Cyber Security Incident Response Plan
What It Is, Why It’s Important, and How You Can Build One for Your Business
Cyber security threats in Australia abound despite measures implemented by organisations and governmental authorities, such as the Australian Cyber Security Centre (ACSC), Defence Intelligence Organisation (DIO), and the Australian Criminal Intelligence Commission (ACIC). The ACSC’s Annual Cyber Threat Report for 2020-2021 outlined several key cyber threats reported via ReportCyber including fraud, shopping, and online banking cybercrimes.
Furthermore, the increase in the volume of cyber attack reports has become a pressing issue, with one cyber attack being reported every eight minutes. In fact, 63 per cent of Australian organisations are expecting to deal with a cyber attack within the next 12 months.
Cybercriminals are targeting high-profile or high-value entities, stealing or encrypting sensitive data that they will then exploit for profit. Such data breach can spell serious implications for a company, as it can adversely affect its legal or commercial status and reputation and potentially cause loss of its intellectual property.
Nowadays, cybercriminals use sophisticated technology to access your database and steal valuable information. How can you protect your business from cyberattacks such as data breaches? What’s the best way to prevent or combat security incidents?
By having a cyber incident response plan in place, not only are you protecting your data and other valuable assets from data breaches, but you’re also ensuring business continuity.
What is a Cyber Security Incident Response Plan for IT?
Are you prepared to face a security breach or respond to a cyber attack against your organisation?
A cybersecurity incident response plan is a strategy that will enable you to defend your business against a security breach and the consequences of such a cybersecurity incident. It’s a written plan or a set of instructions that will equip your company, particularly your IT and cybersecurity teams, to combat security breaches, such as a ransomware attack, data breach, or identity theft.
It details steps you need to take for each phase of incident response and should include guidelines for your organisation’s roles and responsibilities and communications in the event of a data breach. It should also contain a standardised set of response protocols.
The Digital Transformation Agency’s Protected Utility Program suggests that an effective incident response plan should follow four steps:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
These phases can be further expanded into six:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
An incident response plan helps you become aware of and address security threats and similar attacks through preparation for and detection and analysis of security events. An incident response plan also promotes awareness of cyber risks and helps you eliminate threats and recover when a breach occurs.
Why Do Businesses Need One?
An incident response plan should be a part of your business continuity plan, along with a risk management plan and a business impact analysis.
While most organisations surveyed in the 2021 Australian Cybersecurity Risk Report consider their ability to defend themselves from threats as either good or very good, one in five Australian businesses aren’t that confident about how they store their data. According to the report, the three biggest cybersecurity concerns that plague organisations are data loss, human error, and insider threats. Moreover, sensitive information such as personal data and financials are expected to be most prone to a cyber attack.
A study by IBM in 2019 noted that a majority of organisations are unprepared to respond to a cybersecurity incident. Furthermore, 4 in 5 Australian respondents lacked a cybersecurity incident response plan that they could apply consistently within their organisation. While some organisations surveyed did have an incident response plan, more than half were unable to test it.
Over the years, network security incidents have affected small businesses and large corporations in various industries worldwide. The average cost of a data breach rose to USD 4.24 million, making it the highest average total cost of the report’s history. The report identified compromised credentials as the most common initial attack vector, with an average breach cost of USD 4.37 million.
Other targets include:
- Business financial details
- Customers’ financial details
- Customer or staff login credentials
- IT infrastructure
- Medical or health data
- Client lists
When a breach or a similar event occurs and you don’t have incident response plans, your security team will struggle to understand and address the situation. This can lead to costly mistakes. Moreover, without incident response measures, you might be subjected to legal obligations. If it’s a significant breach, then you’ll most likely undergo an external audit.
The bottom line is, if you’re storing or dealing with sensitive data, regardless of the scale of your business or the industry you’re in, you can be a target of a cyber attack. Thus, you need to build a solid incident response plan to protect your business and ensure business continuity even after suffering from a security incident.
A Checklist of the Key Components of an Effective Cybersecurity Incident Response Plan
An effective incident response plan should have five key components:
- Straightforward
Addressing a security threat can be challenging and complicated but your IR plans shouldn’t be unnecessarily lengthy. Try to keep it concise to help your members think clearly and strategically even when they’re facing a crisis.
- Simple
This doesn’t mean that your plan should be over simplified. A simple incident response plan is free of unnecessary information and should be written in a way that’s easily understandable to all your team members.
- Comprehensive
Your plan should be all-inclusive. This means also taking into account who you’re dealing with and what they’re capable of. It should outline steps you need to take to counter the attack and mitigate any damage brought about by the data breach.
- Versatile
Threats can vary in their scope and effects. This is why a good incident response plan should be flexible enough for application in different scenarios.
- Speed
When crafting an incident response plan, you should consider how it can equip your team to quickly resolve the issue. You should highlight key steps that your IR team should take as soon as they identify a threat. This enables them to quickly contain the breach. Furthermore, this helps your communications team in liaising with other stakeholders, especially if their participation is immediately required.
Building Your Incident Response Team
When developing an incident response plan, you also need to have an incident response team. These are individuals or groups of people who are tasked to conduct or participate in incident response processes.
