Shaping Up Your Incident Response Plan – 5 Quick Wins
Updated: Oct 24, 2022
The IBM Cost of a Data Breach Report 2022 was recently released and revealed that 83% of organizations have had more than one data breach, with the average total cost of a breach soaring to $4.35 million.
The report also found that having an Incident Response (IR) team and an Incident Response Plan (IRP) that was regularly tested led to significant cost savings in the event of a breach. Organizations that regularly tested their plan saw an average of $2.66 million lower breach costs than organizations that were not testing their plan. This statistic alone should help security teams validate the cost savings and effectiveness of IR capabilities.
As you review your organization’s incident response plan, below are five key items that CampusGuard often finds lacking during facilitated tabletop exercises:
1. Awareness and Access to the Incident Response Plan
Most organizations developed an incident response plan at some point, but how often is it reviewed and updated? And do all pertinent staff know where to find it? It is important for all key team members, as well as executive leadership, to become familiar with the incident response plan and understand their individual roles and responsibilities. The current version of the plan should be stored in a central location (both online and offline!).
2. Help Desk Triage/Playbooks
As your help desk will probably be the first point of contact for users reporting a suspected incident or compromise, it is important that all help desk staff are trained and understand when to activate the Incident Response Plan and how to escalate to the appropriate staff members. Create a checklist to help your help desk triage incidents, determine the priority/risk level, and identify the immediate steps that should be taken based on the data types impacted, severity, etc. You may want to develop clearly defined playbooks for incidents like a phishing email, account compromise, malware on a workstation, etc., so the help desk has documented steps to follow and can direct end users appropriately on when to shut down machines, disconnect from the network, etc.
3. Communications List
Develop an inventory of all internal and external contacts and associated contact procedures. For example, it should be easy to locate information for cyber insurance companies, forensics teams, card brands, local law enforcement, FBI, Department of Education, etc., so during an incident the team is not scrambling to locate documents or emails with contact details. You should also have a documented call tree/list of internal staff contacts who will need to be notified in the event of a security incident, and ensure this list is in a central location that is easily accessible (and remains accessible if online/cloud-hosted systems are down) for those who need it. This will include contacts in IT, security, legal, communications, public relations, public safety, etc. Assign back-up contacts for any key personnel so critical decisions can be made quickly. Empowering your incident response team members to make decisions during an incident is also important so they can act swiftly to shut down or block services as needed.
4. Incident Tracking Document/Tool
Before an incident occurs, ensure processes are defined for assigning an incident handler and for how resources will be coordinated to track all actions taken. Whether this is within an internal ticketing system, an accessible Google document, or another tool, having it defined within the IRP will eliminate any confusion during an incident. It is important that all steps during the investigation are documented so this information is available as needed to share with outside teams, your cyber insurance company, the board, etc. It will also be helpful to be able to review how the incident was handled and identify any potential gaps in the process as you review lessons learned following the incident.
5. Plan for Critical Resources
What would happen if your organization’s payroll system went down? Or the student information system? Update and regularly review an inventory of critical systems (including physical infrastructure) and related service-level agreements. Develop expectations for availability and establish thresholds for disabling these systems, how long they can be down, the ability to fully restore from backups, etc. Having clearly defined thresholds will help IR team members make decisions during an incident. Involving the business owners of these systems and applications in future tabletop exercises is also important so they understand their role in a potential incident that impacts system access.
As your teams review and update your incident response plan, reach out to your dedicated CampusGuard team for assistance. CampusGuard can also help create and facilitate tabletop exercises with your information technology and security teams, or plan for an exercise that involves other key players like the help desk, communications, legal, leadership, etc. It is important to have a comprehensive and up-to-date IRP, but it is even more important to test it so you can identify any failures before you are facing a real incident.
Additional guidance from the CampusGuard Security Advisor team is below:
[Bivens]: Whenever most airplanes are flown, they carry—within reach of the pilot—a manual with emergency procedures covering everything from a dead engine to landing gear that won't work. During an emergency, seconds count, and the one thing you do not want is crewmembers who don't know what to do.
Information security emergencies don't—usually—risk lives, but a bad actor inside your network is still A Very Bad Thing™ that can cost organizations a great deal of money, time, and data. Worse, if people's personal information is stolen, public trust in your organization can be badly damaged.
In this age of the Cloud, don't forget your remote resources, either. If you use AWS, Azure, or another Cloud service, does your Incident Response Plan (IRP) include steps to check and protect your Cloud properties? On-premises (datacenter) resources are easy to isolate with a quick firewall rule change or by disconnecting a trunk cable—protecting Cloud services may require more preparation.
Like an aircraft pilot, when minutes matter, having everyone pulling in the same direction can keep an incident from blossoming into a disaster. Frequently checking your IRP for accuracy is a vital part of good preparedness, and rehearsing the incident-resolution process—with all the key players—is a crucial part of maintaining your IRP in good working order.
During the stress of a crisis, a comprehensive IRP that is readable, familiar, and up to date is worth its weight in gold, and I recommend everyone have one to help guide them through incident mitigation to a successful recovery.