Today’s threat actors move quickly. You don’t have days or weeks to contain a cyber incident; you need a rapid response, and your team must stay a step ahead.
While there are several strategies an organization can deploy to prepare to contain and respond to a cyber event, an incident response (IR) plan can provide peace of mind and a roadmap to follow when time is of the essence.
IR plans can help save your team stress, time, and money during a breach and ultimately help build your organization’s cyber resilience. It’s not a matter of “if” you’ll use your IR plan, but “when.” Will you be ready?
What is an IR Plan and Why Does it Matter?
An IR plan is a playbook that outlines the steps your organization will take in the event of a cyber incident. It is designed to help security leaders and stakeholders respond to cyber incidents quickly, efficiently, and effectively. The Cybersecurity and Infrastructure Security Agency (CISA) also recommends organizations have an IR plan in place to guide actions before, during, and after a security incident.
When you are mid-incident, it’s too late to determine your chain of command, develop your communications strategy, and draft legal contracts. By improving your readiness now, you can better protect yourself against potential threats in the future. Having an IR plan in place can help you:
- Respond quickly and effectively to an incident: Time is vital during a cyber-attack, as you need to quickly identify, contain, and eradicate the threat to minimize its impact on your business. IR planning during non-crisis times allows you to proactively prepare your team and your business for the unexpected.
- Reduce downtime and costs: While time and resources are of the essence during an incident, only 41% of chief executive officers (CEOs) believe they are prepared for cybersecurity crises, according to The Conference Board. A well-executed IR plan can help you reduce the time your systems are down and minimize the financial costs associated with the loss of productivity.
- Build cyber resilience: An IR plan is essential to a comprehensive cybersecurity strategy. By having a plan in place, you can significantly reduce your risk of falling victim to a cyber-attack and better anticipate, withstand, recover from, and adapt to cyber stresses or compromises and achieve cyber resilience. Not only should IR plans be used to support your team reactively, but you can leverage them to be proactive as a training resource, too. You can use them as a roadmap to simulate scenarios and conduct cyber maturity reviews.
Having a cyber IR plan can also help public companies comply with the Securities and Exchange Commission’s new rules on cybersecurity risk management, strategy, governance, and incident disclosure. IR plans can help you identify and assess incidents more quickly, gather the information that you need to make accurate and timely disclosures and coordinate your response with other stakeholders.
The DNA of a Strong IR Plan
An effective IR plan, first and foremost, should be clear and easy to understand for all parties involved. Roles and responsibilities during an incident need to be clearly defined. An IR plan isn’t a set-and-forget solution – it is a living plan meant to be adapted, practiced, and honed over time.
There are four key components of a strong IR plan:
- Readiness: Your IR plan should outline the steps to prepare for an incident, including identifying and developing a team of responders, conducting risk assessments, and testing and iterating on incident response procedures. While you can’t always predict a cyber-attack, knowing the precise actions you would take in the event of a breach can help reduce the impact of a cyber threat on your organization.
- Response: When a threat is identified, it must be responded to diligently. The IR plan should outline the steps for containment, to stop the spread of the incident and minimize the damage, as well as processes for eradication. It’s valuable to identify multiple contacts and contact methods for key stakeholders involved in the response process. You cannot assume that phones and email will remain uncompromised during an incident, so you must prepare additional, out-of-band communication channels to keep the response streamlined. It’s important to make sure that your plan is flexible enough to adapt to different types of incidents. The threat landscape is always evolving, and your plan should be nimble enough to evolve, too.
- Recovery: Every IR plan should also include a detailed recovery process that outlines how you will help the organization resume operations after an incident, including restoring data and systems and implementing new security measures to prevent future events. Unfortunately, today’s threat actors often target organizations again immediately after a breach, which can lead to clusters of incidents. Being prepared to jump back into response mode and to deploy vulnerability management efforts at any time is critical.
- Communications Support: While IR is a technical activity performed by information security teams, in the broader context of today’s data and security environment, these incidents do not stay within that team’s purview. A strong IR plan should include a communications plan that outlines how the organization will communicate with all stakeholders during and after an incident. This includes informing employees, arming service desks and call centers with approved messaging, communicating with customers, reporting to the SEC, and even speaking with the media as needed.
Even the most thoughtful plans are only as good as the team you have in place to execute against them. To achieve cyber resilience, you need a team that can prepare for, respond to, and quickly recover from cyber incidents to keep your business running with minimal disruption to workflow and processes.
Assembling Your Team
Building an in-house Cyber Incident Response Team (CIRT) that understands the unique complexities of your business and has the appropriate level of training to execute your IR plans is critical. A key component of the CIRT is the technical team, made up of IT and security professionals who will direct the containment stage of the incident while you get your response started.
You must keep your technical team up to date on the threat landscape, provide upskilling and professional development opportunities, and explore the latest protections to help keep them prepared to navigate the next incident.
Whether one person handles your IR, or you’ve established a robust CIRT, you must assess not only what you know, but more importantly, what you don’t. While it can be challenging, understanding your team’s limitations, what resources are missing, and which resources need improvement is imperative to building resilience.
If gaps are identified, organizations may want to consider opening an IR retainer with a trusted cybersecurity partner to help address them. An IR retainer can give you the proactive and reactive support you need to manage cyber risk – and peace of mind that you are better prepared. A strong retainer relationship is not just a response contract – that’s the minimum.
A good relationship with an IR partner will provide a lifecycle of support that helps your business manage and contain the risk of future incidents.
Striving For Cyber Resilience
Cyber-attacks are inevitable; however, an effective IR plan and a team of skilled responders, both internal and through outside partners, are key to achieving cyber resilience. By having an IR plan that your team(s) can activate rapidly, you can significantly reduce your risk of being the victim of a cyber-attack and minimize the impact of an incident on your business.
Handling cyber incidents appropriately is crucial for building trust with your customers, maintaining compliance, and keeping the business running smoothly with minimal disruption. As with all business risks, cybersecurity risks require upfront planning with all relevant stakeholders and putting a system of controls in place to minimize gaps and build resilience.
Wayne Anderson leads the Data Security and Privacy practice at BDO Digital. He drives the strategy and offerings for the company’s advisory clients protecting data fabric, AI, and infrastructure. Wayne fuses experience from leading global-scale data protection programs, CISO advisory engagements, and partnership in industry organizations like the Cloud Security Alliance to help customers translate business imperatives into risk-managed growth and cost-containment programs. Before BDO Digital, Wayne led security strategy for risk management and compliance at Microsoft and previously held security leadership roles at McAfee and Avanade.