There are several types of incident response teams, including:
- Computer Security Incident Response Team (CSIRT)
- Computer Emergency Response Team (CERT)
- Security Operations Centre (SOC)
An effective IR team should be composed of the right professionals with the appropriate skillsets for the job. Your team should ideally have the following roles:
- Incident response managers
- Security analysts
- Threat researchers
- Stakeholders
- Third-party entities
Selecting Your Incident Response Team Members
When choosing incident response team members, include staff from different teams, such as:
- Technical team
Your technical team should be comprised of individuals who have technical expertise on your ecosystems and database, given that they are your core technical group.
- Team leader
This could be someone from your organisation’s executive level who can provide you with oversight for risk management. Your team leader is also in charge of coordinating all your activities and reporting to the company’s management team.
- Incident responders
Your incident responders are tasked to monitor incident response timelines and assess the scale of the active incident. They may also be responsible for corresponding with law enforcement.
- Communications staff
Communication staff members are in charge of internal and external communications, as well as liaising with media outlets, your partners, and other stakeholders.
- Analysts and researchers
This role requires a forensics expert who can either be a third-party contractor or an in-house employee. They’ll be supporting your technical team and incident responders. They’re also in charge of executing your incident response process.
- A third-party incident response expert
This individual is tasked with advising on cases that your IR team is handling.
- Legal team
They can be in-house or third-party attorneys who will represent your organisation should legal action be required.
When selecting members for your IR team, you should also consider the following factors to optimise functionality:
- Individual availability
- Team diversity
- Communication plan
- Employee morale
How to Create a Cybersecurity Incident Response Plan for Your Business
When building an incident response plan, go back to the expanded phases of incident response, which are as follows:
- Preparation
The first phase of incident response planning, preparation lays the groundwork for securing your company and your digital assets against security incidents. During this stage, you need to determine your IR team’s roles and responsibilities, outline your organisational policies on data protection, and identify any critical components within your network. You’ll also need to conduct risk assessment and determine which controls are necessary to manage security breaches.
In this phase, it’s crucial that you raise awareness about cybersecurity to all your employees and conduct trainings that will enable them to handle a crisis. Furthermore, you’ll need to test your existing capabilities in dealing with cyber attacks.
Other things you can do to prepare include:
- Creating an incident response workflow for all your stakeholders
- Form a comprehensive communications plan to inform internal and external stakeholders
- Store sensitive information in a secure database
- Determine tools and services that you might need before, during, and after a data breach
- Consider cloud migration to make the containment process easier
- Identification
At this stage, you need to determine whether or not your system has been breached or if you have compromised data. Here, you’re required to constantly monitor, detect, and report on any security event. When a threat has been identified, your team should gather and document any relevant information pertaining to the breach to help you determine its scope and potential consequences.
Aside from determining who discovered the breach, you should also evaluate how it can affect your operations, as well as its probable source.
- Containment
Once you’ve identified the scope of the breach, you can proceed with containment. It’s crucial plan out what you can do to mitigate the effects of the attack. Identify which systems you can temporarily take offline or which data can be deleted. This is important for isolating the affected network and prevent the threat from spreading to the rest of your ecosystem.
You should also check if you have any sensitive data that’s been compromised or stolen and identify what the potential risks are.
During containment, you can prepare and issue public statements, outlining the scope of the breach and its root causes, as well as the steps you’re taking to resolve the issue. You may also want to get in touch with law enforcement as the breach may also impact your third-party stakeholders.
- Eradication
The next phase is about resolving the data breach in real time. This involves checking for vulnerabilities in your system, disabling accounts that have been compromised, and eradicating all traces of malicious software. This can be tricky because you don’t want to further compromise any more valuable data.
- Recovery
During the recovery phase, your main focus is to restore your systems to their original state. You should complement this with measures such as vulnerability analysis and updating your incident response plan accordingly. If you have any clean backups, you can use them to restore your systems.
You can also implement added security measures such as employing automation and security artificial intelligence. It’s worth noting that combing through your system for any remnants of malicious software and eliminating them is important to preserve your reputation and integrity.
- Lessons Learned
The next step to addressing security breaches is to be proactive. As its name suggests, this phase emphasises the lessons that you’ve learned from the attack.
During this stage, you need to think about how you can prevent future attacks from happening. Meet with your incident response team and discuss what happened and the steps you took to resolve the breach. Identify any gaps or vulnerabilities in your systems that can potentially be a vector for a future attack.
To keep your IR plan effective, you need to constantly review and update it. Larger companies will do well to update their incident response plans more frequently, not just once a year.
Handling Crises with an Incident Response Plan
Your IR plan helps you avoid compromising your data privacy and mitigate security threats to your systems. It’s one of the most important tools that every organisation should have to protect your employees, network, data privacy, reputation, and integrity.
Start building your incident response plan and prepare your company for potential security breaches. Find out how GA Systems’ zero-trust strategy can help you manage threats and meet compliance requirements. Contact us to learn more about our services.
About the author
ProtectCyber is a leading Australian cyber security firm dedicated to safeguarding businesses and individuals from digital threats. Our expert team, with decades of combined experience in the field, provides insights and practical advice on staying secure in an increasingly connected world. Learn more about our mission and team on our
About Us page.