Why you need a cybersecurity incident response plan

David Horne, March 3, 2020

These days, software security risks are ubiquitous. News about large companies, government agencies, or hospitals experiencing security breaches has become common.

The consequences of these breaches include system downtime, data loss, and data theft, which can cost you money, expose you to legal liability, and damage your brand. According to a 2019 report commissioned by IBM, the average cost for a data breach for an American company is $8.19 million and typically involves more than 25,000 records.

A growing number of states — and many countries — have laws requiring organizations to notify government officials, customers, and other stakeholders when a potential data breach occurs.

Some of these laws, such as legislation recently enacted in California, also give consumers and others the right to sue. While organizations work to prevent security breaches, they often leave out a critical tool: the incident response plan.

What is a cybersecurity incident response plan?

An incident response plan is a documented series of actions to take in response to a cybersecurity incident.

While it’s unlikely that any incident will go exactly according to your plan, having a plan ensures that in the heat of the moment you’ll remember critical steps and involve the right people.

A cybersecurity incident response plan is unique to your business and the specific risks it faces. When drafting the plan — and reviewing it annually — you should involve all of the organizational stakeholders who might be involved in or affected by a cybersecurity incident.

In addition to IT staff, that’s likely to include:

  • Senior management, who should ensure the plan fits with your overall mission, strategy, and goals. Senior leaders can also provide sufficient resources for the plan and make sure it’s correctly prioritized across the organization.
  • Legal counsel, to ensure the plan meets compliance and reporting requirements. Often, organizations face different regulations in several states.
  • Internet service providers and software vendors, who can be a critical part of your response team. You should understand who to contact and how to reach them quickly in case of a security breach.
  • Internal and external communications teams, who may need to respond to media inquiries or proactively communicate to various audiences about an incident.
  • Other cybersecurity teams, within your company, at affiliated organizations, and within other companies.

Some companies and industries may have additional representatives who should be involved in developing or reviewing a plan.

Key steps

The National Institute of Standards and Technology (NIST) publishes a guide for handling computer security incidents. It covers the key components of an incident response capability and offers specific suggestions on everything from handling press questions to structuring the response team.

The guide is designed for government agencies, but much of its content applies to businesses and nonprofit organizations as well. NIST recommends a five-phase approach:

  1. Preparation. This includes developing an incident response plan and taking ongoing steps to minimize the risk of a successful cybersecurity attack.
  2. Detection and analysis. Cyberattacks often happen silently, without warning. They may begin with unobtrusive activities, such as an employee clicking on a phishing link or inserting a personal flash drive into a work laptop. Detecting and analyzing these attacks quickly requires an up-to-date inventory of all your hardware and software assets and an understanding of the potential attack vectors against them.
  3. Contain, eradicate, recover. Having a plan to quickly contain an attack, eradicate the threat, and then recover is at the heart of an effective response. How this is done will vary depending on the nature of the threat, but having a plan and documenting the defensive actions you take is critical. You’ll probably also want to make sure you collect evidence for law enforcement and other investigators.
  4. Post-incident documentation. After a threat is over, treat the incident as a learning opportunity. Documenting and reviewing successful and unsuccessful incident responses is critical. Those reviews will sharpen and strengthen your responses to future attacks.
  5. Communication plan. Finally, you should have a plan to communicate with regulators, employees, and other stakeholders. Some of these communications may be legally mandated, and you may face strict deadlines. Having a communications plan that meets your legal obligations and also protects your reputation is critical.

Next steps

If you don’t have one, now is the time to prepare an incident response plan. If you do have one that hasn’t been reviewed in the last year, it may be time to give it a thorough going-over. Cybersecurity risks are changing constantly, and chances are there have been changes to your organization as well.

Whether writing a plan from scratch or updating an existing plan, here are some next steps to get you started:

  1. Download the federal government’s NIST guide for handling computer security incidents.
  2. Make a list of the key decision-makers and subject matter experts in your company who should be involved in drafting and carrying out the plan.
  3. Write the plan based on your organization’s goals, needs, and requirements.
  4. Plan and carry out a drill to practice executing the plan. Make changes based on what worked well and what didn’t.
  5. Review the plan in a year, or sooner if circumstances warrant.

Bonus: One key factor in securing your website, apps and other software infrastructure is making sure you have a record of critical API keys, software licenses, account passwords and the like.