The Importance of Incident Response Planning: A Must for Every Business


Seeing a business in your industry being impacted by a security incident can be worrying and stressful. Recent events, like the cyber-attacks on major London hospitals causing critical incidents and operation cancellations, or Ticketmaster’s data breach by the ShinyHunters group demanding a £400,000 ransom, highlight the real and present dangers businesses face today. But what if it was your business? How would you respond?

In our extensive experience with security engagements, we at norm. have found that Incident Response (IR) plans are rarely documented. This lack of preparation can lead to significant operational and investigative downtime, hampering an organisation’s ability to respond, contain, and eradicate cyber threats. The result? Unnecessary financial and reputational damage.

Why You Need an Incident Response Plan

Speed and efficiency are critical when dealing with a cyber incident. Knowing who to call and what steps to take will save time, ensure a proportionate response, and limit damage. A written and tested IR plan allows organisations to not only have a heightened awareness of the threat landscape but also to be concise and pragmatic in their response.

Think of an IR plan as a fire drill. With proper planning and practice, staff will know their roles and what is expected of them when the alarm sounds.

Essential Components of an Incident Response Plan

So, what should an Incident Response plan include? Based on our experience, here are the key elements:

  • Responsibilities: Clearly define the responsibilities of teams and individuals. Identify who undertakes specific actions in the plan and what is expected of each person when certain events occur.
  • Incident Phases: Outline a high-level pathway of major incident phases. Map both technical and executive actions to planned response actions.
  • Communication Management: Develop a strategy to manage communications with your staff and the wider world.
  • Risk Assessments: Conduct risk assessments to guide incident categorisation for a prioritised response.
  • BC/DR Plan Links: Include links to your Business Continuity/Disaster Recovery (BC/DR) plan.

While no plan can cover every possible scenario, having a solid foundation ensures a consistent and effective response to security incidents. This preparation can save time, money and resources, and enhance your overall readiness.

norm.’s Role in Your Preparedness Journey

At norm., we offer a series of executive-level Incident Response readiness services designed to plan, develop, and test your business against security incident “what-if” scenarios. Our goal is to leave you confident and prepared for the real thing.

The military saying goes, “No plan survives first contact with the enemy,” and this holds true for incident response as well. Our experts tailor security incident tabletop and simulation exercises specifically to your environment. We inject threat actor data gathered from real-world incident engagements to bring a high level of realism and immersion.

Preparing for what might not happen is crucial. And with norm., you can be sure you’re ready for anything.

Stay safe, stay prepared, and let norm. be your guide in building and documenting a robust Incident Response plan.


Written by Ryan O’Leary

Ryan O’Leary is an Incident Response & Threat Hunting analyst who brings his expertise to norm.’s Incident Response function, providing detailed analysis and forensic investigations that help our clients get back on their feet following a breach. Ryan brings his experience to the role from previously working within norm.’s SOC.