If (or perhaps when) your business becomes a victim of cybercrime, you can either panic and make a series of costly moves that may worsen the situation, or you can turn to a predetermined incident response plan (IRP).
Preparing an IRP
The most important aspect of an IRP is getting your employees involved. They need not only to be involved in the creation of an IRP, but also to be continually reminded that the IRP exists. If possible, assemble a designated team that is available 24/7 to handle any type of security incident. Some companies run exercises to test the IRP, and some just hand out a booklet describing the IRP. Regardless of how you involve your employees, they MUST be involved.
Begin by reviewing what plans you currently have in place to determine where they can be improved. What are you currently doing to prevent an incident from occurring, and are the policies and procedures you rely on now adequate? Look at each of these areas:
Detection – If a cyberattack of any kind (phishing, malware, ransomware, etc.) happened right now, how would you know it? Consider the chain of events and how an issue would get reported. Are the tools you’re using now sufficient?
Containment – Once again relying on an imaginary incident, what is your strategy for containing the event(s)? Part of an IRP is proactively considering how you can prevent further damage. Although it’s unpleasant, discuss the possible results of an uncontained situation.
Remediation and Recovery – Once the incident is contained, you’re going to want to know how the damage happened and who did it. And that’s only natural. Besides, you can use that information, because this is also the point when the necessary changes and upgrades to your cybersecurity will become glaringly obvious. Make the changes and review them again. Build a set of chain-of-custody procedures to ensure these kinds of incidents will not reoccur.
Further Review – Don’t ever stop reviewing your IRP. Make it a quarterly event, if possible, or annual at the least. How will you know when you’ve succeeded? Because of the confidence. Your confidence in your employees, their confidence in the IRP and you, and your customers’ confidence in all of you.