Do your spring-cleaning plans call for refreshing and improving your cyber security incident response plan (CSIRP)? If so, that means your organization has a CSIRP – and hats off to you, because you’re in the minority.
As much talk as there is in cyber security circles and conferences about developing and improving incident response (IR) plans, most organizations don’t yet have one. In 2018, the third annual “Cyber Resilient Organization” study, conducted by the Ponemon Institute, revealed that fewer than one in four respondents said their organization had a formal CSIRP.
Drafting a CSIRP often falls in the realm of “dreaded documentation.” So if you have a plan, that’s an important accomplishment: it gives your security program a foundation for dealing with potential cyber security incidents and improving response time. However, I’m completely sympathetic to organizations that continue to grapple with putting pen to paper – the struggle is real.
In my experience, though, most organizations that DO have a CSIRP are concerned it won’t help them as much as they’d like during actual or potential incidents, or a data breach. The most common thing I hear from my clients is, “We have a plan, but we’re not happy with it.” This is backed up by statistics from the July 2018 Quarterly Incident Response Threat Report from Delta Risk partner Carbon Black, in which 59 percent of respondents said their organizations take a reactive, rather than a proactive, stance toward incident response.
If you can relate to that, don’t fret. Here are my top four recommendations to help you improve your plan if you have one. And if you don’t? You can still apply these tips when you go to create one.
Is This Gilligan’s Island?
Does your plan include updated contacts, along with detailed processes and procedures for employees and vendors outside your security incident response team? Cyber security incidents and data breaches touch all areas of the business. Your plan – including your communications plan – needs regular reviews, with input from a wider audience, not just your immediate coworkers.
Take every opportunity to engage stakeholders – even board members, possibly – before you’re faced with cyber threats that may range from a business-crippling cyber attack to a phishing attack. Although plans vary, consider adding representatives from human resources, marketing and corporate communications, the risk and compliance team (if it sits outside security), and even financial officers and law enforcement. As we saw in the recent Norsk Hydro case, the Chief Financial Officer (CFO) ended up on the front lines – and in the headlines – when the international firm was hit with a crippling ransomware attack.
Another thing many organizations haven’t included in an updated plan is cloud applications and infrastructure. Are those under the control of the security team, or DevOps? We’re seeing more and more companies blindsided because their plan doesn’t mention or account for things like their Amazon Web Services (AWS) accounts, Office 365, or basically anything cloud-related, let alone consider how to improve investigation and containment capabilities in the cloud. If you’re not thinking about unprotected S3 buckets and misconfigured accounts that could leave data open to anyone, think again.
We Have Cyber Insurance?
These days, more and more organizations have a cyber security insurance policy, but most CSIRPs don’t even mention it. Your CSIRP needs to contain the pertinent information regarding triggers, contacts, and claims process requirements.
Everyone on the team should be aware of what’s included in the policy and who the primary contact is in your organization for initiating a claim. While you’re at it, add a reference list for all your third-party contractors that may be called upon in an incident, along with details of their roles and responsibilities in case of a security event or security breach.
“Who's on First, What's on Second, I Don't Know is on Third...”
As I touched on earlier, your plan should clearly articulate roles and responsibilities. So many organizations shy away from making assignments in advance. The plan should define roles, provide assignment guidance based on incident severity and scale, and designate backups. Given how often most people change jobs and roles, you should review this at least annually.
One of the biggest mistakes I see is security teams working in silos and not looping in colleagues who can share knowledge and drive buy-in for the plan in other departments. That might include your DevOps or cloud applications management team, for example, as mentioned above. And if you do include other folks, make sure they know about the plan – see my next point below.
Do I Need Hatha Flow or HIIT Class?
Exercise your plan. Let me clarify my point – exercise the plan. Did I mention you should take every opportunity to engage stakeholders? Of course I did. This is a no-brainer. I don’t care if you stick with tabletop exercises or conduct red/blue team drills; there is no negative outcome from exercising – it’s all good.
Exercises raise awareness of threats and new trends. They also give teams the opportunity to work on response plan improvements in a safe, risk-free environment. This is the best method to train people on their roles and responsibilities.
Most cyber security incident response plans are a work in progress – and that’s to be expected. In a real-world event, your team will operate more confidently and efficiently if:
- They understand the broader perspective of business stakeholders
- They know how to utilize your third-party resources
- They clearly understand roles and responsibilities
- They have exercised their plans
So dust off that plan, take it out into the sunlight, and give it a good look. By taking steps now to improve your CSIRP, you’ll be much better prepared to face whatever threats come your way, whenever they hit.