4 Calling Cards of a World Class Incident Response Plan
One of the great truths in cyber security, just like in life, is that there’s nothing wrong with expecting the best – as long as you make sure to prepare for the worst. Recent research by The Ponemon Institute, however, suggests far too many businesses are expecting the best cyber security-wise and simply leaving it at that. In a report entitled The Third Annual Study on the Cyber Resilient Organization, The Ponemon Institute found 48% of participants feel confident that their “cyber resilience” is high or very high. Just how resilient they actually are is called into question elsewhere in the study, as more than three-quarters (77%) of participants admitted to lacking a formal incident response plan, indicating many may not be as resilient as they believe.
“No company wants to be on the news due to a breach, but the reality of the situation is, if you’re using technology, you’re going to be attacked at some point,” wrote Tom Clerici, Arraya’s Cyber Security guru, in a blog from early last year. “Unfortunately, too many organizations wait until after an incident occurs before developing an incident response plan and by then it’s too late,” he added before listing four strategies businesses should consider when building out such a plan.
One year on, the strategies contained in Tom’s initial blog remain valuable. Yet, considering the Ponemon Institute’s study, it seems as though many are still struggling to lock down what they need to do to prepare for – and respond to – cyber security incidents. With that in mind, here are four more incident response strategies businesses can implement to ensure they are ready for anything:
- Establish who owns the plan – Businesses must designate a chain of command to supervise the response effort. This should include an Incident Response Manager tasked with handling the more technical, nuts and bolts workloads. Additionally, an executive sponsor should be selected to oversee operations from the highest level. This will leave no doubt about the seriousness of organizational response efforts.
- Design a public relations campaign – Innocent bystanders, be they customers or employees, are likely going to have some sort of personal or professional stake in incidents and will need to know what took place. Businesses must decide when to loop in their marketing or public relations teams, who to involve from those teams, and the timing and content of announcements. Ideally, a business will be the one determining the narrative around an incident, but delays or muddled messaging are tantamount to ceding that privilege.
- Ensure the tech toolbox is up to snuff – Knowledge is power in today’s cyber security landscape and, as such, response team personnel should immediately be alerted to suspicious activity on the network. If activity does prove malicious, they should also be able to determine what attackers have been able to access in order to guide remediation. If an organization’s security solutions aren’t working closely together to provide personnel with this information, it may be time to consider other options.
- Define a desired end state and the path to reach it – Once a problem has been properly triaged, security personnel should know what goals they’re working toward, both in the long and the short term. The temptation may be to dive in and try to fix everything all at once. It’s admirable, but it’s also a surefire way to work very hard to stand perfectly still. Instead, team members should have a clear understanding of what the road to recovery looks like, complete with mile markers.
Next steps: Build or boost your incident response plan
Want a chance to hear executive-level insights into the right (and wrong) ways to respond to a cyber security incident? Join Arraya Solutions at Davio’s Northern Italian Steakhouse in King of Prussia, PA on April 24 for Bourbon & Duct Tape: How NOT to Handle Security Incident Response. This event will leverage the real world experience of Sean Mason, Director of Cisco’s Incident Response team, and Tom Clerici, Arraya’s Cyber Security Practice Director, to illustrate proper tactics as well as the consequences of failure. Register now by visiting: arraya.rocks/events.
If you’d like to get the conversation started with the Arraya team prior to the event, we can be reached at: https://www.arrayasolutions.com/contact-us/. Or, you can strike up a conversation with us on social media. Arraya can be found on LinkedIn, Twitter, and Facebook. Be sure to follow us so you’ll stay updated on all of our latest industry insights, unique educational opportunities, and more.