How to build an IR plan
One of our in-house specialists gives three simple tips on how to start laying the groundwork for cyber event recovery
Chances that your business could suffer a cyber incident have never been higher. In fact, Symantec reported that web attacks increased 56% in 2018, and that trend is likely to continue.*
A big part of what helps keep costs under control when crisis strikes is having an effective incident response plan in place, which formally details the assets that need to be protected and who should be involved at each stage should these things come under threat. Not only can this minimise the financial impact, but crucially, it can also help protect reputations and strengthen defences against future incidents.
Luckily, building an incident response plan doesn’t have to be difficult. To help keep the bad guys from getting the best of you, here are three simple things you can do to lay the groundwork for your plan:
Determine what you have and what you need to protect
What hardware do you have? What software do you use? What kinds of data do you hold? Which things are the most critical to your business operating smoothly?
Ask these questions to start identifying your most business-critical digital assets as well as where your unique weaknesses lie, such as a high reliance on certain systems, frequent wire transfers, or a lack of employee cyber awareness. Once these have been identified, senior management should be better equipped to make appropriate judgements on cyber security spending and training.
Be realistic about the business impact of a cyber incident
According to the National Institute of Standards and Technology (NIST), business impact can be thought of in several different ways. For a cyber event, we suggest looking at the following:
Functional impact – This refers to the loss of present business functionality as well as the future impact on the business if the incident is not contained. Consider what would happen if you lost one, several, or all of your IT systems for a day, a week, or much longer. Do you have alternative, offline ways of conducting business? If so, how much longer would those processes take?
Information impact – Cyber incidents can affect the confidentiality, integrity and availability of your data, which can have a regulatory impact due to reporting requirements – for example, the GDPR in the EU or HIPAA in the United States.
Recoverability from the incident – The size and type of any cyber event you experience will impact the resources and time required to recover from the incident. By having recovery plans in place, such as off-site backups, you will be in a much better position. We recommend mapping out how you would recover from a ransomware attack, business e-mail compromise event, wire transfer fraud, and data breach.
Create a defined communication plan
To successfully deal with a cyber incident, a communication plan is key.
Firstly, consider who you need to speak to in the event of a cyber incident and in what order. Consider your cyber insurance provider, law enforcement, regulators, external clients or stakeholders, employees, and the media. Make a list of names and phone numbers. For all types of events, we suggest you contact your cyber insurance provider first, as a good incident response team will understand the nuances of crisis communications.
Secondly, ask yourself what statements you can prepare in advance. Preparing coherent statements with stakeholders in advance can save valuable time if crisis strikes. Do this for a full range of incident types.
If you consider the above three incident response suggestions, you’ll have already laid a substantial amount of groundwork towards your plan. Get your thoughts down on paper and please remember to save this plan separately from your company systems, which you may not be able to access during a live incident.
To make planning even easier, all of CFC’s cyber policyholders can access an incident response template for free as part of our risk management package. Read more about this and other risk management tools here.
* Symantec, Internet Security Threat Report 2019