In any crisis, having a plan in place that addresses the ‘who, what, when, where, and why’ is essential – particularly in the event of a security breach.
If your business were to fall victim to a cyber-attack, the way in which you respond, and how fast, can make a huge difference in ensuring there is as little disruption to services, and damage to business reputation, assets, and client information, as possible.
For many businesses, the idea of creating an incident response plan can seem like a daunting task, but according to Barry Brailey, Principal VSO at Aura Information Security, getting a plan in place might not be as difficult as you think. Below he provides an insider's take on what the process involves and what your business should expect to get out of it.
1. Cyber Readiness Workshop
The first thing your Virtual Security Officer (VSO) will do is set up a time for a workshop. The key objective of this session is to assess the existing readiness and response capability within your business, and to assist you in identifying who needs to be involved in incident response and what their role will be.
Workshop attendees should include your CEO, your CISO, any managers of teams that may be involved in a potential response (such as your customer service team, as they’ll be on the frontline liaising with customers), your head of communications and, of course, representatives from your IT department.
To get the most out of a cyber incident readiness workshop, it’s important for your VSO to facilitate the discussions and ask the questions. They bring with them valuable experience, as well as an objective point of view.
What should the workshop cover?
Key questions your VSO might cover off during the workshop include:
2. Playbook Development
Once your workshop is complete, your VSO will then start planning what your incident response plan will look like. At this stage, businesses should also consider creating separate ‘playbooks’, or cyber incident response guides. These playbooks will detail proposed scenarios (likely incidents) and should clearly state which division or individuals form key components of the response. There are two types of playbooks:
General threat playbooks: Designed to address common types of threats – for example ransomware and DDoS attacks – and clearly outline who is responsible for what action, how it should be carried out and when.
‘Worst case scenario’ playbooks: Having a worst case scenario playbook is important because unless you have identified what a worst case scenario looks like, you won’t have any idea when it is playing out in front of you. This playbook should be very detailed, with proposed scripts, media statements, customer advisories and more.
3. Simulation Exercises
The only way to truly know whether your incident response plan and any playbooks you have work is to test them. By running a tabletop simulation exercise, your business can check whether there are any gaps in the plan, confirm that everyone knows what they should be doing and, ultimately, assess how quickly your business is able to respond in the event of a cyber-attack.
Things you might also like to test at this point include:
4. Ongoing Review
Due to the ever-evolving nature of business, and cyber-attacks, it’s important to ensure that carrying out regular reviews and testing of incident response becomes part of your business’ security policy. Depending on the nature of your business, your VSO can advise which timeframes you should work to – although the general advice is that it should be reviewed on an annual basis.