An incident response plan (IRP) allows organizations to adeptly respond to a cyber security incident. The average cyber security incident costs organizations $3.68 million in resolution and containment efforts. Research shows that organizations with effective incident response plans are able to reduce containment costs by 25%. This reduces expenses by nearly $1 million per incident.
Of organizations that qualify as high performers in terms of cyber resilience (i.e, those experiencing a low number of data breaches and business disruptions), 55% have implemented incident response plans. Among organizations that have a middling level of cyber resilience, only 23% have developed incident response plans.
Why would organizations choose not to develop an incident response plan?
Some organizations cite a lack of staffing to assemble, test and execute a plan. Others cite a lack of proper organizational infrastructure for a centralized management approach.
What is the role of a CxO in the incident response planning process?
For an incident response process to work, plans must have buy-in from executives and high-level decision makers. “Without their involvement or support, plans can be [and sometimes are] completely disregarded the moment there is an incident,” the Australian Cyber Security Centre points out.
What are the basic components of the incident response process?
You’ll want to section your incident response plan into several chapters. These include:
- Prevention
- Detection
- Containment
- Investigation
- Remediation
- Recovery
How can our organization leverage best practices in developing an incident response plan?
Ensure good communication. In developing an incident response plan, be sure to establish an incident response coordinator, who can communicate with the appropriate parties, aggregate information, and provide updates on an incidents’ status as needed.
Provide clarity on calling law-enforcement. Define the circumstances under which it is or isn’t necessary to call in the authorities.
Documentation. Develop a checklist of what your personnel should document as an incident unfolds. This is critical in the event of a legal case against cyber criminals.
Tools. Don’t leave your IT pros in the lurch. You wouldn’t go on a camping trip without emergency provisions. Similarly, be sure that your information technology team has as much emergency software and hardware as possible on-hand in order to reduce the impact of an incident. All of the tools should be easily accessible in a central location.
Public relations management. Be sure to include your PR team in your incident response plan. Define how they’ll address potential reputational damage, and any pending legal actions.
Any other recommendations for organizations?
“Being fully prepared is your best defense,” says the Australian Cyber Security Centre.
For more information on Incident response planning, visit the European Union’s Agency for Cyber Security website, the Australian Cyber Security Centre’s website, or explore the SANS institute’s resources.