Last week, Delta Risk hosted a webinar on the topic of “Data Breach Survival Tactics: Building Incident Response Actionable Response Plans.” Delta Risk Solutions Expert, Stephanie Ewing, and Managing Consultant, Ryan Clancy, were the presenters for this live broadcast (view the on-demand version).
In response to the poll questions “Do you have an incident response plan?” and “How often do you test your plan?”, more than half the audience (56 percent) confirmed that they have an incident response plan, and 43 percent of those people test their plan annually. Conversely, 14 percent of poll responders revealed that they don’t test their plan.
Here’s a recap of the questions that came up during the webinar.
Q: Which tools and processes create successful incident response outcomes?
Stephanie: Preparation is essential for success. If you have a plan, rehearse the plan, and your team knows their roles, everyone can think and respond faster during a live incident.
A lot of organizations have invested in a virtual Emergency Operations Center (EOC) for emergency situations. I highly recommend that the security teams talk to the emergency management teams to see what tools are in place outside of the corporate network that could be harnessed. A virtual EOC where communications can be shared, and documents can be archived is a very useful tool, especially for companies that have multiple locations.
Ryan: On the tools side, you should harness your ticketing system for documentation, or leverage any documentation system you may already have. You can also set up a call center. If you’re a customer service facing organization, setting up a separate call tree will be key to helping you manage all incoming calls. In addition, you should have a central conference room where all the key players can get together – sort of like an operations center.
There are some other tools I’d recommend that you can keep in your back pocket. One tool would be a file-sharing service like Dropbox or Box or another cloud service.
Stephanie and I have seen plenty of file servers taken down during attacks. In these instances, you might not be able to access your files or share files amongst your teams. To keep operations going in these instances, you should find a pre-approved vendor and set up a corporate file-sharing account that’s encrypted so you don’t lose access to your data. Lastly, think about setting up another email service as a backup plan.
Q: What’s your opinion about including a cyber security incident response plan (CSIRP) in a business continuity plan?
Stephanie: What we’ve recommended to a lot of clients is that there should be a connection between the two plans, but you shouldn’t merge the plans into one big plan. Although there’s some overlap in processes, roles, and responsibilities, and a cyber security incident can cause a business continuity issue, these individual plans should serve different purposes.
Both plans should also be complementary. You can use the business continuity plan to develop call trees and establish roles for incident responders. In the appendices or annex sections, you can cross-reference both plans.
Q: What are the biggest challenges small businesses (75 people or less) face for building and following incident response plans?
Stephanie: The biggest challenge I’ve seen is a lot of companies of this size outsource or co-source their resources, which can impact the planning process. You need to verify who those third-party vendors and partners are, and make sure they are part of the plan. That means practicing and exercising with those partners to overcome any potential planning and response disconnects.
Ryan: Knowing what you can do and what you can’t do is always the challenge for businesses of this size. You need to be realistic in determining if you have the in-house resources to build and follow a plan, and if not, you need to outsource. Depending on your business priorities, you may want to have a company that you can tap into when the need arises.
Q: What are some of the cyber insurance considerations small businesses need to make for incident response?
Ryan: If you have cyber insurance, there is often a pre-vetted list of companies that you must go through. If there is a company you prefer, make sure to talk to your insurance company to have the company of your choice on your list.
For example, you may have to work with multiple incident response vendors to remediate an incident because of conflicts with your insurance company – and that can waste a lot of time. After all, any company that comes to your case needs to go through an archeological dig of data and evidence, and if they’re weeks behind, that information can become obsolete.
You don’t necessarily have to pay a retainer. Keep a list of phone numbers of companies that are in your area. Any other thoughts, Stephanie?
Stephanie: I completely agree. More recently, I’ve come across a cyber insurance policy that was truly an insurance policy. It didn’t require specific pre-approved vendors, but it’s very rare. Most of the cyber insurance policies are really pre-paid retainer contracts and they specify vendors. You need to make certain selections.
For a lot of organizations, these insurances are being purchased by the risk department or financial services. In those instances, the security teams and supporting teams don’t get the chance to look at the nuances of the contract language. There’s prep work involved with those types of policies to determine if you can use the policy and how you would use the policy.