Do I Really Need an Incident Response Plan?
The value of having an IRP
Having an Incident Response Plan (IRP) — and knowing how to use it — is an important part of any cybersecurity program. A good IRP will give detailed instructions on what steps to take in the event of a cyber incident. And, as we all know, it is important to be prepared because it is not a matter of if but when a cyber incident will occur.
An IRP is well worth the cost. Compare the cost of an IRP with the average cyber incident cost of $2,235,000 for a medium-size business and you will recognize the financial value. Other consequences of a cyber incident can include damage to the company's image and loss of customer trust. In the Emergency Services industry sector, the consequences could even mean the difference between life and death if an emergency call is prevented from getting through to a 9-1-1 call center.
Characteristics of a Good IRP
A good IRP is tailored to a specific organization. The IRP will outline what to do, when to do it, and who (by name or title) is responsible for each step. By contrast, watch out for companies that offer IRPs that are generic in nature. These IRPs often leave out important steps or fail to define who is responsible, with the result that important actions do not get completed. An additional characteristic of a good IRP is that it is simple and easy to follow. When a cyber incident occurs, minutes matter. You do not want to be fumbling through a huge plan searching for what step to do next.
Getting an IRP in Place
Of course, you can write your own IRP. Online resources like the National Institute of Standards and Technology (NIST.gov) are helpful. However, the information found online is often cumbersome. It often contains a lot of material that informs about Incident Response, but lacks the straightforward steps—the “playbook”—needed to efficiently navigate through a cyber incident.
The best option is to hire professionals to write an IRP for your organization. They know what to do and will ensure the steps are clearly laid out so nothing important is missed. Professional IRP writers will also tailor the IRP to your organization.
The Best IRP Includes Training and Prevention
In addition to having an easy-to-follow on-the-shelf IRP, every organization should train on it and exercise mock Incident Response scenarios. Ideally, this training is conducted at least annually or whenever there has been a significant change in key personnel that would have a role in responding to a cyber incident. A tabletop exercise (TTX) is a good way to “wargame” your plan for different types of cyber incidents.
Taking steps to prevent cyber incidents should be the first step in your overall cybersecurity plan. Beyond cyber threat awareness training, organizations should conduct a risk and vulnerability assessment on their network. Risk and vulnerability assessments identify vulnerabilities so that professionals can fix them before cyber threats can get through. A good risk and vulnerability assessment will identify not only vulnerabilities in the network and technology, but also vulnerabilities that could arise from people or processes.
Zach Basford is the Chief Operating Officer of Intuitus Corp., which offers Managed Detection and Response services as well as cybersecurity consulting services, including IRP development.