A cyber incident response plan is a key element of developing and maintaining a strong cybersecurity stance. It’s one tier of a layered approach that includes a smart combination of these elements:
- a positive cybersecurity culture
- the right proactive and reactive tools
- knowing what to do in case of an attack.
Small businesses are not immune to the risk of a cyberattack. In fact, many owners are just as concerned about a cyberattack as they are about a supply chain disruption. By operating with an “assume breach” mentality, you can prepare for the question of not if, but when, a cyberattack occurs.
Why a Cyber Incident Response Plan Is Important
You probably have plans in place to continue business operations in the event of unexpected circumstances like extreme weather, power outages, and even illness. Cyber incident response is a key piece of this continuity strategy.
Think of it this way – knowing how to respond to an attack is just as important as having the tools in place to help prevent one. Planning provides the guide that helps your team detect, respond to, and recover from a cybersecurity incident.
When the event happens, your team will need to respond quickly to contain the damage and restore services. The time you spend up front will put you in a strong position to recover more successfully. This isn’t a time to make it up as you go.
The plan helps protect more than the technical aspects of your IT infrastructure and data. It helps maintain compliance with industry regulations and cyber liability insurance requirements, and will also minimize financial loss, downtime, and reputational damage after an event. Your investment in planning for recovery could make or break the future of your company.
Take a Best-Practice Approach
A good place to start is with the NIST Incident Response Framework. The NIST framework is one of the most widely accepted tools for cybersecurity planning and response. While the framework is currently in revision, it can be broadly summarized into four main areas:
Preparation and Planning
Assemble a team (consider key members responsible for IT, legal, HR, operations, communications) who can identify business-critical information and systems, classify incident types based on their potential business impact, and help create the plan. This will be the first-response team when an event occurs.
As a starting point, identify your main security risks. Map out how your company would respond to different types of threats. For example, the response to a network-wide data breach is different from the response to a single suspicious email click.
Detection and Analysis
Continually monitor your entire infrastructure to detect and identify threats as quickly as possible. Implement processes for specific attack types, such as ransomware, and for situations such as a staff member’s email account being compromised and used to send spam.
Containment, Eradication and Recovery
Depending on the event, your plan will guide the IT team in how to isolate and disable the threat and restore systems.
As part of your planning, create action steps including how you’ll stay in touch with your staff, customers and other stakeholders while the IT team is hard at work on the technical side. You’ll likely need help from your attorneys, communications team, insurance providers, and possibly law enforcement.
Post-Incident Activities
Evaluate the strengths and weaknesses of your team’s response. Bolster any technology gaps or staff training. Address any potential negative impacts of the event on your staff and customers. Revisit and update your plan regularly to keep it relevant and ensure its effectiveness.
Tips to Get Started on a Cyber Incident Response Plan
A simple cyber incident response plan is better than no plan, so don’t wait. Start where you are today. Over time, your plan may become more detailed depending on how your IT environment changes or as new threats develop. Here’s where to begin:
- Make incident planning a priority and establish an incident response team. Identify a planning facilitator and key members from various departments to begin the planning process.
- Identify threats and vulnerabilities to your organization. Prioritize these and decide how you would respond if the most likely events occur.
- Develop response procedures. Create a playbook with clear instructions and areas of responsibility for each member of the incident response team.
- Review the plan annually. Technology tools and circumstances change. Make sure your plan is current.
Our Thoughts
As a managed IT services provider, CRU Solutions is acutely aware of the risks to our clients and our own business from cyber threats. Over the years, we’ve worked with clients who thought it could never happen to them. When it did, they were grateful to have a team with the tools and skills to help them recover successfully.
While news reports often focus on the technology behind cyberattacks, don’t underestimate the emotional impacts. In the first hours and days, there will be stress created by the overall disruption to your business, mental demands of crucial decision-making, and exhaustion from long hours.
Even if the initial recovery goes smoothly, the longer-term effects of communicating with your customers and working with insurance companies, attorneys and regulators can take a toll. Still, your preparation will put you in an excellent position to return to “business as usual” as soon as possible.
Does this seem like overkill for a small business? When the attack happens, your planning will pay off. Work with your IT team or an IT provider who has the experience, tools, and knowledge to benefit your business. That confidence should help you sleep better at night.
To learn how CRU can help address the cybersecurity needs of your business, contact us.