The inevitable truth in cybersecurity, one that we as an industry are only just coming to terms with, is that it is not possible to prevent every hack or attack. Attackers innovate just as fast as vendors do, and even the best security product may not be enough to keep your website or database safe. Sooner or later, most enterprises will have to rely on their own IT staff and employees to see them through a digital security event.
When that time comes, having an incident response plan (IRP), a written set of instructions for detecting, containing, eradicating, and recovering from a security event with minimal interruption to service, will be vital to keeping your enterprise afloat.
What should your IRP include? How should you establish it? Here’s where to start.
Preparation is Key to IRP Success
An IRP is not something that can be improvised on the day of an attack. Improvising is a fast way to turn a containable incident into a full breach, with regulatory fines and lost business on top of the cleanup cost.
Instead, your IRP must be established well in advance. Work with your IT and cybersecurity departments to determine which assets are the most valuable targets for attackers (customer data, credentials, payment systems, and the like) and develop likely attack scenarios for each in preparation. The best IRPs are updated frequently in response to changes in the threat landscape, while keeping a solid core outline that is clear, recognizable, and executable.
A significant part of this core outline is the chain of communication and command to follow in the event of a digital security event. Not every employee needs to know every aspect of your IRP, but your IT department should know it by instinct: what role each person serves and who they defer to during the crisis. Your employees should be trained to recognize the signs of a potential security event and the best practices for reporting their observations.
IRP communication also shouldn't be isolated to the IT department. Depending on your enterprise you may want to establish security channels with your internal PR, legal, and leadership teams. Externally, your IRP may include digital forensics firms, insurance companies, and regulators; these channels will help mitigate the financial and reputational damage that can result from a digital security event, as well as help your enterprise stay in regulatory compliance. Keep in mind that many breach-notification requirements run on a clock, so the plan should state who makes the call to notify and by when. Make sure your employees and IT professionals know when to reach out to internal and external parties in the case of an emergency.
Testing, Testing, Testing
The oft-neglected truth about plans is that they are virtually useless if people don't know them. An IRP that never leaves the IT office will not be enough to prepare your organization for a digital security event; in fact, without proper training, security events may go unnoticed until far too late.
Running drills and exercises is crucial for educating your employees in IRP communication and action policies, as well as in how to recognize a potential threat. Employees should know who to contact if they have accidentally clicked a malicious link, how best to reach them, and that they should report it rather than try to clean up on their own. Drilling your employees is also a great way to confirm they have absorbed the knowledge needed to contain a security event. Tabletop exercises are more hands-on and involving than a lecture or a PowerPoint deck, leaving fewer opportunities for attention to wander.
The other truth about plans, especially plans like this, is that they never survive contact with the enemy. Testing your IRP in drills can expose weaknesses within it before it is called upon to handle a real threat. You can see where communication breaks down, where command doesn’t quite work, or what threats are more likely to go unnoticed. This gives you the knowledge and time needed to patch the IRP and make it the best version of itself.
Most importantly, make IRP testing a regular occurrence, not a one-time affair. Regular testing ensures that employees, IT professionals, and other involved parties are continually reminded of what to do when a real security event occurs, reducing panic among the rank-and-file when the worst does happen.
By Ben Canner