“An incident response plan is a set of procedures, tools, and resources that your organization can use to recognize, respond, and recover from a cybersecurity attack or data breach.”
This is Part I of a three-part series on incident response planning as part of your overall information security plan. Part II details seven steps on how to prepare and organize before you start to write your plan and Part III focuses on the key elements and outline of a typical incident response plan.
Here in Part I, we’ll discuss why an incident response plan is important.
Cyber incidents can have devastating financial costs. According to the Ponemon Institute and IBM’s 2019 Cost of a Data Breach Report, the estimated average cost of a data breach is $3.92 million (USD), at a cost of about $150 (USD) per lost record. The news gets worse for those in the health care sector: the average breach cost jumps to $6.45 million USD per incident. And the reputational and soft costs of a breach can even threaten the viability of your operation.
An effective response process can significantly reduce these costs. In the event that you do suffer a breach, time will be of the essence. How much business do you lose every hour your site is down? If your servers are inaccessible? If you miss that filing deadline, that reporting deadline, that submission cut-off date? Having a tested plan and the “muscle memory” of what to do in the face of a crisis could help mitigate the quantity of data lost, reduce the scope of damage done, and speed the recovery from the incident.
Incident response planning can also help strengthen and protect your company’s brand and reputation. Having a strong plan in place gives investors, clients, and personnel more confidence. And if a plan has to be invoked, minimizing the impact of a breach will also minimize the reputational damage created by an incident. Even if the worst happens, having a professional approach to dealing with the attack can make a big difference to clients or business partners who might otherwise be shaken by a high-profile or long, drawn-out outage. Communicating calmly, clearly, and (to the extent possible) openly about a breach reassures your customers much more than “radio silence” during a crisis.
Incident response plans can yield benefits even if they aren’t used in real life. Many clients find that developing and testing their incident response plans can help create a feedback loop of improvements to their data security practices. Constructing breach scenarios and conducting tests may expose gaps in the cybersecurity infrastructure of your operation that can be addressed before a real incident arises. For example, recovery tests will help validate that your virtual server snapshots are working as expected, your backup tapes are readable and recoverable, and your contact and licensing information is up to date.
The benefits don’t stop there. Incident response planning and preparedness help infuse a company with a culture of cybersecurity awareness. Just as “health and safety” should be everyone’s concern, whatever you can do to champion a sense of vigilance toward cybersecurity among your staff will help your cause in preventing a successful attack. Complementing your awareness training, having personnel involved in the care and feeding of an incident response plan will make them more aware of the risks of their behaviours on a day-to-day basis, and may help them recognize potential or emerging threats. Plan testing has this effect as well.
Not sold yet? Consider compliance: many regulatory and compliance regimes insist that their members have incident and breach response plans documented and tested. PCI compliance, for example, can require companies that accept payment cards online to have a plan – and a testing regime – in place. Most cyber insurance underwriting questionnaires will probe a prospective client’s preparedness for a breach, and may adjust premiums – or even decline coverage – on the basis of your responses. Most governmental bodies are required by law to have an incident response plan in place.
So why don’t all companies have a plan?
Indeed, according to the Ponemon Institute and IBM’s 2020 “Cyber Resilient Organization Report”, 74% of companies surveyed either apply plans inconsistently, on an ad hoc basis, or don’t even have a plan at all!
Since the benefits may not be tangible, it can be easy to procrastinate and work on other projects. As with business continuity planning, it can be difficult to generate enthusiasm for spending time developing a document and a process that you may never use. But this is short-sighted. As we’ve seen, the costs in the event of a breach can be staggering; the effects can be catastrophic, even ultimately fatal, to your enterprise.
The idea of a plan may seem too daunting for smaller organizations. But SMBs are just as susceptible to attack as larger ones, and may even be at greater risk unless they are well prepared. Smaller companies should at least have a basic plan that outlines roles, responsibilities, communication processes, and established, tested scripts and activities for the recognition of, response to, and recovery from an attack or breach. Bigger firms, or those with particularly sensitive data, likely need even more detailed, elaborate plans.
A lack of time, resources, and appropriate technical expertise can be a reality for companies, but it cannot be an excuse for inaction. If your organization does not have the wherewithal to develop a plan on its own, it’s important to get expert assistance. ISA Cybersecurity can help in a variety of ways, from assisting in the construction of your plan, to providing technical assistance in the event of a breach, right through to data forensics to identify what happened, who did it, and how to help strengthen defenses to prevent it from happening again. Contact us today to learn more… before a breach happens.