan for future reference.

Four Steps of an IRP

Each phase plays a critical role in recovering from a data breach. Just having these steps outlined, however, is not enough. Training is key to ensuring your team executes the IRP correctly and efficiently.

Perform Tabletop Exercises

Having each team member understand their role and responsibility in the event of a breach is essential to getting your organization back to normal as quickly as possible. The best way to accomplish this objective is by performing tabletop exercises.

During a tabletop exercise, the incident response team sits down together and runs through “what if” scenarios. Each member then explains the steps they would take in that scenario.

Performing these exercises provides excellent practice and brings to light potential issues that may not otherwise be noticed. Those issues can then be corrected in a calm environment rather than in the middle of an emergency when stakes are high. The incident response plan can then be updated accordingly to reflect those changes.

Learn More About Protecting Your Business with Tabletop Exercises

If you would like to learn more about drafting an effective incident response plan or how to run tabletop exercises, contact us today. TCDI’s cybersecurity team works hand-in-hand with organizations, both large and small, to create and practice incident response plans designed to provide guidance, structure, and an organized response to an incident.