Make a cybersecurity plan. And then FOLLOW the plan. Without a plan and vigilant follow-through, very few security measures will be effective. For most businesses, a cybersecurity incident, attack, or breach is not a matter of if it will happen, but when it will happen. Since 73% of organizations have suffered at least one recent ransomware attack, we cannot assume that any company is immune. An Incident Response Plan is key to a healthy cybersecurity strategy.
As students head back to school this month, we’re heading back to the cybersecurity basics and reviewing some best practices for a secure network. The first step is to develop your people and security culture (part one of our Back to Basics series), and now it's time for a plan.
Develop an Incident Response Plan
A written Incident Response Plan (IRP) is key to a good cybersecurity strategy. Consider what should happen before, during, and after an incident occurs. Ask and answer these questions in your written plan:
What should happen NOW to prepare for a potential future incident?
If and when an incident occurs, what are the steps we should take to mitigate the risk or loss?
Who is in charge of each of the necessary response/mitigation steps? Who will make sure they complete those steps?
After the incident has been resolved or the mitigation is complete, who should review the incident and when?
In the event of an incident or crisis situation, each team member should already know their own role and responsibilities in the IRP. This will save enormous amounts of time and energy, and usually it saves money and human hours too.
Review the IRP
The IRP and your overall cybersecurity strategy should be reviewed by all key stakeholders at three points in time: when it is created, on a quarterly basis to update the information, and each time after the plan is used for an incident response.
Initial Review: you need buy-in from every team member who plays a role in the IRP. Here again we see the importance of an established culture of security (see our first Back to Basics blog). When employees are committed to the company mission, are trained in their own roles in security, and take ownership of their roles, incident response will go much more smoothly.
As you create the IRP, ask key managers and stakeholders to review it and to contribute to the plan. Include entry-level employees in this discussion as well – those involved in the daily work of the business may see additional risks or needs that managers do not.
Quarterly reviews: it's important for key stakeholders to review the plan at a regular interval, to ensure that the information in it remains current.
After an incident: conduct a team meeting to review what happened (without blaming) regarding people, processes, and technologies. Discuss how the IRP worked, and consider process changes that may be needed. This should be a constructive meeting.
Practice the IRP with Tabletop Exercises
Practice the plan. Be sure that each team member has been informed of their role in the IRP, and then sit down with the team for simulated attack discussions (tabletop exercises). Present a scenario, and discuss the steps that should be taken and who is responsible for each step. Preparing for a variety of scenarios can be extremely helpful for the team in real-world situations.
A cybersecurity strategy and an IRP are no help if no one in the organization understands them or can use them. Be sure the roles and plans are very clear, and practice your Incident Response Plan.
Keep working on this! A good cybersecurity strategy takes time and effort. We know you can do it, and you will never be sorry that you invested time in this.
Stay tuned for more of the Back to Basics series. Using CISA’s Action Plan for Small Business, we’re offering the latest in cybersecurity best practices.
We at StandardUser Cybersecurity are on a mission to share cybersecurity and cyber safety education with everyone, to make our world a better place. Are you with us? How can we help? Let us know today. Whatever your cybersecurity challenge, we can help you keep your business running. We are a defensive and offensive cybersecurity company, using over 30 years of experience with active commercial and government work and proven security methodologies. We also educate teams and professionals who want to build on their skills. Occasionally we communicate with cybersecurity memes. We set the standard for cybersecurity excellence.