Developing an incident response plan

Being prepared to respond to a cyber security incident

Cyber incidents can occur at any time and can take many forms. An incident may occur in critical systems at a time when key staff are unavailable, or in rarely used systems that may not have a clear immediate response, or in third-party systems that require outside involvement.

An incident response plan determines how your organisation will respond to a cyber security incident. Every organisation should have an incident response plan in place and should regularly review and test it. Having a plan in place can dramatically limit damage, improve recovery time and help safeguard your business.

Crucially, incident response plans must have buy-in from the business executives; they are generally the key decision makers and the ones facing the public when there is a significant incident. They may also be the legally responsible office holder. Without their involvement or support, plans can be completely disregarded the moment there is an incident.

These plans also help make cyber security front-of-mind for CEOs and business executives as they detail the known threats facing the business and the risk of compromise.

Effectively dealing with an incident

One of the most crucial elements of an effective incident response process is ensuring the right people are involved in the process as early as possible. This must be established before an incident occurs to enable a timely response, and must be recorded in a place that is easily accessible and made known to staff. This information must be regularly reviewed and updated.

Having contact information for the right staff covers more than just ensuring that the right management chain is recorded. It may also include representatives from other technical teams, non-technical teams, or external parties if third parties are involved.

Content of an incident response plan

Incident response plans should be accessible by all staff and kept current. There are established standards that can assist in developing a plan, such as ISO 27035-2.

A good incident response plan should include the following:

  • Analysis of the threat environment including the likelihood and severity of potential incidents. Consider industry-specific threats, the type and value of data you hold, third-party networks and the current cyber security posture of your networks.

  • Identification of key assets, data and critical systems. What are you working to protect and why does it need protecting?

  • Plans for each major incident type and for the different types of data that could be compromised. For example, the theft of personnel data would require a very different response from a ransomware attack. These plans should include timeframes and objectives.

  • Key roles and responsibilities of management and staff. It’s crucial that all parties involved understand the reporting lines, who will be making decisions, what the decision thresholds are and what involvement there is from senior management.

  • Key tools including contact lists, checklists and guides for use during the response. This should include hard-copy printouts as the incident could make your systems unusable.

  • A process for alerting necessary stakeholders including the Australian Cyber Security Centre, board members, suppliers and external agencies that may be impacted.

  • Public relations and media management. What advice can you give your customers/clients? Who is the media spokesperson and what can be said to the media? If businesses fail to manage this well, the reputational damage can far outweigh the actual business cost of the incident.

  • Arrangements to regularly review and exercise the plan. A plan might look good on paper but it needs to be exercised regularly to ensure it is effective. Make sure there is a review schedule that considers the frequency of changes to the organisation or the threat environment. For a large organisation that has frequent structural changes or new platforms, consider reviewing every three months. For a smaller organisation, perhaps every six months.

  • Post-incident review and reporting. It’s important to document the incident details and response actions, collect the lessons learned and update the incident response plan to improve future responses.

Other actions worth considering include:

  • Personal impact: many cyber security incidents have a very real impact on individuals. What support can be provided and how will you manage the human side of this incident?

  • Legal exposure: many cyber security incidents result in court cases that can be very expensive. Ensure your legal team/service provider is consulted in the drafting of the incident response plan.

  • Mandatory reporting requirements: if there is a breach of personal data, do you need to report this to the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme or under the General Data Protection Regulation (GDPR)?

  • Business consultation: cyber security incidents are not just an issue for the technology team; they have impact across the business. Consulting on this plan will also assist internal coordination during an incident.

Being fully prepared is your best defence.