Incident Response Plan: How Are You Protecting Your Organization?
Cyberattacks are on the rise, yet many enterprises are still without a comprehensive incident response plan. On top of that, many organizations don’t plan out how to maintain business continuity in the event of an outage.
Regardless of industry, if your enterprise has data it can’t afford to lose, it’s time to put an incident response plan in place that covers how business systems will stay secure, how the company will respond to a breach and how it will continue to operate after a system failure.
Follow Through on System Updates
Many organizations think they are immune to cyberattacks and outages, and as such, they do not put the needed time and effort into their response plans. Policies that ensure software upgrades and security patches are done on an as-needed basis are an essential yet often overlooked part of any business continuity plan.
IT manager J.F. Rice recently explained in Computerworld that after years of effort within his department, he finally ensured security patches were being applied to systems on a regular basis. However, he ran into an unexpected glitch: Windows computers have to be rebooted for the patch installations to take effect, which requires a system to be out of service for a few minutes. So, while a system administrator had applied the patches, one of the business units wouldn’t allow their application to be down — even overnight — since it was running processes that would be disrupted by the downtime.
This is the type of problem that organizations don’t consider but that can seriously affect business continuity.
Elements of an Incident Response Plan
Data backup is another essential piece of an incident response plan, but backup alone won’t suffice. Organizations need to develop a comprehensive incident response plan that defines their most critical information assets, as well as how to protect and recover data in the event of a disruption.
This is what Canada-based manufacturer Dupray did — it created an incident response plan after hiring an engineer who “thought it was interesting how we did not have one in place,” said Anthony Jullien, IT director at Dupray.
Dupray’s plan was divided into two specific sections: physical incidents and cyberincidents. It detailed contingencies for physical incidents, such as theft, fire, hardware malfunctions and breakdowns, and included a contingency plan for corporate espionage. Cyberincidents, on the other hand, were associated with unauthorized access, such as brute-force entries, account breaches and key loggers.
“Most of the incident report legwork has to do with defining which data has been impacted or stolen,” Jullien noted.
Dupray’s incident report process is broken down into the following four steps:
- Lockdown: Take a step back, revoke user access and stop any problems or issues from developing further.
- Assessment: Analyze what happened, and find the breach or issue.
- Adjustments: Solve the breach, and get back the data.
- New Processes: IT reissues access and creates new procedures or rules that will ensure the problem doesn’t happen again.
In addition to internal actions, external coordination with the appropriate third parties is also crucial. This could mean notifying law enforcement agencies or involving digital forensics experts. It is also important to ensure that service agreements, such as with a cyberincident remediation firm, stay current.
“Having a plan is important for the simple fact that you cannot leave your data or technology to luck,” Jullien said. “You can’t expect your company to get lucky with these things. Luck runs out. If you’re caught with your pants down, you are in trouble.”