The key to a successful cyber security strategy is preparation. If you have a plan for how to manage data breaches and other disruptions, you can get to work on remediation immediately.
And what’s more, everyone in your organisation knows their roles. There’ll be no one wandering around unsure what to do as a crisis unfolds.
Instead, people will turn to management, who can relay instructions and get everybody on the same page, working towards a common goal.
This is essential not only to ensure calm prevails but also to mitigate the extent of the breach and the financial and reputational cost for your organisation.
Faster response means less damage
It takes 206 days on average to identify a breach and a further 73 days to contain it, according to Ponemon Institute’s 2019 Cost of a Data Breach Report.
During that time, organisations spend about €3.5 million on recovery. However, those costs decrease dramatically when organisations are able to respond within 200 days.
The report found that organisations spend about €3 million when they contain incidents within this time frame, compared to €4.14 million when it takes longer.
This 38% swing in costs could be the difference between a bad few months for your organisation and it going out of business.
So how can you ensure that you detect and contain breaches promptly? Let’s take a look.
How to create an incident plan
The best incident response plans draw on ISO 27001, the international standard for information security. Within this, ISO 27035 contains the principles and guidelines for incident management.
You can meet ISO 27001’s requirements by following this eight-step process:
1. Identify risks, vulnerabilities and threat exposure
To plan for disruptive incidents, you need to know the types of events that you’re likely to face.
Your first task should be to conduct a risk assessment that identifies the weak spots in your organisation and how they might be exploited.
Risk assessments also give you an idea of how significant each risk is – i.e. how much damage will it cause and how likely is it to occur.
This helps you determine risks that aren’t worth addressing, because planning for them is either more expensive than the damage they will cause or because the risk will probably never materialise.
2. Review cyber security controls
You should already have controls in place to mitigate the risk of security incidents, even if they’re basic things like antivirus software or acceptable use policies for employees.
Before you consider implementing new controls, it’s worth reviewing your current ones to see if they are up to date and working as intended.
If you’re happy with what you have, you should make sure it’s documented and cross it off your to-do list.
3. Conduct a business impact analysis
A BIA (business impact analysis) is similar to a risk assessment, but it gives you a closer look into the ways your organisation is affected by each threat.
The process helps you identify how your critical business areas will be affected in each of the scenarios outlined in your risk assessment.
One of your main objectives here is to determine the maximum length of time your systems can be down before the damage reaches an unacceptable level.
Knowing this gives you a clear marker of what’s considered a successful or unsuccessful response, which will guide your remediation strategy. If a control doesn’t help you meet the deadline for getting back online, then it’s not worth implementing.
4. Form the incident response team
This group of people are responsible for overseeing your incident response practices. They analyse data related to incidents, discuss their observations, coordinate activities and share important findings internally.
The size of the team will depend on the number of risks you identify and the resources at your disposal. However large the team, we recommend including at least one senior member of staff, such as a director, information security manager, facilities manager or IT manager.
Appointing a high-level employee ensures the team has the authority to make decisions that employees will follow.
5. Develop incident response plans
Now it the time to develop response plans based on the identified risks that you’ve decided are serious enough to address. Your plan should focus on the risks to your critical assets, asset owners and asset locations.
You should also implement a reporting process or communication plan to ensure that the incident response team and relevant stakeholders are informed of any incidents.
6. Test incident scenarios
The next step is to test your response plans to make sure they work and to iron out any errors.
Testing these steps at least biannually ensures that they are and remain effective, and enables the documented plan to be as detailed as possible. And no matter how familiar staff are with the plan, theory is no substitute for practical experience.
We suggest conducting tests twice a year, because your organisation and the risks you face are always evolving. It also helps employees get into the habit of incident response, which can help them stay calm in a stressful, real-life scenario.
7. Conduct incident response training
The testing process usually reveals that employees are the weakest link in the chain. That’s understandable, given that they’re often working against the clock in these scenarios.
To reduce this risk, you must teach your staff about the importance of effective security and how they can avoid making mistakes.
Employees with incident response duties should receive additional training in relation to their role, whether this concerns incident notification, reporting or classification, or scenario testing.
Those with business continuity duties should also receive appropriate training.
8. Establish a continual improvement framework
Like any framework, incident response processes must be regularly reviewed to take into account emerging threats and areas where the current framework isn’t working as intended.
As such, the steps outlined here should be repeated annually or whenever there are major changes to your organisation.
Experiencing a cyber security incident?
If you’re facing a disaster or worried about what will happen when an incident occurs, you should turn to IT Governance Europe.
Our experts help you take immediate action no matter what the situation. We can mitigate the damage if you’re in a crisis or optimise your existing resources and provide support where needed.
Following the incident, we aim to get you back to business, armed with the knowledge to manage your risks and improve your security posture.