A Guide To Building A Cyber Security Incident Response Plan For Your Business


It has long been established that everyone, every individual, every organization, and especially every business should invest in cybersecurity assets.

These begin with basic anti-virus software, hard-walling off key data not in use, network monitoring, having a strong outsourced or in-house IT security team, and so on.

More recently, cybersecurity insurance has become a recognized necessity for any for-profit entity with sensitive data connected to the web.

But despite all of this, one thing we see companies fail to establish at all phases of digital development is a cyber security incident response plan (CSIR).

Remember, no data security plan is 100% fail-safe.

Cybersecurity is, after all, an ongoing, ever-changing arms race between white and black hat hackers.

A CSIR is a critical part of any complete cyber incident recovery scheme.

Consider, as an analogy, automotive safety features.

You may have the best crumple zones, warning systems, intelligent AI wired in, backup cameras, and the most advanced airbag systems.

But if you don't know how to steer into a skid when a collision is about to happen, any crash can still be fatal.

Further, if you don't learn anything from an auto collision, then you're way behind the curve.

In the same way, a good CSIR will help you to "steer into the skid" when a cyber incident is detected.

It will help you to get through the most dangerous phases of such an attack, and it will guide you through the follow-through so that you can re-stabilize your organization and gain key knowledge.

This knowledge might help you to avoid future attacks altogether.

Now, let's look at the key components of a cyber incident response plan, which we will discuss in this brief guide.

Key components of a cyber incident response plan

  • Response Team: It's best to have a team of professionals dedicated to cybersecurity. Short of this, your most tech-savvy in-house people may be able to do the job.
  • Critical Assets Defined and Prioritized: Know what your most valuable and vulnerable data assets are. Know what their being compromised would cost and set your protection measures in order.
  • Response Procedures: Know not only what to do during a cyber incident, but why. Knowing why lets you act more resolutely, and it will help you to pivot as the situation develops.
  • A Test-Driven Plan: With your draft plan hammered out in black and white and your response tools and techniques ready to deploy, it's time to give your plan a trial run. A cybersecurity service provider can help you create a meaningful and representative simulation so that you can test your plan fully. Also, a good in-house or outsourced IT team may be able to do the same thing.
  • Regulatory Considerations: A major part of the need for all of the cybersecurity assets we've mentioned so far is regulatory compliance. If you handle the sensitive information of your customers, clients, or whomever you serve, you may be responsible for the security of their data anytime they make contact with your networks. Regulatory compliance is the only way to guard against potentially hefty fees, fines, and other penalties.
  • Post-Incident Review & Improvement: Finally, if you learn nothing from any cyber incident, then you're no safer afterward than you were before it. Getting the most out of your review is key to turning an unwanted attack into an information asset of potentially inestimable value.

Now, let's discuss these parts of your CSIR more fully.


Steps to Building a Cyber Security Incident Response Plan

Each of these digital incident response assets should be set up in the right way, with the right parts, actuated by people with the right expertise. Fortunately, all of these things have long been well-established.


Step 1: Establish a Response Team

Your first step should be to curate expertise and assign responsibility/authority.

Leadership/Executive Involvement

You need people with the knowledge, experience, and authorization to take critical action rapidly and at the right time.

Certain experts can be given overriding authority at key times, much as a doctor on a ship can exert authority that overrides that of the Captain.

Roles And Responsibilities Of A Cyber Incident Response Team

These professionals and roles can be defined according to expertly crafted incident-based scenarios.

They can also be permanent.

Defining, establishing, and implementing these roles can take professional IT security consultation.

How To Select And Train Members Of The Response Team

There are two ways these kinds of authority and expertise can be established.

You can outsource experts from established, trusted IT service providers or search for independent contractors.

In the early stages, working with a professional data security provider is often best.

The second way is to hire internally and train internally.

This can be more challenging, but it can also be much more economical.

It can also be more agile in the early stages.

Again, external guidance may be needed.


Step 2: Define and Prioritize Critical Assets

The second step is something that should always be in the back of your mind when it comes to data security.

Know the value of digital assets and the likelihood of their potential compromise, followed by setting security priorities.


Defining And Prioritizing Critical Assets

Your first step should be to know which digital assets would, if compromised, mean the most significant damage to your organization.

It could be trade secrets, but in most cases, it's likely to be access to your customers' payment information.

The most valuable/vulnerable assets should be protected most and first.


How To Categorize Assets Based On Their Value And Criticality In Terms Of Cyber Risk

In many cases, the relative value of assets may be obvious.

The level of vulnerability of each may be less clear.

You might, for example, have your most valuable data stored in an external hard drive that's locked up in a safe.

In that case, the second most valuable data set you have may be a higher cybersecurity priority if it's web-connected for longer periods of time.

This is another area where professional consultation may be in order.
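As an added illustration of this ranking (example code, not part of the original guide), the Python below scores a small constructed asset inventory by estimated breach cost multiplied by a crude exposure factor derived from how long, and from where, each asset is reachable. The inventory, the weights, and the exposure formula are assumptions chosen to show the point above: the most valuable data can rank below less valuable data that spends more time online.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    breach_cost: float           # estimated cost to the business if compromised
    hours_online_per_day: float  # how long the asset is reachable over a network
    internet_facing: bool        # reachable from the web, not only an internal segment


def exposure(asset: Asset) -> float:
    """Rough likelihood-of-compromise factor in [0, 1] (assumed weights).

    Time online scales linearly; an internal-only asset is weighted at a
    quarter of an internet-facing one. An offline asset scores zero.
    """
    time_factor = asset.hours_online_per_day / 24.0
    reach_factor = 1.0 if asset.internet_facing else 0.25
    return time_factor * reach_factor


def priority_score(asset: Asset) -> float:
    """Protection priority = what a breach costs x how exposed the asset is."""
    return asset.breach_cost * exposure(asset)


def rank_assets(assets: list[Asset]) -> list[Asset]:
    """Highest-priority assets first; these are protected most and first."""
    return sorted(assets, key=priority_score, reverse=True)


# Constructed inventory for the example; values are illustrative only.
CONSTRUCTED_INVENTORY = [
    Asset("trade-secret archive (offline drive in a safe)", 5_000_000, 0.0, False),
    Asset("customer payment records (web shop database)", 2_000_000, 24.0, True),
    Asset("HR records (internal file share)", 800_000, 24.0, False),
    Asset("marketing drafts (public cloud share)", 50_000, 24.0, True),
]


if __name__ == "__main__":
    for a in rank_assets(CONSTRUCTED_INVENTORY):
        print(f"{priority_score(a):>12,.0f}  {a.name}")
```

The most valuable asset (the offline archive) lands last because its exposure is zero, while the web-connected payment database ranks first.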


Step 3: Develop Response Procedures

Once you identify the value and vulnerability of key assets, the next step may be elusive.

Developing Response Procedures

The right response will depend on how the asset is connected, how it is accessed by a bad actor, the nature of the bad actor, the number of people potentially affected by the attack, and so on.

For example, if you receive an email claiming that critical data has been compromised, your first move should be to determine whether or not such a compromise is even possible.

More often, however, the response to any given incident will be made possible by setting up the appropriate response capabilities.

After all, a capability does not exist where the necessary tools are not in place.

Here, things like data backups, hard-wired quick disconnection points, advanced anti-malware software, and cybersecurity insurance are all good examples.

In other words, any response procedure rests on the security capabilities you have invested in and integrated, and on the management, staff, and/or specialized teams you have trained.


Step 4: Communicate and Test-Drive the Plan

The importance of training your entire team and communicating and testing your plan cannot be overstated.

We need to know how to communicate the plan to employees and other stakeholders as well as conduct regular testing and training.

Given these interests, the latest developments in corporate culture favor decentralizing cybersecurity response expertise.

This means training employees at all levels so that your organization can execute a uniform and agile response to any attack regardless of its type, strength, or point of entry.

Fortunately, there are numerous ways to achieve this. You can:

  • Incorporate key points into daily meetings
  • Organize group training sessions
  • Institute regular online training and micro-certification
  • Disseminate educational literature
  • Bring in experts to teach, train, and test

Naturally, none of these are mutually exclusive and this list is far from exhaustive.

In the early phases of establishing a functional CSIR plan, it is advisable to consult with expert digital security analysts.

They can help you understand the relevant threats, invest in appropriate systems, and lead you to optimal training materials.

Keep in mind that any of these training modalities can be done remotely, allowing your team to absorb key information in their own time, and sometimes even in a way that is commensurate with their preferred learning styles.

Information technology and online learning have made this not only a possibility but often the preferred option.


Step 5: Regulatory Considerations

Any entity that performs financial transactions online is almost certainly required to take measures to protect the data security of those who participate in these exchanges with it.

This includes any merchant who buys or sells online.


State Data Breach Notification Requirements

According to IAPP.org:

Data breach notification laws vary from state to state.

Each law should be applied to every data exchange scenario to determine whether a notification requirement has been triggered.


Payment Card Industry Compliance

Further, the credit card and payment service provider industries work to protect their interests by excluding those who take unnecessary risks from their services.

This means that failure to comply with data breach regulations could cost you your ability to buy and sell, even if a law is not technically violated.

Violations, perceived violations, and their consequences can be, and often are, the most costly aspect of a cyber attack.


Executing the Cyber Security Incident Response Plan

With your CSIR plan in place, you should be able to walk through the following steps with ease.

Contain The Incident

Stop the damage from progressing and wall off vulnerabilities.

Analyze The Incident

Examine the type, strength, and ingress point of the attack.

Understand the nature of the threat and learn from it.

Execute The Plan

Finally, with your team properly trained and authorized, your plan to mitigate losses should go into effect almost instantly.


Post-Incident Review & Improvement

Of course, no good CSIR plan can ever be complete without a thorough and actionable debriefing.

Understanding the nature of an incident is not only key to your betterment as an attack-resistant entity, but it is critical to your ability to develop expertise in this area and to contribute to the business community as a whole.
