
How to Build a Cybersecurity Incident Response Plan

Being hit by a cyberattack is going to be painful. But it can be less painful if you're prepared, and these best practices can help.

When it comes to corporate cyber incidents, there's no debating the facts: attacks are more sophisticated, frequent, widespread, and costly than ever. In 2015, cybercrime cost companies $3 trillion. By 2021, that number is expected to double. At that point, cybercrime will become the most profitable criminal enterprise in the world.

Smart business leaders understand a cyberattack isn't a possibility — it's an inevitability. And yet, even in a climate of awareness about the threats posed by cybercrime, businesses aren't doing enough to prepare for these incidents.

Having a well-protected corporate infrastructure with the requisite safeguards is vital — and not just in technology but in the people and processes, too. What happens when attackers breach these defenses? How do companies handle an incident and its fallout? When every second counts, previous preparation increases the speed at which organizations can respond, avoiding hastily made decisions because the pros and cons already have been weighed. Preparation also cuts through the paralysis that can come with such an event.

Mistakes to Avoid
Given the sheer volume of breaches that have hit enterprises of all sizes and industries, it's easy to find notable examples of less-than-stellar corporate responses. Case in point: Equifax. After the credit monitoring firm experienced the largest cyberattack to date, it wasn't the breach itself that drove headlines; it was the company's disorganized and problematic response, which began by directing potential victims to a bug-ridden site and continued with the company repeatedly tweeting out phishing links after the breach had occurred.

Here are a few of Equifax's mistakes from which we can learn.

Too much time spent in denial. Once an incident is detected, every second counts. Yet too many enterprises fall into the denial trap, where they either overlook anomalous activity or downplay the magnitude of the activity once discovered. This state of denial almost always backfires by fracturing customer and employee trust — and losing precious time — as it did in Equifax's case.

Unstructured chain of command. Getting hacked can be a source of embarrassment for enterprises. But companies that project competence, organization, and control in the wake of an attack can positively affect their future. The blunders described above in Equifax's case pointed to a lack of structure within the enterprise.

Lack of foresight. Alongside an absence of a chain of command comes a lack of foresight, which can manifest in companies acting too hastily, overcorrecting, or implementing "fixes" that create new problems. No, you cannot predict the future or the decisions that will need to be made. But you can agree ahead of time on the process for making those decisions and who is going to make them. When you do this, you minimize the influence of emotion and personality differences that can derail a cyber response in an instant.

Incident Response Plan Best Practices
For enterprises, having a comprehensive and strategically designed cybersecurity incident response plan is the single most important step to mitigate the fallout of a malicious intrusion. These are the best practices for designing, testing, and implementing such a plan.

Secure participation from key stakeholders. A security breach affects many groups within an organization. As a result, cross-departmental support and buy-in is needed during the ideation and development phase. Human resource leaders, compliance officers, legal representatives, external vendors such as technology providers and public relations firms, and management liaisons all need a seat at the table.

Delineate roles. Once you have key stakeholders in the room, it's important to clearly lay out their specific responsibilities in the event of a breach. Perhaps HR leaders are on point for internal communications when a breach happens, while the PR team handles external communications. At the same time, legal representatives should be ready for any regulatory implications of a breach, while IT experts should familiarize themselves with the back-end work they'll need to handle. Specifying these roles in advance of a breach prevents the kind of high-level confusion that ensued in the wake of the Equifax incident.

Run tabletop exercises. As companies flesh out an incident response plan, the true litmus test is a breach simulation. The best way to conduct this exercise is with a third party, since that eliminates the possibility of bias in designing the mock attack. In terms of tabletop objectives, the goal should be to validate that your plan considers all actions and activities that need to occur during a breach. The exercise can also validate whether each function understands its role and, more importantly, reveal how various personalities may affect the breach response.

Communicate effectively. When a cybersecurity incident occurs, chaos is inevitable given the multiple workstreams, competing priorities, and number of people involved. The investigation is only one part of the response, competing with executive briefings, legal notification, HR, regulatory concerns, and public relations, to name a few. It is imperative for companies to understand how to communicate effectively amid the chaos. Companies should create a viable incident response plan that touches every part of the organization and then communicate the plan — in a simple and digestible way — to all employees.

When it comes to cyberattacks on companies, there are two parts: the incident and the response. Companies cannot always control the former, but they have significant control over the latter. By designing and implementing incident response plans that are cross-departmental, carefully designed, and endorsed by all key stakeholders, companies can strengthen public trust and brand reputation in a situation that could otherwise be ruinous.

Wayne Lee is a Senior Architect with West Monroe Partners, responsible for the firm's cybersecurity practice on the West Coast. He is a proven information security leader with nearly two decades of experience providing strategic and tactical cybersecurity expertise.