Developing an incident response plan – and testing various scenarios against it – is now a must. Let’s all remember the Central Bank of Ireland’s stark warning back in 2016. “Firms should assume they will be subject to a successful cyber-attack or business interruption.”
Having a structured and formalised response plan ensures organisations can deal with any security incident quickly, efficiently and effectively. (GDPR provides another good reason to get your response planning in order. Enforcement is mere months away, and its terms include mandatory reporting of personal data breaches to the appropriate data protection authority, where feasible within 72 hours of becoming aware of the breach. You cannot meet that deadline without a rehearsed process for detecting, assessing and escalating incidents.)
Here at BH Consulting, we offer incident response planning as a service for our customers. We have developed the following 10 steps to guide your efforts:
- Involve the appropriate people and processes. The incident response team should represent functions such as IT security, IT operations, physical security, HR, legal and PR
- Look outside the organisation if necessary to augment the internal team’s skills and knowledge
- Ensure the team has full backing of senior management
- Establish the appropriate levels of response to an incident: for example, no response, an automated response, escalation to incident response team members, or escalation to management
- Integrate your incident response plans with business continuity planning
- Ensure necessary levels of authorisation and autonomy (for example, there’s no need to involve senior management for an issue with minimal business impact)
- Train all incident response personnel in their responsibilities
- Keep an incident response log for an accurate record of all actions and outcomes
- Test and review all policies and procedures regularly to ensure effectiveness and applicability
- Finally, implement a review process to learn from any incidents that required a response, and to uncover where to make process improvements.
Here are some other useful resources to help you devise an effective response plan. The UK Information Commissioner’s Office has a GDPR-focused checklist for handling data breaches. ENISA has developed a tool for completing and submitting a personal data breach notification, suitable for all business sectors and public agencies. The US National Institute of Standards and Technology (NIST) publishes a free computer security incident handling guide (Special Publication 800-61). The UK Government has advice about handling media attention and crisis communications. Last year’s Irisscon conference in Dublin had two excellent talks on incident response, from Dr Ciaran McMahon and David Stubley (videos).
Incident response in context
We now live in a world where more organisations feel comfortable disclosing when they’ve had an attempted breach. Last year, both the ESB and Musgrave Group publicly said that attackers had tried, unsuccessfully, to break into their systems. Last month, the CEO of AP Møller-Maersk told an audience at Davos that the shipping company recovered its IT infrastructure in 10 days after last summer’s NotPetya outbreak (malware that presented itself as ransomware but offered no workable path to recovering encrypted data, so rebuilding from backups was the only option). As Lee Neely noted in the recent SANS newsletter, such a rapid timeframe is only possible with a working and tested business continuity plan.
Now that it’s accepted that a security incident could happen to anyone, the focus has turned towards how organisations respond. Contrast the examples above with the criticism heaped on Equifax and Uber after their respective breaches. That’s the kind of negative publicity nobody wants.
Beyond public shaming, there’s also a financial impact from badly handled breaches. The UK Information Commissioner’s Office recently fined Carphone Warehouse £400,000 over its 2015 data breach.
If you’re interested in developing or updating your incident response planning, you can contact us to find out more.