Published in 2020, a Statista.com report found that only 16% of UK businesses surveyed had any form of cyber security incident management process in place, what we commonly call an Incident Response Plan (IRP). This number is pulled down by the fact that only just over a third (38%) of medium businesses and a quarter of small businesses have any plan in place.
We have already looked at the Importance of an Incident Response Plan. Now the question must be: how do you keep it alive and ensure that there is an ongoing understanding of what threats look like within your organisation? To do this you need to be prepared to pull out your Incident Response Plan, dust it off and ensure it’s still relevant, understood and actionable. If something has changed in the business or in the roles cited within the IRP, implementation could be tougher in the midst of an attack, and that is something no organisation facing such an issue wants to uncover right then.
The IRP is there to minimise damage, protect your data and systems, and ensure your business recovers from any cyber security incident as quickly as possible, so it must be kept alive and relevant. To cover the various departments in the business and ensure they know how best to respond to attacks specific to their areas of weakness, the Incident Response Team needs to be broad and bring knowledge from across the business and varied ways of working.
Alongside this, the Incident Response Plan needs to be broad enough to cover multiple scenarios; our experience shows that many elements of managing an incident still require decision making depending on the nature of the incident. Ensuring you have supporting runbooks in place for common scenarios will add context to the IRP and further improve your organisation’s ability to manage the associated risks of any cyber-attack.
To evaluate how effectively your Incident Response Plan is implemented and to identify areas for potential improvement, your Incident Response Team should have regular Incident Response Exercises in place. By identifying likely incident scenarios and designing appropriate exercises to test your ability to manage these incidents, you not only keep the plan relevant but also give the Incident Response Team a chance to flex its muscles.
There are two other ways of keeping the IRP alive and relevant. The first is to evolve it based on learnings from implementing it when attacks occur; direct, real-situation experience will always be where the most powerful learning takes place. The second is to ensure the Incident Response Team (and, for that matter, anyone within the organisation) is always looking at what’s happening within your industry regarding cyber security and cyber-attacks. Knowing what’s going on around you could highlight potential weaknesses in your business, systems and processes.
Further to this, it is important to ensure that you are constantly mitigating the potential for attacks to get through to your systems. One of the key ways is to have the right policies in place, which we go into in more detail here.
Incident Response Planning is an ongoing and iterative process that must be kept alive for your business to remain resilient. This requires continuous reviews, testing and updates. Couple this with actioning post-incident learnings and rapidly adopting improvements in your Incident Response approach, and you will be setting yourself and your teams up for success. It will always be a requirement to communicate these changes in the business, and there is no better way than weaving this into ongoing training.
And never forget that Incident Management should have a recovery and learning focus and not be about blame.