Do your plans for 2022 call for refreshing and improving your cybersecurity incident response plan (CSIRP)? If so, that means your organization actually has an incident response plan – congratulations! Surprisingly few organizations do.
As much talk as there is in cybersecurity circles about developing and optimizing incident response (IR) plans, it turns out most organizations don’t even have one yet. The 2020 “Cyber Resilient Organization” study, from IBM and the Ponemon Institute, revealed that only 26 percent of organizations are using an enterprise-wide CSIRP.
We all understand, of course, why this is the case. Recognizing the importance of a CSIRP to tackle potential cybersecurity incidents and improve response times does not make it any easier to actually create one. It’s a major undertaking that involves – or should involve – many groups across your organization. It’s a big rock to move, but really needs to be done. The CSIRP is a critical asset for your security team.
In my experience, though, even organizations that DO have a CSIRP are concerned it won’t help them as much as they’d like during actual or potential incidents or a data breach. The most common thing I hear from our customers is, “We have a plan, but we’re not happy with it.” This is backed up by statistics from a recent survey of more than 500 cybersecurity professionals conducted by Wakefield Research showing that 92 percent of security leaders aren’t completely confident that their organization can identify the root cause of a cyber attack.
If you can relate to that, don’t panic. Here are my top four recommendations to help you improve your incident response plan if you have one. And if you don’t? You can still apply these tips when you go to create a plan.
Cybersecurity incidents and data breaches touch all areas of your organization. Does your plan include detailed processes and procedures (and current contact information) for employees and vendors outside your security incident response team members? Would your plan be stronger if you include representatives from human resources, communications, the risk and compliance team (if it sits outside security) or others?
Take every opportunity to engage stakeholders – even board members, possibly – before an incident occurs. Your plan – including your communications plan – needs regular reviews and inputs with a wider audience, not just your immediate coworkers.
One of the other things to consider including in an updated plan are processes and contacts related to managing potential or actual security incidents involving your cloud applications and infrastructure. Be sure to spell this out in the plan.
Another important aspect to cover in your IR plan is cloud applications and infrastructure. If your agency is using cloud-based services like Amazon Web Services (AWS), Microsoft Office 365, Azure and others, they should all be included. If you’re not thinking about the implications of unprotected S3 buckets and misconfigured accounts that could leave data open to anyone, think again.
Know Your Cyber Insurance Policy
These days, more and more organizations have a cybersecurity insurance policy, but most CSIRPs don’t even mention it. Your CSIRP needs to contain pertinent information regarding triggers, contacts and claims process requirements. Everyone on the team should be aware of what’s included in the policy and who the primary contact is in your organization for initiating a claim.
While you’re at it, add a reference list for all your third-party contractors that may be called upon in an incident, along with details of their roles and responsibilities in case of a security event or security breach. According to Wakefield Research’s survey, 76 percent of organizations currently use a third-party service provider for at least some incident response-related function.
Understand Roles and Responsibilities
As I touched on earlier, your plan should clearly articulate roles and responsibilities. So many organizations shy away from making assignments in advance. The plan should define roles, provide assignment guidance based on incident severity and scale and designate backups. Given how often most people change jobs and roles, you should review this at least annually.
One of the biggest mistakes I see in my experience is security teams working in silos and not looping in the rest of their colleagues who can share knowledge and drive buy-in for the plan in other groups. That might include your CIO, CISO, or leadership throughout the organization with no direct IT ownership. And if you do include other folks, make sure they know about the plan – see my next point below.
Exercise Your Plan
Exercise your plan. Let me reiterate that point – exercise your plan. Did I mention you should take every opportunity to engage stakeholders? Of course I did. This is a no-brainer. I don’t care if you stick with tabletop exercises or conduct red/blue team drills, there is no negative outcome from exercising – it’s all good.
Exercises raise awareness of threats and new trends. They also allow teams to work on response plan improvements in a safe, risk-free environment. This is the best method to train people on their roles and responsibilities.
Most cybersecurity incident response plans are a work in progress – and that’s to be expected. In a real-world event, your team will operate more confidently and efficiently if:
- They understand the broader perspective of stakeholders
- They know how to utilize your third-party resources
- They clearly understand roles and responsibilities
- They have exercised their plans
So dust off that plan, take it out into the sunlight and give it a good look. By taking steps now to improve your CSIRP, you’ll be much better prepared to face whatever threats come your way, whenever they hit.