This week, we'll discuss how to plan for cybersecurity emergencies. We discussed how to identify the right cybersecurity strategy last week, so click here to go read all about it if you missed it. Every business needs a plan to deal with emergencies, and this week we'll cover how to build a cybersecurity incident response plan.
No one plans to fail; however, failing to plan will often lead to a disaster when it comes to cybersecurity risk management. Depending on a business's size and stakeholders (regulators, shareholders, etc.), having a bad plan can actually cost the business even more than if it had no plan at all! We've seen many different versions of breach victims with no plan, good plans, bad plans, and half a plan or less, and our experience is that having the right plan can mean the difference between resolving a serious problem with little to no impact or having a minor issue balloon into shareholder lawsuits, regulatory fines, and other nightmares. Let's discuss how you can prepare for successfully managing a cybersecurity crisis by having the right Incident Response Plan.
Some of the first things to consider when developing an Incident Response Plan (or "IRP") include identifying who, what, when, and how the business will go about handling a cybersecurity incident:
Once the business has answered the questions above in a narrative form, the basics of a plan can be laid out in a business document that is stored in electronic and paper form, in a secure location that is accessible by the Incident Response Team.
The Incident Response Plan is a living document that should be updated at least annually. Many things change in a business over the course of a year, such as Internet service providers, employee positions, and technical information. Relying on information that is out of date is a sure-fire way to create bigger problems, so keeping the Plan up to date is very important.
Make sure that the business's legal counsel is included in the Incident Response Plan and is also involved in testing the plan. Some organizations go the extra step of retaining outside counsel that specializes in cybersecurity law; these firms are invaluable when dealing with regulatory and other legal compliance issues, including notification requirements that vary based on the region in which the business and its stakeholders operate.
An Incident Response Plan is only as good as the testing it is subjected to; an IRP should be tested at least annually. Most of the time, this will involve an Incident Response Tabletop exercise that runs through different scenarios with the Incident Response Team following the Plan, so that the Plan is exercised and the Team gains familiarity with the process and its likely outcomes. Every test will produce lessons learned and potential changes to the Plan, as well as experience for the Team members that will pay off in the event that the Plan must be invoked.
Many businesses retain specialized cybersecurity services companies to provide guidance during Incident Response Plan development, testing, and review. Ingalls Information Security provides IRP development, tabletop testing, and reviews to help ensure that the Plan is a functional, living document that can adequately address a crisis in the event that a cybersecurity incident is declared. Contact us today to find out how we can help your organization prepare for a cybersecurity crisis!
Join us next week when we discuss Penetration Testing and why it's a good idea for businesses to get tested at least once a year for holes in their cybersecurity technical controls. Thanks for reading!

This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-point guide, click here to sign up and get the entire guide for free!