It is difficult to think of any business that isn’t connected to the internet in some way, so therefore every business needs to prepare for the inevitable attack, targeted or otherwise. A cyber Incident Response Plan (IRP) prepares the organisation so that a coherent and coordinated response can be managed, regardless of the situation, and thereby limit the impact that an incident could have on ongoing operations.
To think of this in terms that might be easier to relate to, every organisation will have a fire evacuation plan. If this didn’t exist in the event of a fire there would be panic and the outcome would likely be significantly worse, if for example, the doors and windows were left open. A cyber incident is no different, without a plan, there will likely be panic. Having a plan enhances an organisation's ability to notify and triage incidents sooner and more importantly be dealt with expeditiously at the appropriate level, and consequently minimises the impact that the cyber incident will have. As a result, any direct losses will be minimised, whilst the indirect impacts or risks of potential regulatory fines and brand reputational damage or customer dissatisfaction are also reduced.
This blog explains the process of creating an effective IRP and has been divided into key stages that provide the necessary guidelines to achieve this goal. However, before thinking about getting into writing an IRP, there are some critical analyses to be undertaken and documented capturing the organisation's key processes and procedures and assets and risks. Without this first step any IRP is likely to be significantly lacking in its effectiveness – definitely not what will be required during any incident!
Pre-IRP work streams
Before starting to design a plan of how an organisation should respond in the event of a cyber-attack, it will pay huge dividends to clarify a number of key things, which will also support and inform both Business Continuity requirements and Disaster Recovery priorities, namely:
- Firstly, understand critical business functions and processes – how they work, what value they provide to the business
- Secondly, identify component parts of systems and infrastructure that are key to support the critical business functions/processes – effectively drawing a map of dependencies including where use is made of third parties
- Last, but by no means least understand and model how the critical business function/process would react to the most likely threats to the organisation
Some, if not all of this activity may seem particularly onerous, but will likely prove vital in the event of an incident, to support properly informed decision making on containment actions that may need to be considered.
Creating a triage matrix and allocating roles and responsibilities
Having conducted the aforementioned activities, this information now needs to be prioritised - what is the most critical information, most important process, supplier that the business are most reliant upon? Listing and prioritising the results and assigning severity classifications to each element will then allow the organisation as a whole to better understand what is important to it, as well as the risks surrounding the people, processes, technologies and information that the organisation uses.
Once the prioritised list has been completed, the next step is to decide who should be involved at each level of severity, as well as what the escalation procedures should be at each stage. This element of the plan should be intrinsically linked to both the IT Incident Management processes as well as any extant Crisis Management plans and procedures, as any cyber incident may well start off as an IT incident, but could well end up becoming a Crisis requiring input and support from across the wider organisation including but not limited to Legal, Marketing, PR, Human Resources, Risk Management, Operations and Facilities.
It is also a good idea to think about things from a People, Process and Technology (PPT) perspective, as one of the three is often overlooked by teams formalising Incident Response plans.
- Including the right people in the Cyber Incident Response Team (CIRT) will allow a timely and coherent organisational response
- Simple and robust processes will support situational awareness and reduce confusion
- Appropriate technology to support the CIRT and processes will streamline and expedite incident resolution
- Pre- agreed plans will speed up response and pre-set delegated authorities also saving valuable time but retaining control.
Define each step of the overall plan
The plan should consist of clearly defined steps to take when dealing with an incident as well as how to classify an incident at the outset – this helps everyone understand what the problem may be. The following specific aspects should be covered:
- How to log, escalate and report an incident
- Prioritisation and communication
- Roles and Responsibilities
- Contact details for:
- Incident Response team members
- Relevant 3rd parties
- Wider stakeholders
- Insurance policy details (if cyber insurance held)
- Links to playbooks to support the response to specific scenarios and containment or eradication strategies
- Links to Business Continuity, Disaster Recovery and Crisis Management Plans
- Post-incident actions to learn from and improve incident handling
Conduct a coordinated rollout
Arguably the most important step, without which much of the other work is somewhat irrelevant. Having a rollout plan is paramount for getting the Incident Response strategy understood and adopted by the entire organisation. Ideally, this would be achieved by running a simple table top exercise to talk through and reinforce key elements of the plan – this will also highlight any areas where the plan needs to tweaked or an element is missing.
Business as usual?
Now that the plan has been incorporated into the business, that box has now been ticked and job well done, right? … Not quite.
The plan needs to be kept up to date in order for it to remain accurate and useful. As an organisation changes or evolves, then so must the plan in order for it to still be of any utility – if the business moved into new premises, but the fire plan from the previous premises was used in the event of a fire, it is unlikely that it would be of much use. Ditto for an IRP, IT upgrades, changes to company structures, new suppliers, the list goes on, but all changes need to be incorporated into the plan for it to retain utility. We would recommend a review of the plan and exercising it at least annually, which can be done internally, but often this can be the CIRT marking their own homework, who won’t necessarily notice any gaps or shortfalls. Regular exercising of the plan will also develop confidence in the procedures and ‘muscle memory’ which will kick in in the event an actual attack.
Cyber IRPs are essential to ensure that the organisation minimises both the direct and indirect impacts that cyber incidents can cause. Cyber-attacks continue to evolve with some becoming increasingly indiscriminate, so unfortunately it is almost inevitable that one will befall every organisation sooner or later. With that in mind, it is worthwhile being as prepared as possible – having a plan will minimise the impact. It is also well worth considering what the first question from either the media or regulator is likely to be – “what had been done to prepare?”