It might happen on a Friday afternoon, or maybe on the day before a holiday. Many employees have clocked out early, so an intrusion goes unnoticed…until it’s too late. Suddenly the whole system begins shutting down.
Your next step? Panic.
A data breach or other cybersecurity incident can be a traumatic, shocking experience, even for a seasoned executive. To avoid freezing like a deer in the headlights, it’s critical to have a plan — specifically, what’s known as an Incident Response Plan. An Incident Response Plan, or IRP, gives companies an understanding of key security risks and provides a detailed process to follow in the event of a cyberattack. The best plans include input from multiple departments and stakeholders at a company.
“Everyone’s going to have a different viewpoint,” Christian Kelly, chief technology officer at Xantrion, explained during a recent webinar. “Getting those views in early and understanding them is vital to putting together a plan that’s going to stand up to a real-world event.”
What’s Driving the Demand for Incident Response Plans
So what are the chances of confronting a real-world event? The short answer: high and getting higher. The global cost of cybercrime exceeded $8 trillion in 2022 and is projected to reach nearly $24 trillion by 2027.
Here’s the good news: When facing a data breach, organizations with high levels of incident response planning saved nearly $1.5 million compared to organizations with little-to-no planning.
The ability to significantly limit damages caused by cyberattacks — and sleep better at night — is the obvious reason to develop an incident response plan for your business, but many leaders are also facing institutional pressure to adopt IRPs: documented incident response plans are legally mandated in multiple regulated industries, while insurance companies are also increasingly requiring customers to have IRPs (or risk less favorable coverage terms if they don’t).
In the US, IRPs also enable companies to more easily comply with various state data breach notification requirements. Under privacy laws, certain states require companies to report data breaches to consumers in 30 days or less. Under a well-structured IRP, reporting processes are already in place, ensuring companies don’t have to start from scratch to cobble together notifications.
Developing Your Incident Response Plan
Developing an effective incident response plan begins with assessing the risks facing your business. Identifying your company’s data and infrastructure vulnerabilities can help you plug gaps you didn’t know you had. Kelly recalled working with one company that had lost valuable time getting their systems back up and running after a cyberattack because they lacked cloud or off-site backups.
“The client did not have an incident response plan and a plan likely would have shone a light on the fact that they had so much on-premise hardware without enough redundancy,” Kelly said.
While a company’s in-house IT team plays a key role in developing an IRP, as noted earlier, planning should include representatives across departments who can clarify business priorities in the event of a cyberattack.
“Different departments are going to have different views about how critical an application or workflow is to the company,” Kelly explained. “If the group that’s trying to understand incident response is too small, you could really miss certain key systems.”
A human resources representative, for example, might point out the importance of ensuring a business can continue to make payroll in the event of a breach. “Internal stakeholders are going to have the most valuable information about really what should go in that plan and how it will actually interact in the real world,” Kelly said.
It’s also important to tap external experts for your IRP. Lawyers, insurance providers, public relations consultants, and, of course, IT experts like those at Xantrion can partner with you and take on defined roles within your IRP so that confronting and minimizing the damage of an incident becomes a group effort.
Testing and Updating Your Incident Response Plan
An IRP should be a living document, fine-tuned and updated regularly to ensure its effectiveness. Testing through tabletop exercises – basically, simulated attacks – can help organizations determine if they’re truly prepared for various scenarios, from ransomware attacks to phishing. Here, external partners like IT experts and insurance providers can also offer helpful guidance.
“We are part of a lot of tabletop exercises with our clients. It’s good to understand that a tabletop exercise is really valuable if hard questions are asked and pokes holes in your current plan,” Kelly said. “It’s really good to bring voices in the room that would challenge the status quo.”
Even if an organization’s responses are airtight in the case of every simulation, IRPs still should be updated regularly to account for changes in the cybersecurity technology that your company is using, from logging to EDR. Not only can better tech prevent and contain cyberattacks, it’s also key to speeding forensic investigations when an incident does happen, helping insurance companies and incident response firms determine where or how an attack transpired.
“Technologies change. It’s very rare that year over year, the exact same technologies are in place,” Kelly said. “As you update your IRP, make sure that you understand new capabilities that you can bring in as it relates to recovery, backups, containment, detection — that those are the types of things that get into your plan.”
Xantrion relies on tested approaches to develop and implement incident response plans, not just for our clients, but for ourselves. Our IT experts will draw on their successful experiences to help you create a response plan that takes your organization’s individual risks and needs into account. Want to learn more? Watch our recent webinar with our partners Hoge Fenton and Restwell Technology, or contact us today to schedule a consultation.