A proactive approach to IT security can save your organization from disaster.

Cybercriminals rely on creating chaos. A security incident response plan is the best way to reduce the potential impact of a cyberattack on your business’s reputation and bottom line.

If your organization has a response plan for common cyberattacks, such as a malware attack, then a decisive and timely defense can be enacted. We understand that creating a security incident response plan seems overwhelming, but it doesn’t need to be.

What is a Security Incident Response Plan?

A security incident response plan is a set of instructions that your IT department can follow when an IT security incident occurs. Your IT department should have created response plans for predictable security scenarios before you need to use them. For example, if your organization is experiencing a ransomware attack, your IT department should be able to find and refer to a ransomware response plan document as soon as they become aware of the attack.

Every second you spend under attack is money down the drain. By having a security incident response plan ready, your IT department can shut down a cyberattack with minimal downtime and disruption to your business operations.

What does a Security Incident Response Plan involve?

An effective security incident response plan needs to have the following elements:

  • Define what type of incident the plan is for
  • Call out the signs or events that will trigger the plan
  • Designate the person or response team that will own the plan
  • Give a high-level overview of how the plan will be carried out

That’s it! A security incident response plan can be a simple two-page document and still effectively cover everything it needs to. Unfortunately, 77% of organizations don’t have security incident response plans in place (Source: IBM). Your IT department should establish a security incident plan for your business and educate your staff regarding their roles and responsibilities in the event of an attack. If you have a plan and your employees are comfortable with playing their part, your organization will have the power to stop the bad guys in their tracks before they can cause any more damage.

How to Create a Security Incident Response Plan

Below is the process we use to create our security incident response plans. Your plan should explain what needs to happen at each of the five steps outlined in the process.

[Figure: IT Security Incident Response Plan – Detect, Validate, Damage Control, Recovery, Refinement]

Here is some guidance on what each step should cover:

Detect

  • How a potential incident can be recognized or detected
  • Tools, processes and procedures in place for the individuals first recognizing the potential incident to notify the response team

Validate

  • Key attributes of the event that the response team can check to qualify if it’s really an incident
  • How to handle false positives / non-events raised to the response team; consider adjusting detection tools or processes when they recur
  • For incidents, how to qualify potential operational, organizational, or financial severity
  • Determination of the number of people and audiences (internal, external) affected to qualify scale

Damage Control

  • Whom to notify when there’s an active incident and how
  • Set expectations and ownership for updates
  • Approved, escalating courses of action to stop further damage, preserve incident details, determine the perimeter, re-establish secure operations
  • Summarized inventory of critical systems and potential control points
  • Expectations for confirming the incident has been controlled and the organization is ready to proceed to Recovery

Recovery

  • Prioritized business operations to resume
  • Communication channels and setting expectations for impacted audiences (internal, external)
  • Escalating courses of recovery to resume operations (optionally, prioritizing either least time to recovery, or least work-loss recovery)

Refinement

  • Evaluate plan effectiveness, lessons learned; implement appropriate improvements to prevention and protection
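The article says a plan can be a two-page document, and it lists four elements every plan must define plus the five steps above. As an added example (not from the article or its authors), the following keeps a plan in a structured form so those elements and steps can be checked for completeness before an incident, rather than discovered missing during one. The field names, phase keys and the sample ransomware plan content are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The four elements the article says every plan must define, and the
# five steps of its process. These key names are this example's own choice.
REQUIRED_ELEMENTS = ("incident_type", "triggers", "owner", "overview")
PHASES = ("detect", "validate", "damage_control", "recovery", "refinement")


@dataclass
class ResponsePlan:
    """One incident response plan, e.g. the plan for ransomware."""
    incident_type: str = ""            # what type of incident the plan is for
    triggers: List[str] = field(default_factory=list)  # signs that trigger it
    owner: str = ""                    # person or team that owns the plan
    overview: str = ""                 # high-level overview of execution
    # Instructions per step: phase name -> list of actions
    phases: Dict[str, List[str]] = field(default_factory=dict)


def check_plan(plan: ResponsePlan) -> List[str]:
    """Return a list of gaps in the plan; an empty list means it is complete."""
    gaps: List[str] = []
    for name in REQUIRED_ELEMENTS:
        if not getattr(plan, name):
            gaps.append(f"missing element: {name}")
    for phase in PHASES:
        actions = plan.phases.get(phase, [])
        if not any(action.strip() for action in actions):
            gaps.append(f"phase has no actions: {phase}")
    # A phase the process does not define usually means a typo in the document
    for phase in sorted(set(plan.phases) - set(PHASES)):
        gaps.append(f"unknown phase: {phase}")
    return gaps


# Constructed sample plan; the content is illustrative, not from the article.
RANSOMWARE_PLAN = ResponsePlan(
    incident_type="ransomware",
    triggers=[
        "files renamed with an unfamiliar extension",
        "ransom note appears on a desktop",
        "endpoint alert for mass file modification",
    ],
    owner="IT security response team",
    overview="Isolate affected hosts, validate scope, restore from offline backups.",
    phases={
        "detect": ["Any employee reports the signs above to the IT helpdesk immediately"],
        "validate": [
            "Confirm encryption on at least one host",
            "Count affected users and systems to qualify scale",
        ],
        "damage_control": [
            "Disconnect affected hosts from the network",
            "Preserve logs and a disk image before rebuilding",
        ],
        "recovery": ["Restore the highest-priority business systems first from offline backups"],
        "refinement": ["Hold a post-incident review and update the detection signs"],
    },
)

# A plan that was started but never finished: the check should flag it.
INCOMPLETE_PLAN = ResponsePlan(
    incident_type="phishing",
    phases={"detect": ["Report a suspicious email to the helpdesk"]},
)

if __name__ == "__main__":
    for label, plan in (("ransomware", RANSOMWARE_PLAN), ("phishing", INCOMPLETE_PLAN)):
        gaps = check_plan(plan)
        print(label, "complete" if not gaps else gaps)
```

Running the check as part of a periodic review catches plans that name a type of incident but never assign an owner or fill in a step, which is exactly the kind of gap that leaves a response team improvising once the Detect step fires.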

Creating and typing out a security incident response plan is great, but it is useless if no one knows about it. The entire plan relies on the first step, Detect. If your people haven’t been educated on what signs they need to look out for, then they will not notify your response team when an incident does occur. If the response team is not notified, then the plan won’t be enacted and your organization will be at the mercy of the attacker.

Integrating employee IT security awareness into the company culture is something many organizations struggle to do successfully. If your organization is unsure how to educate and train employees on IT security best practices and trends, then check out our webinar The Human Element of IT Security: Training Your Employees to Defend Your Business.