
Steps to Prepare an Effective Cyber Breach Incident Response Plan

According to major Cybersecurity Readiness reports, 62% of organizations acknowledged they were breached. Being prepared for a cybersecurity breach is not a question of if, but of when the company will face one. Given the “when, not if” mindset, executive teams need to be proactive in their approach to mitigating cyber breaches.

A sophisticated incident response plan is the most important roadmap in the moment of crisis. An incident response plan is a guide that is tailor-made for the company’s industry and fine-tuned through mock breach exercises. It is vital to ensure that an incident response plan does not become another document lying in the executive’s drawer. A well-rounded incident response program includes regular tabletop exercises synchronized with the plan.

Through our experience, we have found that most multinationals have incident response plans without a well-developed program to train and run tabletop exercises according to the plan. Moreover, in many cases the documentation describing how to act in the event of a breach is out of date, inaccessible to key decision makers, and generic, resulting in an ineffective response that damages the brand and breaks stakeholders’ trust.

A well-prepared incident response plan starts with defining all breach scenarios and their specific response steps. Secondly, it specifies response priorities and defines stakeholders, roles, and responsibilities. Finally, it includes templates of internal and external communications to ensure business continuity.

Below are 11 principles to guide companies in creating and implementing an incident response plan:

1. Identifying the internal incident response team

The crucial thing is finding which people in the different departments play a key role in the plan and describing what each of them does.

2. Identifying the leader of the incident response team

It is important to identify the department and a person within it who will lead an incident response. The last thing an organization wants in the moment of crisis is to start identifying who is responsible for mitigating the damages.

3. Categorization

Developing a simple structure for classifying incidents by severity and urgency will provide a better understanding of C-suite involvement and level of engagement of the representative groups on the incident response team.

4. Response protocol

A framework should include (1) preparation, (2) identification, (3) assessment, (4) communication, (5) containment, (6) eradication, (7) recovery, (8) post-incident.

5. Third parties

The plan should include a list of key third parties that will assist the company, including external privacy counsel, forensics, crisis communications, etc.

6. Notify and assemble incident response team members to begin the investigation

After the breach occurs, it is important to notify and gather the team in a timely manner. Senior management should be included in the response team. Once the team is assembled, an internal investigation should commence into the security incident. Depending on the potential severity of the incident, daily progress calls should be scheduled.

7. Identify and fix the issue

An analysis should be run that identifies the incident and focuses on developing and implementing an effective containment plan. After fixing the issue, the company can turn to identifying the full nature and extent of the attack.

8. Gather the facts and let them drive the decision-making

All available forensic data (hardware, devices, database activity, etc.) should be collected and transferred to a safe location for subsequent analysis. After building a timeline of the incident and the response, any additional investigation and response efforts should be based on the information gathered and the scope of the incident.
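As an added illustration of principle 8 (example code written for this post, not part of the original), the following Python script records a chain-of-custody manifest with SHA-256 hashes for constructed evidence items before they are moved to a safe location, verifies later that the copies are unaltered, and merges the sources into one chronological timeline the investigation can reason over. The evidence names, log lines and collector name are all constructed samples.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample evidence: (source name, raw bytes captured from that source).
# In practice these would be disk images, device logs or database audit exports.
EVIDENCE = {
    "db-audit.log": b"2024-03-01T02:14:07Z UPDATE users SET role='admin' WHERE id=42\n"
                    b"2024-03-01T02:15:30Z SELECT * FROM customers\n",
    "vpn-gateway.log": b"2024-03-01T02:10:55Z login user=svc_backup src=198.51.100.7\n",
    "edr-host-17.log": b"2024-03-01T02:12:40Z process powershell.exe parent=winword.exe\n",
}

@dataclass(frozen=True)
class CustodyRecord:
    source: str
    sha256: str
    collected_at: str
    collector: str

def record_custody(evidence: dict, collector: str) -> list:
    """Hash each item before it leaves the original system, so the copy placed
    in the safe location can later be proven identical to what was collected."""
    now = datetime.now(timezone.utc).isoformat()
    return [CustodyRecord(name, hashlib.sha256(data).hexdigest(), now, collector)
            for name, data in sorted(evidence.items())]

def verify_custody(evidence: dict, records: list) -> list:
    """Return the names of evidence items whose hash no longer matches the manifest."""
    expected = {r.source: r.sha256 for r in records}
    return [name for name, data in evidence.items()
            if hashlib.sha256(data).hexdigest() != expected.get(name)]

def build_timeline(evidence: dict) -> list:
    """Merge timestamped lines from every source into one chronological list of
    (timestamp, source, detail) tuples; ties are broken by source name."""
    events = []
    for source, data in evidence.items():
        for line in data.decode().splitlines():
            ts, _, detail = line.partition(" ")
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), source, detail))
    return [(ts.isoformat(), src, detail) for ts, src, detail in sorted(events)]

if __name__ == "__main__":
    manifest = record_custody(EVIDENCE, "analyst-1")
    print("tampered items:", verify_custody(EVIDENCE, manifest))
    for ts, src, detail in build_timeline(EVIDENCE):
        print(ts, src, detail)
```

The manifest (hash, time, collector) is what an external forensics partner or counsel will ask for when the evidence has to hold up later; the merged timeline is the artifact that keeps subsequent decisions fact-driven.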

9. Determine any legal obligations and comply

An experienced lawyer well-versed in incident response can play an essential role in quickly and accurately determining the different privacy and security laws and regulations that the breach implicates.

10. Communicate with the public and report to the incident response team

During the course of the investigation and response, there should be constant communication among incident response team members. It is critical to have outside counsel involved in the communications plan to preserve any privileges attached to communications. A “holding statement” prepared for the executives might be useful in any interaction with the media.

11. Eliminate fragments of the security incident and recover business operations

After ensuring that the threat created by the security incident is eradicated, it is important to restore the company’s assets and return to normal business operations.

Development of a robust plan is challenging and time-consuming, but facing a cybersecurity breach without any plan might be deadly for a corporation. When a successful cyber attack occurs and the breach comes to light, the first question customers, shareholders, and regulators ask is, “What did the business do to be prepared to respond to a breach?”

To learn about incident response (IR) and how to prepare an IR plan click here to check our IR community and partner website.