An Incident Response Plan (IRP) is an important document for businesses to have. An IRP is a living step-by-step document to help your organization handle or mitigate a cyber threat/data breach. You should review this plan annually and update it whenever circumstances change. Your organization needs to consider the plan rigid and unchangeable if a situation calls for you to put it into action.
There are many resources and services available to help design and implement an IRP, but here are a few basic items to consider and/or include when designing your own:
WHO in your organization will make up the response team? It should include senior or management level staff with expertise in various fields, e.g. IT, risk management, compliance, legal and HR.
The company should appoint a Team Leader with full decision making capability because this could help to avoid unnecessary chaos. Team Leaders may need to make on-the-spot decisions.
The incident response team should also identify subject matter experts within the organization that you can consult if you detect a cyber incident. The discovery of a breach is not the time to dabble in new segments of your business – know who you can turn to when you need intelligent insight/information.
Document EVERYTHING! If you discover a cyber breach, or suspect a breach, record all the steps and actions you took to resolve or rectify the situation.
This documentation will be very valuable if forensic investigations are needed. Also record any observations made by subject matter experts as their insight will also be valuable to further investigations.
Contain the problem. The response team, or most likely the team leader, will have to make a judgment call whether the cyber threat allows regular business operations to continue, or whether they need to lock down the same system(s).
Taking a business “offline” for any period of time can have major repercussions. The business should predetermine a team leader with full decision making authority prior to an incident.
Prepare a plan of action for if/how you can isolate the threat/breach/affected system. Who do you need to execute a system lockdown? What steps do you need to take? How quickly can you take these steps? Remember you need to record all the steps your organization took in case it is needed at a later date. NOTE: we strongly advise that you do not shutdown your systems. Shutting down may result in losing valuable forensics.
Lastly, call in qualified forensic experts to look into the issue. Unqualified personnel may A) cause further system damage; B) eradicate or muddle forensic evidence; or C) any findings may not be admissible in court due to the person’s lack of qualifications.
Stage 1: eradicate the risk/threat.
Stage 2: restore the system and monitor it closely.
The most important thing for most businesses is to get rid of the problem and resume normal business activities as quickly as possible. The remediation stage accommodates both of these goals. You need to watch for any unusual activity – you may have eliminated the threat, and your business may be back up and running, but unless you closely watch your systems and operations you could still be at risk.
Review what you have learned during this incident:
What lessons did you learn?
Were there any weaknesses in your system?
Was response to the incident carried out quickly and handled correctly?
Did you involve the right people at the various stages?
What do you need to change in your IRP to improve it for future incidents?
In addition to a Cyber Incident Response Plan, consider purchasing a Cyber Liability insurance policy. This policy helps cover expenses associated with a breach such as client notification, system forensics, lost business income, PR and reputation management, plus legal and defense costs to name a few. Despite the name, Cyber Liability also covers personally identifiable information (PII) and personal health information (PHI) that is not stored electronically. Loss, theft or unauthorized access to paper files, or laptops and smart phones containing or allowing access to PII or PHI, is also considered a data breach and the fines/fees associated are just as high.