Failure to respond effectively during an incident involving loss of information asset confidentiality or integrity (not to mention availability!) can impact company performance, reputation, and individual careers. The purpose of incident response is to reduce the damage caused by an event, and there is a critical process that can give you the best chance of making an incident manageable; instead of a headache or worse.
In the past, a company hardly ever needed an incident response plan, but those days are gone. Between the real world events affecting their competitors, and in-house contract obligations, having an incident response plan is the ‘new normal’ for all businesses that manage information assets; that pretty much means all companies.
It isn’t unusual these days for a company to need to use its incident response program at least annually, so given today’s legal environment it would practically be a violation of due care not to have one. Thus, the chances are you have an incident response plan, but how do you know your plan will work during a real world event? As events become more frequent and with a greater business impact, what one key activity can be performed that will markedly increase your chances for success when an incident occurs?
The key to effective cyber incident response is exercising the plan
There are many ‘key’ controls in the riddle that is information security. For example, when reviewing business continuity plans (BCP) look for the business impact analysis (BIA). The BIA is ‘key’ to the BCP; no matter how many pages make up the BCP, if there isn’t a BIA then it is reasonable to assume the BCP is not in alignment with the business needs. For Incident Response (IR) plans there is a corresponding key control. The key to effective Incident Response is in ‘exercising’ the plan and testing that it actual works.
There are many elements to a successful incident response program:
- Listing your team members and contact their information
- Involving Legal
- Having a PR firm engagement letter
- Using the Right Tools
- Establishing escalation thresholds
- Having premade breach letters
But the key, above all else, is ‘Exercising’ the Plan.
The reason why exercising the plan is critical is that without practice, timeliness, accuracy, and precision are unachievable. The plan might look good on paper; it may even be duly approved, involving the right process and tools. However, not exercising the plan before an incident is an almost guaranteed recipe for response failure.
The damage caused by an event is minimized by having a timely response, accurately determining the cause and scope of the incident and precisely responding to remove the threat without affecting the rest of the business; none of this is achieved without practice. It takes more than a firehose to be a firefighter, and it takes more than just having a plan to have an effective response to an incident. It takes practice, and so exercising the incident response plan is good for business.
Responding strongly to an event and minimize the damage caused
A company that can respond strongly to an incident has less risk of reputation or financial loss. If for no other reason than the incident is managed in the shortest possible timeframe. It is, therefore, important to determine what makes an effective exercise.
An incident response exercise, first and foremost, must not be afraid of failure or to exercise the plan to real world events. The goal is to gain the muscle memory for an actual incident, not just to ‘say’ you’re ready, but ‘know’ the plan and the team are ready. If it appears that there is too much pressure to ‘pass’ an incident response exercise, hire some outsiders to perform the exercise with you. Our experience suggests that if an exercise doesn’t find at least two or three big things (typically it is more like ten for the first exercise) that need addressing, you probably didn’t run your exercise correctly.
An effective exercise has three critical elements as a foundation
An effective exercise is run best by two person teams. It turns out to be a somewhat futile effort to have a single individual run an incident response team exercise. There is so much information passed between incident response team members during the exercise that it is not practical to facilitate the exercise and identify the critical gaps at the same time.
Exercises should be run often; once a quarter is ideal. To run an exercise once a year isn’t sufficient to be very useful because the goal is to create muscle memory across the incident response team, and across the business. Note that every dollar spent in practice will likely pay for itself many times over during a live event when swift and efficient response counts.
Exercises can start theoretical, using tabletop exercises, then, once all incident response team members and senior management understand their roles, tabletop, and functional exercises are combined. An important aspect of incident response exercises of any type is that they give immediate feedback to the incident response plan. You’ll hardly ever run an exercise without seeing a corresponding change to the incident response plan. In fact, the After Action Report (AAR) of an incident response exercise is critical tool in creating an effective plan.
So practice and reduce the overall costs of your next cyber security incident
Cybersecurity incidents are expensive, potentially very expensive, and how your business reacts to an event can either make it less or more costly to recover from. A company that exercises their incident response plan is more likely to:
- Reduce the overall financial impact of an event
- Have an accurate incident response plan
- Limit the damage of an event to affected business functions only
- Provide confidence to the senior management team
- Limit the overall reputation damage done to the business
So ask yourself, what did you find and address the last time you exercised your incident response plan?