Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
“Everyone has a plan,” said Mike Tyson, “until they get punched in the mouth.”
Cybersecurity incidents can feel like heavyweight blows. Victims are left scrabbling to identify the attack, get systems running again, reassure customers and weather legal and reputational blows.
It’s hard to act clearly when your head is spinning and your cyber strategy has fallen short. And that makes having a clear, actionable set of responses that can get you off the canvas and back in business all the more crucial. Here, we explore why incident response planning is vital, and how your organisation can do it well.
The impact of cybersecurity incidents is growing
With ransomware on the rise and cybercriminals exploiting remote workers with sophisticated phishing attacks, it’s no surprise that cyberattacks are increasing. The Australian Cyber Security Centre (ACSC) noted a 13% increase in reported incidents in 2021. Yet organisations are still playing catch-up, with 76% saying they were hurt by their lack of cyber preparedness last year.
It gets worse: only a quarter of organisations around the world have a cyber incident response plan (CIRP). There are many reasons why you might put off making a plan. It can be hard to step out of the daily churn of threat management and patching, and getting sign-off to fund scenarios that might never happen isn’t always an easy sell. But by not developing a CIRP, you may just be holding out your chin for a knockout punch.
Building an incident response plan
An incident response plan gives IT and cybersecurity teams practical instructions on how to respond to major incidents. Effective plans set clear steps and responsibilities, so that panicking employees don’t step on each other’s toes. They help you identify, triage and resolve a breach more quickly, by listing business-specific threats and responses. Mapping out legal and PR strategies can help you manage regulatory and communications damage. A good plan will also mandate training to prevent incidents and set a template for incident reviews, helping ensure problems are not repeated.
You needn’t start from scratch. The ACSC and New Zealand’s National Cyber Security Centre (NCSC) both have guidelines and templates, and some states offer their own templates too. The US’s National Institute of Standards and Technology (NIST) also has useful guides.
Everything starts with good preparation
Plans should map out all stages of incident response, including preparation, detection, analysis, containment, response, recovery and review. Good preparation means:
considering key attack vectors and responses
putting measures in the context of industry and government frameworks
detailing roles, responsibilities and reporting lines, with out-of-hours contact details where appropriate
specifying roles which are likely to include a cyber incident manager, responders (responsible for hands-on investigation), communications officers and a legal advisor
ensuring these individuals are trained and aware, with drills to ensure readiness
building these details into a plan that is accessible, signed off and budgeted for
This preparation will form part of an ongoing cybersecurity strategy that manages your organisation’s risk. But no matter how well you guard your networks, cybercriminals will eventually break through.
Effective detection and analysis can limit the damage
Your incident response plan will not be able to detail every possible threat, but it should list the key attack vectors relevant to your business or sector. The ACSC’s template, for example, breaks incidents into broad categories: ransomware, malware, denial of service, phishing, data breach and industrial control system compromise.
Your plan should also mandate priorities (if more than one incident is detected at once) and may include benchmarks to help you judge the severity of an attack. It will also indicate who should be notified – whether internal stakeholders or the reporting required by law.
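As an added illustration (not part of this article or of any ACSC template), the Python below encodes the kind of triage a plan describes: the six ACSC categories, severity benchmarks, and a notification table built from the roles listed under preparation. The thresholds, scoring and role-to-category mapping are assumptions a real plan would replace with its own.

```python
from dataclasses import dataclass

# The six broad incident categories named in the ACSC template.
CATEGORIES = {"ransomware", "malware", "denial of service", "phishing",
              "data breach", "industrial control system compromise"}

# Assumed mapping: roles pulled in per category, on top of the incident
# manager and responders who are notified for every incident.
EXTRA_NOTIFY = {
    "ransomware": {"communications officer", "legal advisor"},
    "data breach": {"communications officer", "legal advisor"},
    "industrial control system compromise": {"communications officer"},
}

@dataclass
class Incident:
    ident: str
    category: str
    systems_affected: int          # assumed benchmark input
    personal_data_exposed: bool    # assumed benchmark input
    business_critical: bool        # assumed benchmark input

def severity(inc: Incident) -> int:
    """Score 1 (low) to 4 (critical) from assumed benchmarks."""
    if inc.category not in CATEGORIES:
        raise ValueError(f"unknown category: {inc.category}")
    score = 1
    if inc.systems_affected >= 10:
        score += 1
    if inc.business_critical:
        score += 1
    if inc.personal_data_exposed or inc.category == "industrial control system compromise":
        score += 1
    return score

def notify_list(inc: Incident) -> set[str]:
    """Roles to notify; exposed personal data flags a legal reporting assessment."""
    roles = {"cyber incident manager", "responders"} | EXTRA_NOTIFY.get(inc.category, set())
    if inc.personal_data_exposed:
        roles |= {"legal advisor", "assess mandatory breach reporting"}
    return roles

def triage(incidents: list[Incident]) -> list[tuple[str, int, set[str]]]:
    """Order concurrent incidents highest severity first; ties keep detection order."""
    ranked = sorted(incidents, key=lambda i: -severity(i))
    return [(i.ident, severity(i), notify_list(i)) for i in ranked]

# Constructed sample: three incidents detected at the same time.
SAMPLE = [
    Incident("INC-1", "phishing", 3, False, False),
    Incident("INC-2", "ransomware", 40, True, True),
    Incident("INC-3", "denial of service", 12, False, True),
]
```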
Your response will balance containment and eradication
Once you’ve identified the source of the incident, there’s a tendency to act fast and ask questions later. But leaping in to wipe data or tackle malware (especially if you can’t remove all traces of it) may create more problems than it solves, so a clear set of steps should guide this process. Your incident plan should also provide a template for logging discoveries as you go, which may be vital for compliance.
Weighing up containment, eradication and the further investigation of any threat actor will involve balancing the relative disruption and cost of various strategies and the state of your networks. Your plan will ensure the correct personnel are involved in decision-making and lay out standard operating procedures for different breach types so that no blind spots are left during containment.
Reviews can help you build a better cyber policy
It may be some time before the full scale of the event becomes clear, and recovery can take months for some incidents. Your plan should include a guide to getting networks and systems back online, and may suggest a phased recovery, in which you work from immediate issues towards general improvements in cyber resilience.
This is also an opportunity to review your incident response and cyber resilience. How did individual operating procedures stand up? Did staff find the plan easy to follow? Could additional training help make a repeat incident less likely, or your response more efficient? Collecting evidence to document the incident’s causes and your response is the best way to learn what you did right, and what can be improved. These reports may also help senior executives see cybersecurity – and requests for funding specific areas – in a different light.
Making a great incident response plan
As we’ve seen, a thorough incident response plan can help you pick yourself up after a cybersecurity incident, and improve your strategy for dealing with future breaches. If your policy is to be fit-for-purpose, drills, training and regular reviews are essential – even if you haven’t experienced any incidents. Your organisation is always changing, and so are the threats it faces. With a great plan and ongoing vigilance, you’ve a chance of facing down any foe.