How to Create an IT Incident Response Plan for Your Business
Learn how to build an incident response plan for your business so you can protect private employee, customer, and company data when a cyberattack hits.
- Why Businesses Should Prioritize Incident Response
- Creating an Incident Response Plan for Your Organization
- 6 Steps for a Successful Cybersecurity Incident Response
- Maintain Cybersecurity Best Practices to Prevent IT Incidents
Cybersecurity incident response should be a daily concern for businesses of all sizes. The Identity Theft Research Center reports nearly 281.5 million people have been affected by some sort of data breach in 2021. And this year’s numbers for cybersecurity incidents have already surpassed 2020 totals by 17%.
In May 2021, ransomware attacks hit a major U.S. insurance carrier, shut down one of the country’s largest fuel pipelines, and halted operations at a global beef manufacturer. In June, another IT incident exposed the private personal data of 700 million LinkedIn members. It’s not just large businesses that are susceptible though. 43% of cyberattacks target small businesses—many of which have no IT incident response plan in place.
As IT security incidents increase in volume and severity, every business needs a plan for keeping employees informed and connected if critical IT systems are compromised. Below, we’ll outline the process of creating an IT incident response plan to help you protect private employee, customer, and company data.
Why Businesses Should Prioritize Incident Response
Cybersecurity incidents cost American individuals and businesses billions of dollars each year—approximately $3.5 billion in 2019 alone, according to the FBI. From phishing and malware to stolen passwords or unencrypted employee laptops, there are a number of ways hackers can gain access to private information.
When business systems or data are compromised, it disrupts vital business functions, including service delivery to your customers. Your systems could be taken offline or taken over without your permission. Hackers will have access to unauthorized sensitive information, and, depending on your industry, you could face legal and compliance violations. Between legal fees, cleanup costs, lost sales, and more, IBM reported an average cost-per-incident of $4.24 million.
But perhaps the highest toll of a data breach is the damage caused to consumer trust and brand reputation. With the right incident response, your business can better navigate the challenges of a cybersecurity event and maintain good standing with your customers and public opinion. And the first step to a good response is to create a plan.
Creating an Incident Response Plan for Your Organization
An IT incident response plan is a set of written instructions and procedures which outline how you’ll respond to attempted or actual attacks. The ultimate goal is to prevent, detect, and mitigate cybersecurity incidents. Having an incident response plan in place allows your company to:
- Identify security incidents as early as possible
- React quickly to minimize damage
- Reduce system and business downtime
- Prevent future attacks
Incident response (and the creation of your plan) should not fall completely on the IT team. Instead, think of it as a company-wide initiative that includes ongoing education, training, information security, and the use of data safety practices.
6 Steps for a Successful Cybersecurity Incident Response
The SysAdmin, Audit, Network, and Security (SANS) Institute’s framework is a widely used and respected approach to incident response. SANS is the world’s largest provider of training, education, certification, and research about cybersecurity, and they also operate an early warning system for global cyber threats. Here are the incident response steps recommended by the SANS framework:
Preparation can make or break the effectiveness of your incident response process to a data security threat,—thus a lot goes into this phase. The goal is to get all your systems and procedures ready so that you can react quickly when a threat comes to light. Start by reviewing existing data security protocols and refining them or, if necessary, creating new ones.
Other key actions in the preparation phase may include:
Use a risk assessment to understand the different types of cybersecurity threats that could affect your business, assess your company’s vulnerabilities, and assign priorities to assets based on their value.
Hold tabletop exercises to run through potential scenarios, ask questions, and consider what-ifs from a place of calm (vs. after a threat or an attack has occurred). You can draft an After Action Report to help you tune your plan after trial runs.
A comprehensive incident response plan should include specific instructions for before, during, and after an attack. For instance, who will be responsible for threat intelligence, who will they contact and when, what steps should be taken, and in which order.
Assign roles and outline who is responsible for each action of the plan. Ideally, an incident response team will be a cross-functional group including members from IT, operations, legal, and communications.
Identifying threats early on is critical for damage control. Threat identification includes processes, tools, and procedures used to detect the nature, source, and severity of potential attacks to your IT infrastructure. If you don’t already have a threat process in place, the response plan is your chance to do so.
Consider what monitoring tools, intrusion detection systems, and firewalls you will use to identify risks and determine their reach. Abnormal user or system behavior is often the first clue that something is amiss—thus, the identification process should include collecting and monitoring ongoing data such as error messages, event logs, and login attempts. When a threat or a breach is identified, notify the response team so they can launch containment and communication plans immediately.
Once your organization detects an incident, containment becomes top priority. Containment methods depend on the type of threat. Regardless, acting fast is key to minimizing and preventing further damage to your systems, data, and business continuity. Containment generally includes the following sub-phases:
For example, isolating the network segment that is under attack, taking an infected server offline, and redirecting traffic to a backup or standby system.
This includes protective measures like adding access controls to unaffected systems or blocking IP addresses and providing temporary fixes while preparing for the recovery phase.
By this point, your IT and incident response team should be able to see and understand the full extent of an attack. They will begin removing malicious content, viruses, malware, or other threats and restoring affected systems while being careful to minimize data loss. This key stage of effective incident response also entails identifying the root cause of the attack and applying basic security best practices to prevent future incidents. Other critical eradication tasks might be to reinstall or reimage hosts, reset passwords, and adjust firewalls or network configurations.
Next, the recovery phase begins. At this point, the PR or external crisis communications team will focus on proactive communication and service recovery with customers. Meanwhile, the organization should be focused internally on restoring the data to its most recent clean version, then testing and validating affected systems before carefully bringing them back online. You should monitor system behavior closely throughout recovery to ensure that systems are not re-infected.
A key goal of recovery is to do everything possible to prevent another incident in the future. Preventative actions might include additional encryption methods, setting up multi-factor authentication for devices, performing system updates, and investing in security and backup.
6. Lessons learned
They say hindsight is 20/20, and that’s certainly true with threat intelligence and response. For this reason, the SANS incident response framework recommends taking time to reflect after a cybersecurity incident affects your company. No more than two weeks from the end of the incident, the response team should begin this process, which should include:
An IT incident report with complete documentation will come in very handy for response to future incidents—and it’s necessary if you plan to press criminal charges.
Conduct a meeting with your response team and other key stakeholders to go over the report and discuss lessons learned.
Using all evidence, documentation, and findings from the recap meeting, update your response plan based on what you learned.
Maintain Cybersecurity Best Practices to Prevent IT Incidents
As you can imagine, incident response is an ongoing process—ideally, one that improves with each round through documentation and feedback. Another way to protect your organization is by promoting a culture of data safety within your company. Teach your employees about security best practices and work to maintain them. For example:
- Keep hardware and software up to date
- Use a VPN to privatize connections
- Have an action plan for securing employees’ mobile phones
- Provide firewall security for your internet connection
- Make sure all laptops have security software installed
- Train employees about smart password use
- Limit employee access to sensitive data and information
- Encourage employees to back up their devices regularly
- Require employees to change passwords every three months
The reality is, cyberattacks affect companies every day, regardless of industry, size, or number of years in business. Creating a company-wide incident response plan is no small task—but simply hoping for the best isn’t an option. When the inevitable does occur, you’ll be happy you had a plan in place.
As with any emergency, communication is critical during an IT incident. You need to notify employees about system outages, communicate with the response team, and field questions—all during a fast-moving and high-stakes situation. An emergency notification software solution can help you streamline communication during this time. Having a place to store your contact records and communication templates helps you plan for and organize your communication around these events and saves your organization time and stress.