{"id":2078,"date":"2025-02-25T09:00:00","date_gmt":"2025-02-25T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2078"},"modified":"2025-02-25T09:00:00","modified_gmt":"2025-02-25T09:00:00","slug":"how-to-create-an-effective-incident-response-plan","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2078","title":{"rendered":"How to create an effective incident response plan"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>When a company experiences a major IT systems outage \u2014 such as from a cybersecurity incident \u2014 it\u2019s essentially out of business for however long the downtime lasts. That\u2019s why having an effective incident response (IR) plan is vital.<\/p>\n<p>It\u2019s not just a matter of finding the source of an attack and containing it, though. Enterprises need to <a href=\"https:\/\/www.csoonline.com\/article\/2111061\/cyber-resilience-a-business-imperative-cisos-must-get-right.html\">design for resilience<\/a> to be able to continue operating even as key systems become unavailable.<\/p>\n<p>What goes into an effective incident response plan? Here are some suggestions of essential components.<\/p>\n<h2 class=\"wp-block-heading\">Perform impact analysis to ensure business resiliency and continuity<\/h2>\n<p>When a security breach brings down key systems, companies need to have a solid IT resiliency or <a href=\"https:\/\/www.cio.com\/article\/288554\/best-practices-how-to-create-an-effective-business-continuity-plan.html\">business continuity (BC)<\/a> plan in place. 
If the business is down for even a few hours that could lead to <a href=\"https:\/\/www.csoonline.com\/article\/567697\/what-is-the-cost-of-a-data-breach-3.html\">big financial losses<\/a> and negative public relations.<\/p>\n<p>\u201cOne of the key components of the development of a business continuity plan is to understand the essential functions your organization performs, and what the impacts would be if they were disrupted,\u201d says Justin Kates, senior business continuity advisor for convenience store operator Wawa, who is responsible for architecting a new BC program for Wawa\u2019s expanding footprint of more than 1,000 stores across 10 states.<\/p>\n<p>\u201cThis is typically done through what is called a business impact analysis (BIA),\u201d Kates says. \u201cThere are some in the business continuity space that think that the BIA is not a helpful\u00a0tool, but in reality it helps the business continuity lead get a better understanding of how processes work across the organization.\u201d<\/p>\n<p>The BIA catalogs each process and determines what the impacts would be at certain\u00a0intervals based on lengths of a business outage.<\/p>\n<p>\u201cI\u2019ve seen a lot of success in using the BIA to determine which response plans are necessary to guide teams with workarounds if their typical applications and technology services are not working,\u201d Kates says. 
Workarounds can include manual steps to perform the process or the use of alternative vendors or services to meet minimum requirements, he says.\u00a0<\/p>\n<p>The time to determine which parts of the business are most essential to operations is not after an incident has happened, but well before.<\/p>\n<p>\u201cI find that the foundation of any effective incident response plan is to truly understand your business, from people to process to operations, through detailed and pragmatic impact analysis,\u201d says Adam Ennamli, chief risk, compliance, and security officer at General Bank of Canada.<\/p>\n<p>\u201cWhen you talk about BIA and RTOs [recovery time objective], you shouldn\u2019t be just checking boxes,\u201d Ennamli says. \u201cYou\u2019re creating a map that shows you, and your decision-makers, exactly where to focus efforts when things go wrong. Basically, the nervous system of your business.\u201d<\/p>\n<p>Many organizations treat all their systems as equally critical in practice, Ennamli says. \u201cAnd when the rubber hits the road during an actual incident, precious time is wasted on less important assets while critical business functions remain offline and not bringing in revenue,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Establish a comprehensive post-incident communications strategy<\/h2>\n<p>Another key element that can make or break an incident response strategy is communications. Without clear communications among the major stakeholders of the business, a company might experience much longer downtimes or the loss of vital processes for extended periods.<\/p>\n<p>\u201cHow are you going to go about communicating? With whom? When?\u201d Ennamli asks. \u201cAnd it\u2019s not just about having a phone tree or a list of email addresses. 
