Incident Response Planning

Fail to Plan – Plan to Fail.

Even with the best training and security in place it is still likely your organisation will need to deal with some sort of cyber incident. Studies have shown breaches can take months to discover so it is vital to have a procedure in place to ensure a speedy resolution. It is also key to make sure these procedures are reviewed regularly if there are any significant changes in your business and that they are communicated clearly at all levels of your business. An example of this necessity can be seen in the shift to homeworking during COVID-19 and how companies had to adapt their approach to cyber security.

‘Dwell time’ is the length of time that a breach or malware goes undiscovered, and it is a serious issue in cyber security. During this time the attacker has access to the system and can do damage. If you don’t monitor your system for anomalies or record the right data, this time frame can increase.

Another approach is to start ‘threat hunting’. That is, to proactively invest time in investigating possible threats in order to see how they play out, then use these lessons to be able to respond in real time to potential threats as they arise.

Another dimension to dealing with threats is to have a comprehensive incident response plan in place. This will mean you are able to deal with any incidents efficiently and without stress. It can also dramatically mitigate any losses you may incur, so it is important to invest time in developing and testing this plan.

There are several questions you need to consider when putting together a response plan:

What is your worst case scenario?

How quickly would you begin to lose revenue in the event of an incident?

How would you deal with a data breach? Who would need to be notified? Do you know your responsibilities under GDPR?

How will you find out what has happened? Do you have your own IT team? Do you outsource this work?

A trucking company suffered a ransomware attack where cyber criminals encrypted all of their data files and requested a ransom of $9,920. Hackers had encrypted all of the data that they required to run their operations including routes, logistical information, contacts, and stock levels.
Rather than pay the ransom they set about reconstituting data from paper records and their employees’ knowledge of day-to-day operations. This resulted in a large amount of overtime costs and loss of business income that resulted from the extended outage of their systems and the consequential impact on operations.

The first step in the formation of a plan is to perform a risk assessment so that you can effectively prioritise the aspects of your business which are most vulnerable, and to which attack vectors. By doing this you can decide what sort of incidents your plan should focus on.

One of the things you should consider is the systems you use for backing up your critical data, and the most appropriate frequency for performing these backups. It is also important to regularly test your backups so you can be sure there are no issues when you actually need them. It is a good idea to keep backups off site in case of a physical incident such as a fire affecting your premises.

There should be a clear communication plan for your business, including documentation which states the roles, accountabilities and processes within the plan, so that everyone in your team understands their responsibilities. This means they will be able to respond quickly should an incident occur, saving you valuable time.

It is really important to regularly review how your systems are being used and to scan for threats, so you can detect anything out of the ordinary which could indicate an issue and avoid the ‘dwell time’ which can be so devastating. If you work with a cyber consultancy they may be able to assist with this.

If you have identified something which could be an issue and you have a cyber insurance policy, you should contact your broker/insurer, who may be able to assist either with advice or with practical support from forensics or data breach experts.

Once you have confirmed that an incident presents a threat, it is important to contain it to prevent any further damage from occurring. In the short term this means taking down affected servers; in the long term it means applying fixes that allow servers to be brought back online so that recovery can begin.

At this point you need to review the type of data that could have been breached to know whether you need to notify your clients or a regulatory authority. You will also need to have a plan for how you will go about doing this.

In this step the cause of the attack must be dealt with once it is identified. This can involve removing malware, and remedial action should then be taken to prevent similar attacks from happening in future. For example, if a vulnerability was exploited, the first step would be to ensure it is patched; if the cause was a phishing attack, you should take the opportunity to review the training you have provided to your staff and look at what more you can do to ensure it is effective.

You will then move into the recovery stage of your plan, in which you bring any affected systems back online. This needs to be done very carefully to ensure another incident does not take place. To confirm the security of your systems, you can implement a process of testing to check that all parts are working as expected.

Following on from any cyber event it is critically important to monitor your systems closely. Studies show that once you have suffered a breach you are more likely to suffer a second attack, as cyber criminals are able to use any information they learned from the initial attack.

Following the event it is vital to look back and investigate the substance of what happened and why, then reflect on what was effective and which areas require improvement. This is a particularly important step in building cyber resilience for the future.

Whilst formulating your Incident Response Plan you should also look to create a Disaster Recovery Plan to run alongside it. Your incident response plan will focus on identifying potential problems and resolving them as quickly as possible, and your disaster recovery plan will outline how you intend to bring systems back online.

Insurance can respond in a number of ways to work with your incident response and disaster recovery plan including assisting with forensic investigation costs, legal costs and notification costs. It can also respond in other ways to mitigate your loss of revenue including business interruption cover, reputational damage and public relations costs.

Having both of these in place will help keep claims costs to a minimum, and so they are looked upon favourably by cyber insurers with regard to terms and premium.