
Incident Response Plans: What Can You do to Enhance Them?



Incident response (IR) plans often end up like old books on a shelf. These written guides, which lay out how an organization should detect, respond to, and limit the effects of a security incident, should be highly valued. In practice they are usually left gathering dust: many plans go untried and untested for years, and some are simply out of date. As a result, they are of little help when a data breach actually happens.

Cybersecurity practitioners generally agree that an IR plan should include a policy that defines what counts as an incident, plus a step-by-step guide to how the business responds to one. By following a plan that is already in place, organizations aim to lessen the impact of an attack and reduce the cost and recovery time usually associated with data breaches.

Even with the steady stream of cyber incidents in the news, some companies still do not have a plan at all. It is concerning that some organizations still do not take cybersecurity seriously and are not prepared to respond to a breach.

So what should you look at to improve your IR plan, or to get one started? Let's discuss.

Fixing the IR plans

Do you have an IR plan in place? More often than not, the plan does not fit its purpose. Some IR plans are so poorly designed that, in an emergency, they would do no good. One common point of failure is that companies put one or two people in charge of guiding the organization through a crisis. That becomes a serious problem when both of them are unavailable: who leads the organization through the crisis then? Have a plan, train according to the plan, and make sure everyone knows their responsibilities in a crisis, including who steps in when the designated lead is out.

How it should look

When building an IR plan you need to define its purpose, the role of each team member, and the lifecycle of the plan itself. Hold exercises to practice the plan. A big part of this is having cross-department representatives who take the lead on incidents in their own departments, so that multiple people respond to an incident in a coordinated way. A widely used model breaks a successful IR plan into six key phases:

1) Preparation

2) Identification

3) Containment

4) Eradication

5) Recovery

6) Lessons learned
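The two failure modes discussed above, a plan that depends on one or two people and a plan that has not been exercised or that skips a phase, can be checked mechanically if the plan is written down in a structured form. The following is an added example, not code from the original post or from any SOAR product: a small lint that takes a plan definition (a plain Python dict; the schema, the thresholds and the two sample plans are constructed for illustration) and reports every phase without an owner, every role held by fewer than two people, and a plan whose last exercise is older than a chosen limit.

```python
"""Lint an incident response plan definition for the failure modes the post
describes: missing phases, single points of failure in role ownership, and
plans that have not been exercised recently.

Added example; not code from the original post or from any SOAR product.
The plan schema (a plain dict), the thresholds and the sample plans below
are constructed for illustration.
"""
from datetime import date

# The six phases the post lists; a plan must assign an owner to each.
REQUIRED_PHASES = (
    "preparation", "identification", "containment",
    "eradication", "recovery", "lessons_learned",
)

# Hypothetical thresholds: a primary plus at least one backup per role,
# and an exercise at least twice a year.
MIN_PEOPLE_PER_ROLE = 2
MAX_EXERCISE_AGE_DAYS = 180


def lint_plan(plan, today):
    """Return a list of findings (strings). An empty list means the plan passes."""
    findings = []
    roles = plan.get("roles", {})
    phases = plan.get("phases", {})

    # 1. Every phase must be present and owned by a role the plan defines.
    for phase in REQUIRED_PHASES:
        owner = phases.get(phase)
        if owner is None:
            findings.append(f"phase '{phase}' has no owner")
        elif owner not in roles:
            findings.append(f"phase '{phase}' is owned by undefined role '{owner}'")

    # 2. No single point of failure: each role needs a primary and a backup.
    for role, people in roles.items():
        if len(people) < MIN_PEOPLE_PER_ROLE:
            findings.append(
                f"role '{role}' has {len(people)} person(s); needs at least {MIN_PEOPLE_PER_ROLE}"
            )

    # 3. The plan must have been exercised recently, otherwise it is a dusty book.
    last = plan.get("last_exercised")
    if last is None:
        findings.append("plan has never been exercised")
    else:
        age = (today - last).days
        if age > MAX_EXERCISE_AGE_DAYS:
            findings.append(
                f"plan last exercised {age} days ago; limit is {MAX_EXERCISE_AGE_DAYS}"
            )
    return findings


# Constructed sample: the "dusty shelf" plan the post warns about.
WEAK_PLAN = {
    "roles": {
        "incident_commander": ["alice"],
        "comms_lead": ["bob"],
    },
    "phases": {
        "preparation": "incident_commander",
        "identification": "incident_commander",
        "containment": "incident_commander",
        "eradication": "incident_commander",
        "recovery": "incident_commander",
        # lessons_learned is missing
    },
    "last_exercised": date(2018, 1, 15),
}

# Constructed sample: every phase owned, every role has a backup, exercised recently.
STRONG_PLAN = {
    "roles": {
        "incident_commander": ["alice", "dana"],
        "comms_lead": ["bob", "erin"],
        "forensics_lead": ["carol", "frank"],
    },
    "phases": {
        "preparation": "incident_commander",
        "identification": "forensics_lead",
        "containment": "incident_commander",
        "eradication": "forensics_lead",
        "recovery": "incident_commander",
        "lessons_learned": "comms_lead",
    },
    "last_exercised": date(2023, 9, 1),
}


if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("strong", STRONG_PLAN)):
        findings = lint_plan(plan, date.today())
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running a check like this from a scheduled job or a CI pipeline turns "test it regularly" from a good intention into something that fails loudly when a backup leaves the company or the last tabletop exercise slips past the limit. The thresholds are deliberately simple; a real plan would also track reviews of contact details and escalation paths.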

Team and skills

Many professionals highlight the importance of a diverse team that can actually execute the plan. Communication can make or break an IR plan: team members must know exactly what they are supposed to do and coordinate their actions. Plans also rely on good intelligence and metrics provided by managers, who can translate them into business language for company leaders. Attackers will find the holes in a plan quickly, so why give them the chance? Put together a team that can execute every part of the plan so there are no cracks to slip through; a gap there results in brand and corporate reputation damage.

Take that IR plan off the shelf, blow the dust off it, and make sure it is still applicable. A robust plan is achievable as long as you get the right processes in place, the right people on board, and test it regularly to ensure it is fit for purpose. What are you waiting for?

For more information on incident response or on SOAR (Security Orchestration, Automation and Response), please visit our website!