Five key considerations for a robust cyber incident response plan

We explain five key considerations for ensuring a rapid cyber incident response

In the present era of unparalleled data proliferation and threats to cyber security, private and public organisations are under significant pressure to prevent cybersecurity breaches and, if they do occur, to act on them with urgency. Worryingly, despite these threats, 70% of organisations do not have a cyber incident plan and are therefore completely unprepared for such an event.

This pressure is in part due to regulations including the GDPR. While the GDPR heralded a new era of improved data protection for individuals across the EU, it also imposed strict rules for handling data breaches, including:

  • A timescale of 72 hours during which any breach must be notified to the relevant regulatory authority.
  • If there is a ‘high risk of adversely affecting individuals’ rights and freedoms’, then those individuals must be informed without delay; and
  • Any personal data breaches must be fully recorded.

And for any business hit by a cyber incident, there will be another rather pressing priority: getting the business back to normal operations.

For any firm, having a thoroughly documented, communicated, and tested cyber incident response strategy in place is no longer optional; it is essential. Here are five of the main considerations when developing a cyber incident response strategy:

1)    Rapid response will instil confidence in business partners and clients

While some businesses might decide to take the risk and handle any cyber breach as it occurs, this is certainly not a professional and responsible attitude. A single event, no matter how minor, can escalate, and if your clients or business partners are affected, or hear about the matter, they will likely lose confidence in your willingness to invest in protecting their interests.

Business partners will not only be concerned about vicarious reputational damage; they will also want to ensure their own systems have not been contaminated and that ongoing transactions are secure. Beyond this, employees will not take kindly to being dropped in at the deep end of a cyber emergency when there has been little preparation for its eventuality, and equally, regulators will be rattled by the risks being imposed on those they are charged with protecting.

By committing the budget and resources necessary for a solid cyber incident response plan, the contagion of lost confidence can be avoided, and as a result, your business will not need to switch into ‘damage limitation’ mode for the next several months. Investment of this nature is akin to insurance: you hope you will never need it, but if you do, it can limit business exposure dramatically.

2)    Use technology to respond quickly to a cyber attack

Used effectively, technology can be set up to respond to a threat automatically. Network monitoring can be used to automatically close breached ports and, where necessary, isolate sensitive network segments or IT services. In addition, by using technology designed to ensure business uptime in the event of an attack, including resilient, load-balanced, backup and recovery, and failover systems, the potential for a prolonged outage is minimised.

3)    External cyber incident response providers can act immediately

A pre-established retainer for incident response services increases your capability to respond efficiently to unforeseen cyber-attacks. Without this in place, the response time to incidents is drastically increased, as there is no pre-existing relationship with an incident response service provider. Even if a provider is sourced mid-way through the incident, there will be further delays due to the onboarding process and internal approvals. Moreover, attackers can use this time to cause more damage to the business before the investigation has even started.

When a cyber-attack occurs, you will not have time to upskill staff or put in place new measures and procedures; you need to act immediately. By partnering with an external provider to manage any cyber security breaches, you can be assured that resources will be available regardless of the time of the incident, and that they will have the human and technical capacity to take immediate action.

The Lineal Cyber Incident Response Team is proven and experienced within its field. We provide remote and/or onsite investigation support to help organisations without a retainer to quickly mitigate the impact of an incident and restore business as usual. An incident response retainer is an annual subscription that includes onsite readiness, pre-negotiated terms, and SLAs, all to enable customers to resolve incidents quickly, prevent recurrence and keep executives up to date.

4)    Effective governance is the key to a successful cyber incident response

Regardless of whether you engage a cyber incident response partner, it is still vital to ensure a clear governance structure is in place. This means that, should an incident occur, roles and responsibilities are clearly understood across all business functions (including IT, legal, business, and operations), a communication plan is in place, and the policies and procedures are fully understood and ready to be followed.

Having a structure in place is vital, but without practice and rehearsal there is a real chance of failing to respond effectively. Often even the smallest omission can cause problems. It is also important to consider what happens when those with key roles are unavailable or absent on the day of an incident. For example, while you will have a primary incident lead in place who will liaise with the urgent response team to co-ordinate efforts, what happens if they are on holiday? Ensuring that every essential role always has cover means such gaps will not arise. Likewise, if the cyber attack takes out the corporate network, how will you communicate and co-ordinate efforts? And what happens in the small hours, when your business is closed or operating with a skeleton staff?

5)    Remember other obligations during a cyber incident response

During the emergency response, it is natural to want to simply resolve the matter by focusing purely on the problem at hand. But it is important to consider the need to:

  • Preserve any evidence relating to the cyber breach;
  • Keep records of what happened; and
  • Learn lessons from the incident (on completion of the response).

By not carrying out these three steps correctly, you risk compromising any future action by a regulating authority, in addition to harming any possible investigation into the perpetrator of the attack. And by not learning lessons from the cyber breach, the chances are it could happen again.
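As an added illustration (not part of the original article or of Lineal's own tooling), the Python sketch below ties the GDPR obligations listed earlier to the three steps above: it computes the 72-hour regulator notification deadline from the moment the organisation became aware of the breach, records SHA-256 hashes of preserved evidence, and keeps a hash-chained timeline so that any later alteration of the record is detectable. The incident ID, timestamps and evidence bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GDPR_NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33: notify the regulator within 72 hours of awareness


class IncidentRecord:
    """Tamper-evident incident log: every entry carries the hash of the entry before it."""

    def __init__(self, incident_id, aware_at):
        self.incident_id = incident_id
        self.aware_at = aware_at          # when the organisation became aware of the breach
        self.entries = []

    def regulator_deadline(self):
        return self.aware_at + GDPR_NOTIFY_WINDOW

    def hours_remaining(self, now):
        return (self.regulator_deadline() - now).total_seconds() / 3600

    def log(self, when, actor, action, evidence=None):
        # Evidence is hashed, never stored here, so the record can be shared without leaking data.
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "when": when.isoformat(), "actor": actor, "action": action,
                 "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence is not None else None,
                 "prev_hash": prev}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Recompute every hash; any edited, removed or reordered entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    aware = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed awareness time
    rec = IncidentRecord("INC-EXAMPLE-001", aware)          # placeholder incident ID
    rec.log(aware, "soc-analyst", "Isolated affected host; forensic image preserved",
            evidence=b"constructed disk image bytes")
    rec.log(aware + timedelta(hours=2), "legal", "High risk to individuals assessed; notify data subjects")
    return rec
```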

As Winston Churchill once wisely stated, “All men make mistakes, but only wise men learn from their mistakes”.

Protect your commercial integrity

The Lineal Cyber Incident Response service, along with our industry-leading experts, provides the complete assurance you need to protect your assets in a timely fashion, minimising both internal and external impacts from cyber-attacks on your commercial operations.

To find out more about outsourcing your cyber incident response requirements, please contact our team on +44 (0)20 7940 4799 or email info@lineal.com.