What NOT to Do When Creating an Incident Response Plan
As cyberattacks become more sophisticated, cyber incidents have become more difficult to predict and prevent. Nowadays, even companies that have invested in strong cybersecurity measures and strictly follow industry regulations are not totally safe from threats and breaches in their networks.
You should never be too complacent.
When incident prevention fails, your team needs to step up and quickly respond to the issue to avoid more massive breaches that can disrupt your business.
And to ensure more systematic incident management, you must develop and implement an incident response plan.
According to the National Institute of Standards and Technology (NIST), an incident response plan is "documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization’s information systems." It should cover preparation, detection/analysis, containment/eradication, and recovery.
Here at Intelligent Technical Solutions (ITS), we know that a carefully planned incident response program will help an organization stop and control incidents swiftly. In this article, we’ll go over the common mistakes companies make when making a plan so you can avoid them.
4 Mistakes to Avoid When Creating an Incident Response Plan
We asked Jeff Farr, ITS Security Consultant, to list the common mistakes a company often makes when creating an IR plan. These are the top ones:
1. Using an off-the-shelf plan
An incident response plan is a must for businesses, but it isn’t just an item in a compliance checklist that you need to tick off.
Many organizations use generic incident response plans that break down the standard actions to take in case of a potential incident. While this may give you a sense of security, a plan not customized to your organization’s needs may be ineffective in preventing threats.
Most off-the-shelf incident response plans are extensive and too complex. And some of the procedures and policies in these plans can be a mismatch for your organization or may drag down your entire incident response program.
What you can do, however, is use the existing plans as a basis to create your own without replicating the entire plan.
“We have samples of different response plans from previous clients. What we do is take the good things from the existing plans and put them together to help create an entirely different plan that suits the business.” Farr says.
You can do that as well. The NIST’s Computer Security Incident Handling Guide is a good resource for your organization when creating an incident response plan. However, it's important to tailor your plan based on your company's objectives, environment, culture, people, and current industry trends.
2. Failing to establish a clear team structure and individual roles
To build a solid incident response team, you must tap key stakeholders from different departments, including legal, IT, HR, communications, and risk and insurance management.
Aside from finding the right members, you must ensure that every party knows their responsibilities in the team. Let them know who will be in charge if a breach happens, who will gather evidence for investigations, and when/how everyone will be notified to avoid confusion and conflicts while the team is addressing the breach.
According to Farr, it helps to do tabletop exercises.
What you can do is sit down with the team, put a scenario in place, and act it out.
Practice how the team will work together and set up a communication platform where every member can get updates about an investigation.
3. Not testing and updating the plan
“The biggest mistake that people make when it comes to Incident Response Plan is that they don’t test it,” Farr explains.
Believe it or not, you’re going to miss steps. And the only way to determine whether your incident response plan can protect you in the event of cybersecurity breaches is by regularly testing it and reviewing the team members and tools involved in the procedures.
Farr mentions a scenario: You wrote an IR plan two years ago when your business was in a different space. Over the years, you added locations and new employees. This means that the procedures you have then may not be apt to where your business is right now, and that could cause security gaps, leading to business interruptions.
Testing the plan will help you identify and change outdated security tools, strengthen your systems, and prepare your team in case of actual cybersecurity incidents.
The NIST’s guide includes 11 test scenarios that your organization can follow. It provides guidance on developing and conducting test programs so that you can improve your ability to prepare for, respond to, manage, and recover from adverse events that may affect your business.
4. Retaining ill-equipped consultants
Although there are a lot of service providers out there that offer incident response solutions, selecting the right contractor can still be tricky.
To find suitable consultants, consider your prospective consultants' competencies in digital forensics, malware analysis, and threat research, among others. Check for their certifications and ask about their experience. If your organization is in a highly regulated industry, you should look for incident response consultants that understand your specific needs.
Need help creating your Incident Response Plan?
No Incident Response Plan is perfect. You just need a plan. Then you need to start practicing with it to make it better and better over time. It should be a living, breathing document that is revised frequently. Farr advises a quarterly review and revision to ensure that your IR plan is up to date.
At ITS, we understand that creating and maintaining an IR plan can be overwhelming, especially for a small business. This is why we, as a Managed IT Service Provider with a key focus on cybersecurity, have been providing help to hundreds of clients who need assistance. If you want to know how we can help, fill out our form for a free network assessment.