A Guide to Cyber Security Incident Response Planning


Cyber attacks are one of the most common incidents any organisation can face: 39% of businesses in the UK reported a cyber security breach or attack in 2020. Every cyber incident, no matter how big or small, triggers a cyber security incident response effort aimed at mitigating the impact of the event and limiting the damage to the organisation's operations, finances and reputation. A successful response, however, begins long before an attack actually takes place.

Cyber security incident response planning requires an understanding of where an attack could come from, and a plan for each attack vector. Those plans include preparing teams for the incident and setting out clear communication plans.

Cyber attacks really are that common

Of the UK organisations that identified a breach or attack in 2020, 83% reported phishing attacks directed at their organisation. Phishing is a form of social engineering in which criminals send fraudulent emails, posing as a trusted sender, to an organisation's staff, either to harvest useful information such as email addresses, bank account details or even passwords (often through a link to a fake login page), or to get users to run malware delivered through a link or attachment.

While phishing attacks are fairly common, it is the far more destructive ransomware that makes the headlines. Ransomware is growing in scope and destructiveness, as are other forms of cyber attack such as viruses, spyware and other malware, denial of service attacks, and the hijacking of accounts. Organisations operate under constant threat of a cyber attack.

Preparation is key… What should go into a cyber security incident response plan?

The Cyber Security Breaches Survey found that just 31% of businesses and 27% of charities in the UK include cyber security threats in their business continuity plans.

There are many variables to include in a cyber attack incident response plan; some of the elements to consider include:

Connect detection controls to a response platform – You can't respond to incidents you don't detect. Make sure you get early warning of an attack through effective detection controls, and have an efficient security operations centre that can mobilise quickly when an attack is identified.

Integrate detection controls with a mass notification system that alerts the IT response teams and mobilises them into action as soon as an attack is identified.

Create incident response playbooks – Go further than an incident response plan: create a playbook. A playbook contains all the information, contact details and step-by-step tasks the cyber attack incident response team needs in order to respond to the incident. It includes written guidance on who to notify, regulators among them, and communications plans for employees, stakeholders and the public.

Cyber attacks inherently affect IT systems, so the playbook must be stored somewhere secure and still be accessible when the IT network is not working: for example, an offline or printed copy held outside the affected environment, with the team's contact details reachable through a channel that does not depend on the corporate email or chat systems, which may themselves be compromised or unavailable.

Move incident response plans off the page – Test incident response plans with tabletop exercises, or rehearse them with full cyber attack simulations, to see what works and what doesn't. Acting out the plans shows whether everything is covered and ensures everyone knows what to do in the real thing.

Help employees stay safe – It's no coincidence that phishing and other forms of social engineering are the most common form of cyber incident: humans have long been seen as the weakest link in cyber security, and attackers exploit gaps in awareness. Engage employees with the cyber security programme, and train them to become security champions who protect themselves and the organisation's network.

Review cyber security incident response plans regularly – Things change, so update the plans when they do. When new systems come online, add them to the playbook. Review the list of incident responders and their contact details so that it stays as up to date as possible.

Spring into action – speed is essential in a cyber security incident response

When an attack occurs, time is of the essence. Make sure the incident response team is made aware of the attack as soon as possible, with an integrated IT alerting system that brings the team together in a matter of seconds.

The plans and playbooks are crucial at this point, so it is vital that they are readily accessible at the team's fingertips. Most of the first few tasks should already be done: the incident response team should know who they are, the Lead Investigation Officer should already be in place, tasks should be mapped out, and communications plans should be in place.

With that said, some of the activities that follow a cyber incident include:

Quickly contain the breach – Establish which servers, devices and systems are affected and isolate them as quickly as possible. Where you can, isolate a system from the network rather than powering it off, so that volatile evidence (memory, running processes, active connections) and local logs survive for the investigation. Cut off the internet-facing routes and remote access the attacker is using while the full scope of the attack is being established. Reset credentials, starting with privileged and service accounts, as soon as you are confident the attacker's access has been removed; resetting passwords while the attacker still has a foothold only hands them the new ones.

Assess the breach – Gather more information about the breach. How did the attacker get in, and what did they access? Is it a stand-alone attack, or are other organisations also affected?

Log everything – Keep a comprehensive, timestamped log of the incident and the response: when the incident occurred, how it was discovered, the actions undertaken to manage it and who took them, the members of the incident response team, and more. Record decisions as they are made rather than reconstructing them afterwards; the log is the evidence base for regulators, insurers and the post-incident review.

Prioritise what to work on when – Information about the criticality of systems, and what to prioritise, should already be in the cyber security incident response plan. Highest priority goes to the systems required to operate, or to return to operations as quickly as possible.

Communicate with stakeholders – Notify employees, stakeholders, customers and the public as soon as possible, using the communications plans prepared in advance. Contact regulators and insurance providers in the first instance: in the UK, a personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware of it, and many cyber insurance policies make prompt notification a condition of cover.
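The "log everything" step above is easier to do well, and easier to defend in front of a regulator or insurer afterwards, if the record is structured and tamper-evident from the first entry. The following is an added example written for this page, not code from Crises Control or from any incident management product: a small append-only incident log in Python in which every entry carries a UTC timestamp, the actor, the action and a hash of the previous entry, so that any later edit, reordering or deletion of an entry breaks the chain and is detected by verify(). The incident identifier INC-0001, the host name LAPTOP-17 and the timeline in example_log() are constructed sample data, not a real case.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # sentinel "previous hash" for the first entry in a chain


def _canonical(record):
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class IncidentLog:
    """Append-only incident record.

    Every entry stores the hash of the previous entry and a hash over its own
    content, so editing, reordering or deleting an entry after the fact breaks
    the chain and is reported by verify().
    """

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def append(self, actor, action, detail, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": when.isoformat(),  # UTC, so entries from different teams line up
            "actor": actor,            # who acted (person or system)
            "action": action,          # short verb: detected, isolated, notified, ...
            "detail": detail,          # what was done and why
            "prev": prev,              # link to the previous entry
        }
        record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.entries.append(record)
        return record


def verify(entries):
    """Walk the chain from the start.

    Returns (True, None) if every entry's hash and link check out, otherwise
    (False, seq) for the first entry that fails: its content was changed, it
    is out of order, or an earlier entry was removed.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def example_log():
    """Constructed timeline for a hypothetical phishing incident (sample data, not a real case)."""
    log = IncidentLog("INC-0001")
    t0 = datetime(2021, 3, 1, 9, 12, tzinfo=timezone.utc)
    log.append("SOC analyst", "detected",
               "EDR alert: macro-enabled attachment executed on LAPTOP-17", t0)
    log.append("SOC analyst", "isolated",
               "LAPTOP-17 removed from the network via EDR; memory image taken first",
               t0 + timedelta(minutes=9))
    log.append("Lead Investigation Officer", "scoped",
               "Same phishing email delivered to 14 mailboxes; 2 users clicked",
               t0 + timedelta(minutes=41))
    log.append("Data protection officer", "notified",
               "Regulator notification filed (within the 72-hour window)",
               t0 + timedelta(hours=6))
    return log


if __name__ == "__main__":
    log = example_log()
    print("intact:", verify(log.entries))
    tampered = [dict(e) for e in log.entries]
    tampered[1]["detail"] = "No action taken"  # someone rewrites history afterwards
    print("after edit:", verify(tampered))
```

In practice the entries would be written to storage the responders cannot quietly rewrite (an append-only store, or periodically exported and countersigned), and the chain head hash noted in the daily situation report; the hash chain only proves that nothing changed after an entry was written, not that the entry was truthful when it was made.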

Recovering from a cyber attack

The initial response to a cyber attack is only the start of an organisation's recovery from the incident. Once the heat of the response has passed, the post-event analysis begins, to learn the lessons of the attack and of the organisation's response to it.

Analysing the incident response is important. The organisation will want to understand which containment actions worked, whether the cyber attack incident response plans were effective, and the losses and costs of the attack. Reports and logs that record every action carried out during the response will support the organisation in learning from the attack and improving its response to the next incident, whatever it may be.

Supporting your cyber security incident response planning

Creating cyber security incident response plans may seem like a daunting task, but there are platforms available to support organisations through every step of the planning, response, and analysis stages.

At Crises Control, our incident management platform is just one part of our powerful mass communications platform that will support your cyber security incident response with real time alerts, secure, available messaging, and the ability to prepare and execute messaging between the incident response team and the organisation, and with employees, the public, customers and suppliers, and other stakeholders.

Schedule a demo to learn more about how Crises Control can support your cyber security incident response planning today.