You want pre-approved content blocks and templates for different scenarios, [multiple] backup communication channels, and clear decision and delegation structures for who can say what to whom.\u201d<\/p>\n<p>When an incident occurs, \u201cthe last thing you want is to be wordsmithing press releases, [sending] mass emails, or trying to figure out how to reach your team because your primary channels are down,\u201d Ennamli says.<\/p>\n<p>It\u2019s vital to have <a href=\"https:\/\/www.csoonline.com\/article\/574541\/the-role-of-cisos-in-the-communication-response-following-an-incident.html\">robust communication protocols<\/a>, says Jason Wingate, CEO at Emerald Ocean, a provider of brand development services. \u201cYou\u2019re going to want a clear chain of command and communication,\u201d he says. \u201cWithout established protocols, you\u2019re about as effective as trying to coordinate a fire response with smoke signals.\u201d<\/p>\n<p>The severity of the incident should inform the communications strategy, says David Taylor, a managing director at global consulting firm Protiviti. While cybersecurity team members actively responding to an incident will be in close contact and collaborating during an event, he says, others are likely not as plugged in or consistently informed.<\/p>\n<p>\u201cBased on the assigned severity, stemming from the initial triage or a change to the level of severity based on new information during the response, governance should dictate the type, audience, and cadence of communications,\u201d Taylor says.<\/p>\n<p>This gives cybersecurity and other leaders a consistent timeframe in which to expect updates, Taylor says. \u201cIn concert, this enables the technical response teams to focus on the response without stopping progress to provide updates in an ad-hoc manner,\u201d he says.<\/p>\n<p>One of the most important steps is appointing a communications lead as part of the incident management structure, Kates says. 
\u201cWhen technology systems are unavailable, many within the organization will need to implement workarounds to keep essential processes going,\u201d he says. \u201cMany of the decisions they make are based on updates that are being provided on the status of the incident and expected resolution times.\u201d<\/p>\n<p>The technology teams will be focused on mitigating the impacts of the incident and might not have the time to provide updates, Kates says. \u201cYour plans should outline who will take the lead in sharing updates with internal and external stakeholders, including even updating them when there may not be any new information,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Structure teams with clearly defined response roles and workflows<\/h2>\n<p>It\u2019s important to understand who\u2019s responsible for what following an incident.<\/p>\n<p>\u201cWhen a cyber incident hits, confusion is your biggest enemy,\u201d Wingate says. \u201cA team without defined roles is going to be running around like an orchestra without a conductor. They all may be technically skilled, but they\u2019re all playing different songs. When incidents occur, confusion costs time, and when an incident does occur, time is everything.\u201d<\/p>\n<p>Structure and roles should go beyond the cybersecurity or IT staff. \u201cThe biggest myth in cybersecurity is that it\u2019s just an IT problem,\u201d Wingate says. \u201cModern cyber incidents are business incidents, and treating them otherwise is like having a fire escape plan that only one person knows about in the building.\u201d<\/p>\n<p>The IR structure and roles ideally should include representatives from across the enterprise.<\/p>\n<p>The key cybersecurity roles are the CIO\/CTO, CISO, incident commander, incident coordinator, endpoint analyst, network analyst, and external forensics support, among others, Taylor says. 
Roles outside of cybersecurity should include the crisis management team and possibly representatives from legal, corporate communications, human resources, finance, and others, depending on the extent of the incident.<\/p>\n<p>\u201cDefining who sits in each of these roles is key, with associated responsibilities that should also be clearly defined and easily referenced in relevant plans,\u201d Taylor says.<\/p>\n<p>It\u2019s also important for IR plans to identify key external stakeholders, says Rocco Grillo, a managing director at business advisory firm Alvarez &amp; Marsal Disputes and Investigations and head of the firm\u2019s global cyber risk and incident response services practice.<\/p>\n<p>This includes outside counsel, IR and forensics investigation firms, cyber insurance contacts, notification and credit monitoring firms, law enforcement, and ransomware negotiation firms, Grillo says.<\/p>\n<h2 class=\"wp-block-heading\">Understand the totality of your threat landscape<\/h2>\n<p>The cybersecurity threat landscape is broad and complex, and effective IR strategies need to be designed to address this complexity. 
Attacks can come from a growing number of sources and affect not just an enterprise, but its suppliers and other business partners as well.<\/p>\n<p>\u201cMore focus is being concentrated on supply chain attacks as opposed to direct hits on companies,\u201d Grillo says.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/561323\/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html\">Supply chain attacks<\/a> are \u201cakin to a burglar breaking into a building\u2019s superintendent office to get the keys to allow entrance into all of the apartments in the building, versus a burglar breaking into only the penthouse of the building to take the crown jewels,\u201d Grillo says.<\/p>\n<p>In addition, IR plans need to focus not just on external threats but also on <a href=\"https:\/\/www.csoonline.com\/article\/566603\/what-is-an-insider-threat-7-warning-signs-to-watch-for.html\">insider threats<\/a>.<\/p>\n<p>\u201cInsider threat risks are not only limited to malicious employees, but also employees who commit acts of human error and\/or unknowingly create cyber risk exposures to their companies that threat actors are able to exploit,\u201d Grillo says.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/1305977\/6-best-practices-for-third-party-risk-management.html\">Third-party vendors and suppliers<\/a> fall into the insider threat category, Grillo says.<\/p>\n<p>\u201cThird parties can have authorized access to a company, and when [they are] compromised by a threat actor, they inadvertently create a \u2018draw bridge\u2019 for threat actors into the companies that the third party is contracted with,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Conduct continuous testing and regular reviews<\/h2>\n<p>Enterprises need to test their incident response and business continuity plans when they first create them and then on a regular basis, to ensure they are effective.<\/p>\n<p>\u201cThis really shouldn\u2019t have 
to be said; it\u2019s like everything else in tech, test it first,\u201d Emerald Ocean\u2019s Wingate says. \u201cIf you jump out of a plane, you\u2019d probably want to make sure your parachute was checked first. You don\u2019t want to find out it doesn\u2019t work as you\u2019re hurling out of a plane.\u201d<\/p>\n<p>One reason regular testing is so important is that the cybersecurity landscape is constantly shifting.<\/p>\n<p>\u201cIn my experience, the key to effective recovery is treating your incident response plans as living, mental playbooks rather than static documents, and regularly stress testing your assumptions,\u201d General Bank of Canada\u2019s Ennamli says. \u201cThe pivot is moving beyond theoretical planning to practical, tested steps that have been proven to work under pressure.\u201d<\/p>\n<p>Following any security incident, enterprise IR and BC teams need to conduct reviews to see how well plans were executed and where improvements can be made.<\/p>\n<p>\u201cRecovery from an incident [and] exercises of the incident response program must be followed by a disciplined lessons-learned effort,\u201d Protiviti\u2019s Taylor says. \u201cThese are commonly referred to as after-action reviews [AARs], post-incident reviews [PIRs], hotwashes, or debriefs. Regardless of label, a disciplined and documented approach of managing both positives and [negatives] post-incident is paramount to continuous improvement.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Stress simplicity and modularity wherever possible<\/h2>\n<p>Although the threat landscape is complex, IR and BC strategies don\u2019t need to be. Sometimes, simpler is better.<\/p>\n<p>\u201cWe typically see organizations craft numerous, hundred-page\u00a0binders for their emergency plans, one for incident response, another for business continuity, another for disaster recovery, etc.,\u201d Wawa\u2019s Kates says. 
\u201cMost of these plans have significant overlap and are just copied templates they have found online.\u201d<\/p>\n<p>Instead of creating separate, cumbersome plans for each type of incident, Kates has adopted a modular, \u201cplaybook\u201d approach.<\/p>\n<p>\u201cYou can develop a few hazard-specific playbooks \u2014 ransomware, power outage, severe weather \u2014 that can plug and play common functions of incident response [such as] communication, situation assessment, business process workarounds,\u201d Kates says.<\/p>\n<p>This approach allows teams to activate and combine relevant plays based on an incident\u2019s nature, creating a more useful plan, Kates says.<\/p>\n<p>\u201cI\u2019ve found it\u2019s also far simpler than maintaining multiple large plans, ensuring information remains current,\u201d he says. \u201cPlaybooks include checklists and decision trees to guide responders through complex procedures, reducing cognitive overload during a crisis.\u201d<\/p>\n<p>See also:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3825447\/how-cisos-can-rebuild-trust-after-a-security-incident.html\">How CISOs can rebuild trust after a security incident<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/574541\/the-role-of-cisos-in-the-communication-response-following-an-incident.html\">Plan now to avoid a communications failure after a cyberattack<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/644794\/5-ways-to-prepare-a-new-cybersecurity-team-for-a-crisis.html\">5 ways to prepare a new cybersecurity team for a crisis<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/569927\/6-steps-to-building-a-strong-breach-response-plan.html\">6 steps to building a strong breach response plan<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When a company experiences a major IT systems outage \u2014 such as from a cybersecurity incident \u2014 it\u2019s essentially out of business for 
however long the downtime lasts. That\u2019s why having an effective incident response (IR) plan is vital. It\u2019s not just a matter of finding the source of an attack and containing it, though. [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2079,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2078"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2078"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2078\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2079"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}