Cyber-attacks and data breaches will happen. This is the startling reality every business must accept. It is no longer possible to entirely prevent them, due to the sheer number and sophistication of modern threats. But that doesn’t mean you’re helpless.
Rather than putting all their eggs in one basket, many organisations are turning their efforts towards incident response planning. But what is that? How do you create such a plan? And why does the very future of your business hinge on this single strategy?
These are the questions we will answer today.
What is Incident Response?
Incident response is, as the name suggests, your business’ coordinated reaction after a security breach has occurred. Consider a physical injury – your first actions would be to call emergency services, check on the victim, and perform first aid. Incident response is the same thing, but for cyber security.
Incident Response vs Disaster Recovery
Incident response is often confused with disaster recovery, but they aren’t quite the same thing. In short:
- Disaster Recovery: Focuses on healing from the immediate aftermath of an attack and restoring normal operations.
- Incident Response: The overarching plan that covers everything from initial detection to long-term damage control.
As you can see, disaster recovery is essential. But it is just one piece of a comprehensive incident response plan. Both are necessary to ensure a strong cyber defence and protect your business.
The Benefits of Incident Response Planning
It may seem pointless to invest in planning for a future that may never play out. But it’s essential to understand that an attack can always happen. If it does, your level of preparation will make all the difference.
Proper incident response planning provides your business with several important advantages:
Stronger Business Continuity
During an active cyber-attack, you will typically have no choice but to shut down operations. This prevents the threat from spreading any further, but at the cost of your productivity. The financial impact, especially if downtime lasts for an extended period, can be steep.
Strong incident response procedures get your systems back online faster, allowing work to continue as normal. This translates to fewer dollars wasted, higher staff morale, and continued income.
Reduced Damage
Financial losses aren’t the only damage incident response planning protects you against. Responding quickly limits the time threat actors have to move laterally within your network, which prevents them from deleting or stealing data and damaging other crucial parts of the IT infrastructure.
Maintained Trust
A breach endangers the data of both clients and team members, potentially causing severe reputational damages. The faster and more coordinated the response is, the more professional you seem. This can help you maintain positive relationships even during the worst-case scenario.
Fewer Regulatory Issues
Data protection is strictly regulated across the world, and your business will be held accountable for any breaches that compromise sensitive information. Effective incident response planning helps demonstrate your commitment to security, reducing the likelihood of fines and other penalties.
A Safer Future
Incident response doesn’t just protect you from breaches that already occurred. By learning from past attacks, you can strengthen your defences and address vulnerabilities. This makes you significantly less likely to experience another breach in the future.
The Consequences of Being Caught Off-Guard
Without an incident response plan, your business is likely to collapse into chaos the moment an attack occurs. Staff will panic, leaders will be confused, and recovery efforts will be hindered. The consequences can include:
- Longer outages as your team scrambles to solve the problem
- Expensive mistakes, such as wiping crucial evidence or notifying stakeholders too early
- Re-infection if the root cause was not correctly identified
- Staff turnover and client churn
- Lawsuits and fines
Cyber Incident Response Planning: A Step-By-Step Guide
Now that you understand why a cyber security incident response plan is essential, it’s about time you learned how to build one. Use this step-by-step guide to get started:
1. The Team
The success of your incident response procedures will ultimately depend on your personnel. It’s crucial to clearly define who will be responsible for which task. You’ll also need to ensure they understand their role.
Important Roles
- Incident Manager (IM): Leads the response, sets priorities, maintains the log.
- Technical Lead(s): Implement technological measures to remove the threat and strengthen defences.
- Communications Lead: Responsible for internal and external communications (including with your managed service provider, where appropriate).
- Legal/Privacy Team: Advises on regulatory/contractual obligations.
- Public Relations: Coordinates your interactions with the public, alongside your communications lead.
2. Detection and Triage
Develop a process for threat identification. Many businesses choose automated software for this task, as it is relatively low-cost and capable of monitoring systems 24/7. Other options include a managed service provider (MSP), or in-house monitoring.
You will also need a triage system to determine how serious a given incident is. This lets you separate false positives, minor threats and severe breaches. A traffic light system can be useful here, as it is near-universally recognisable:
- Green: Low or no threat. Capable of causing very little damage.
- Orange/yellow: Mid-level threat. May cause a brief disruption or some data loss.
- Red: Major breach. Large amounts of sensitive data may have been compromised. May severely disrupt business operations.
3. Containment
Once a threat has been identified and classified, it must be contained. The longer it is allowed to spread unhindered, the more harm it will cause. These steps should be included in your incident response plan:
- Isolate affected endpoints from the company network.
- Disable compromised accounts, revoking multi-factor authentication (MFA) tokens if necessary.
- Block attacker infrastructure (such as domains, IP addresses, or accounts).
4. Eradication
Before proceeding, the threat must be thoroughly removed from company systems. You must get this step right. If any trace of malicious software remains within your network, the entire attack could begin anew the moment you attempt reconnection.
- Carefully inspect the entire network and all endpoints. Remove any suspicious or unidentified programs as you go.
- Change login credentials and MFA for all affected accounts. Terminate all active sessions to ensure that threat actors cannot remain logged in. Alter permissions where necessary. Any non-critical accounts that cannot be fully secured should be deleted and re-created from scratch.
- Run additional scans to verify that all threats have been completely eradicated from company systems. If you detect any signs of a problem at this stage, stop and repeat steps 2 through 4. Do not move on until all scans come back clean.
5. Restore Data and Operations
Once you’re certain the threat is no longer present, it’s safe to begin the recovery process. This will include:
- Restoring data from backups as needed.
- Reinstating any accounts deemed safe.
- Gradually reconnecting the network and all endpoints.
It is crucial to monitor closely for signs of re-infection during this stage. It is still possible that a threat was missed. If anything seems off, stop and repeat steps 2 through 4. Don’t rush – it’s important to get this right.
6. Communicate
The moment your systems are safely back online, you’ll need to put out a statement. Transparency is non-negotiable. Your staff and customers will certainly have noticed a disruption, and their continued trust depends on what you say here. You may also need to report the incident to the authorities, under the Notifiable Data Breaches (NDB) Scheme (Australia).
Be clear, honest, and positive. Explain what happened, how your company has responded, and which data (if any) has been compromised. If you suspect that sensitive personal information has been stolen, provide guidance for affected individuals. Explain what you are doing to prevent this from happening again. Check whether you’re required to report this incident, and do so if needed.
7. Perform a Post-Mortem
The incident may be over, but your job isn’t. Analyse the entire event from beginning to end, and determine what went wrong. How did the attackers successfully breach your defences? Was a specific vulnerability exploited? Were staff members involved? This information will be essential moving forward.
Document your findings in triplicate, and store them in a safe location. Should you need to liaise with regulatory bodies, this will be invaluable.
8. Improve Your Security
Finally, use the information gathered during your post-mortem to upgrade your cyber security plan. Close any previously unaddressed vulnerabilities, perform additional staff training, and implement new measures. These steps will help you avoid a similar incident occurring in the future.
Incident Response Plan Examples
Here are two brief incident response plan example scenarios. These will help solidify the process in your mind, and can even be used during training.
Example 1: Ransomware in a File Server
- Trigger: EDR flags mass file modifications and ransomware note creation.
- Containment: Isolate affected servers, disable suspected accounts, block known ransomware domains.
- Eradication: Identify initial access (phishing + token theft), revoke tokens, patch vulnerable edge device, remove persistence.
- Recovery: Restore affected shares from last clean backup, enforce least privilege on shares, enable immutable backups.
- Comms: Notify all staff of temporary file share downtime due to attack. Notify customers only if client data has been affected.
- Lessons: Harden MFA, encrypt data.
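As an added example (not code from the original article or from any EDR product), the following Python script expresses the Example 1 trigger and the traffic-light triage from step 2 as detection logic: it reads constructed EDR-style file events, looks for a burst of file modifications and the creation of a ransom-note file on the same host, and grades each host Green, Orange or Red. The log line format, the burst threshold, the window length and the note-name pattern are assumptions made for the example, not tuned production values.

```python
"""Toy detector for the Example 1 trigger: a burst of file modifications plus a
ransom note on one host, graded with the article's traffic-light levels.
All sample data is constructed; nothing here is real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example, not tuned production values.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50  # modifications per host within one window
# Ransom notes are usually small text/HTML files with names like README_TO_DECRYPT.txt.
NOTE_PATTERN = re.compile(r"(decrypt|restore|recover|ransom)", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed line: '<iso-timestamp> <host> <user> <action> <path>'."""
    ts, host, user, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "path": path}


def is_ransom_note(path):
    """True for a .txt/.html/.hta file whose name matches the note pattern."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower().endswith((".txt", ".html", ".hta")) and bool(NOTE_PATTERN.search(name))


def max_burst(timestamps):
    """Largest number of events that fall inside any single BURST_WINDOW (sliding window)."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > BURST_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(lines):
    """Return {host: (level, detail)} using the article's Green/Orange/Red levels."""
    mods = defaultdict(list)
    notes = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "MODIFY":
            mods[ev["host"]].append(ev["ts"])
        elif ev["action"] == "CREATE" and is_ransom_note(ev["path"]):
            notes[ev["host"]].append(ev["path"])
    result = {}
    for host in set(mods) | set(notes):
        signals = []
        burst = max_burst(mods[host])
        if burst >= BURST_THRESHOLD:
            signals.append(f"{burst} modifications within {BURST_WINDOW.seconds}s")
        if notes[host]:
            signals.append("ransom note(s): " + ", ".join(notes[host]))
        # Two independent indicators on one host is a Red, one is an Orange, none is Green.
        level = {0: "Green", 1: "Orange", 2: "Red"}[len(signals)]
        result[host] = (level, "; ".join(signals) or "no ransomware indicators")
    return result


def sample_events():
    """Constructed sample: FS01 shows both indicators, WS07 only an ordinary file save."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    share = "\\\\FS01\\Shares\\Finance"
    lines = []
    for i in range(60):  # 60 modifications in 30 seconds on the file server
        ts = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(ts + " FS01 finance-user MODIFY " + share + "\\doc%d.xlsx" % i)
    lines.append((base + timedelta(seconds=31)).isoformat()
                 + " FS01 finance-user CREATE " + share + "\\README_TO_DECRYPT.txt")
    lines.append(base.isoformat() + " WS07 alice MODIFY C:\\Users\\alice\\notes.txt")
    return lines


if __name__ == "__main__":
    for host, (level, detail) in sorted(triage(sample_events()).items()):
        print(host + ": " + level + " (" + detail + ")")
```

The sliding window matters: a rate rule that only counts events per calendar minute would miss a burst straddling the minute boundary, which is why max_burst walks the sorted timestamps instead.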
Example 2: Business Email Compromise (BEC)
- Trigger: Finance alerts to unusual supplier payment request.
- Containment: Force logoff and reset credentials for impacted mailbox, invalidate refresh tokens, review mailbox rules and forwarding.
- Eradication: Remove malicious rules, check OAuth consents, investigate lateral movement into SharePoint/Teams.
- Recovery: Enable conditional access/MFA, re-educate finance on out-of-band payment verification.
- Comms: Notify potentially affected external contacts, consider credit monitoring if sensitive data was exposed.
- Lessons: Additional access controls and phishing scam education required.
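As an added example rather than the article's own material, this Python script implements the "review mailbox rules and forwarding" step of Example 2 as a check over constructed inbox rules. It scores each rule for indicators commonly seen after a business email compromise: auto-forwarding to an external address, rules that delete or hide mail matching payment-related words, and blank or punctuation-only rule names, then grades the rule with the article's traffic-light levels. The rule field names, the organisation domain example.com and the indicator weights are assumptions; the rule dictionaries mimic the shape of a mailbox-rule export and are not any vendor's API.

```python
"""Score constructed inbox rules for business email compromise indicators.
Field names, weights and the organisation domain are assumptions for the example."""

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
PAYMENT_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}
# Folders that users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}


def is_external(address):
    """True when the address is outside the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def review_rule(rule):
    """Return (score, findings) for one inbox rule; score 0 means nothing suspicious."""
    findings = []
    score = 0
    for addr in rule.get("forward_to", []):
        if is_external(addr):
            findings.append("auto-forwards to external address " + addr)
            score += 3
    hides = rule.get("delete", False) or rule.get("move_to", "").lower() in HIDING_FOLDERS
    terms = {t.lower() for t in rule.get("subject_contains", []) + rule.get("body_contains", [])}
    payment_hits = sorted(terms & PAYMENT_TERMS)
    if hides and payment_hits:
        findings.append("hides mail matching payment terms " + ", ".join(payment_hits))
        score += 3
    if hides and rule.get("from_contains"):
        # Hiding mail from one contact is weaker evidence: it may be a legitimate spam filter.
        findings.append("hides mail from '" + rule["from_contains"] + "'")
        score += 1
    if not rule.get("name", "").strip(" .,-_"):
        findings.append("blank or punctuation-only rule name")
        score += 1
    return score, findings


def triage_level(score):
    """Map a rule score to the article's traffic-light levels."""
    return "Red" if score >= 3 else "Orange" if score > 0 else "Green"


def review_mailbox(rules):
    """Return {rule name: (level, findings)} for every rule with at least one finding."""
    report = {}
    for rule in rules:
        score, findings = review_rule(rule)
        if findings:
            report[rule.get("name", "<unnamed>")] = (triage_level(score), findings)
    return report


def sample_rules():
    """Constructed rules from a finance mailbox, with one benign rule for contrast."""
    return [
        {"name": "Newsletters", "from_contains": "news@vendor.example.org", "move_to": "Newsletters"},
        {"name": ".", "subject_contains": ["invoice", "payment"],
         "move_to": "RSS Subscriptions", "mark_as_read": True},
        {"name": "Backup", "forward_to": ["finance.copy@mail.example.net"]},
        {"name": "Cleanup", "from_contains": "accounts@supplier.example.org", "delete": True},
    ]


if __name__ == "__main__":
    for name, (level, findings) in review_mailbox(sample_rules()).items():
        print("[" + level + "] rule " + repr(name) + ": " + "; ".join(findings))
```

Run against the sample, the benign "Newsletters" rule produces no finding, the "." rule and the external forward come out Red, and the delete rule for a supplier address comes out Orange so a human still looks at it before deciding.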
Additional Tips and Best Practices
Here are some extra things to keep in mind during incident response planning:
- Document Everything: Clear documentation is your best friend while dealing with an emergency. It allows you to demonstrate compliance to authorities, and track important events. Keep copies of your plan in writing, stored in separate, safe locations. Log all actions taken during a crisis, and who performed them.
- Plan for the Worst: Remember that a cyber-attack isn’t the only type of incident your business can experience. There could be an office fire, for instance. Plan for all normal systems, including workspaces and communications, to be unavailable during a crisis. Have a backup plan for everything.
- Practice Makes Perfect: Don’t assume your plan will work in a real-world scenario. Test and practice it, using simulated emergencies. This will help you identify and solve any issues early.
- Use a Framework: Some organisations (such as the National Institute of Standards and Technology, or NIST) provide frameworks to help you get started. It’s a very good idea to follow these, particularly if this is your first time.
- Revise Regularly: As your business changes and new threats emerge, your incident response plan might become obsolete. Review it regularly (at least once every year, or after any emergency). Take notes on what needs improvement, and adjust your plan accordingly.
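As an added example (not part of the original article), here is one way to keep the action log that the "Document Everything" tip calls for in a tamper-evident form: each entry records who did what and when, and carries the SHA-256 hash of the previous entry, so a later edit or deletion breaks the chain and is detected when the log is verified before it is handed to auditors or regulators. The hash-chaining design, the incident id IR-EXAMPLE-001, the names and the timeline are all constructed for the example.

```python
"""Append-only, hash-chained incident action log. The chaining scheme is the
example's own design choice; the incident id, actors and timeline are constructed."""
import hashlib
import json
from datetime import datetime, timezone


class IncidentLog:
    """Records who did what and when during a response; entries are hash-chained."""

    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so the same entry always hashes the same way.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, timestamp=None):
        """Append an entry and return its hash."""
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (ok, first_bad_seq). Any edited, removed or reordered entry fails."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def build_sample_log():
    """Constructed timeline following the article's containment and eradication steps."""
    log = IncidentLog("IR-EXAMPLE-001")  # placeholder incident id
    t0 = datetime(2024, 5, 1, 9, 12, tzinfo=timezone.utc)
    log.record("j.smith (IM)", "Declared incident, triage level Red", t0)
    log.record("a.lee (Tech Lead)", "Isolated FS01 from the network", t0.replace(minute=20))
    log.record("a.lee (Tech Lead)", "Disabled account svc-files and revoked MFA tokens", t0.replace(minute=25))
    log.record("m.chan (Comms Lead)", "Notified staff of file-share outage", t0.replace(minute=40))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    log.entries[1]["action"] = "Isolated WS07 from the network"  # simulated after-the-fact edit
    print("after edit:", log.verify())
```

Store the log somewhere the response team can only append to, and keep a copy of the latest hash with the offline copies of the plan; the chain then shows that the record produced during the crisis is the one being presented afterwards.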
Plan Now, Prevent Problems Later
You can’t stop the worst-case scenario from happening – but you can prepare for it. Incident response planning is an important step that minimises damage and protects continuity. With your plan in hand and a well-trained team at your back, you can turn even the most frightening emergencies into another day at the office.
Do you need a fresh pair of eyes on your cyber security? The experts at PCC will take a look at your existing measures, identify gaps, and provide you with an actionable strategy for improvement. We’ll even update the plan if you experience a cyber-attack, to help you prevent a recurrence.
If you’d like to learn more, discover our cyber security review process today.
FAQs
What Is an Incident Response Plan?
An incident response plan outlines the actions your team will take during and after an emergency (such as a cyber-attack). It provides the guidelines you need to quarantine the threat, remove it, and then restore normal operations.
Is Disaster Recovery the Same Thing?
Disaster recovery should typically be included as part of your incident response plan, but it cannot replace it. The former specifically focuses on restoration of operations, while incident response covers everything from initial detection to long-term adjustments.
How Often Should We Update Our Incident Response Plan?
Your incident response plan should be updated at least once per year, or immediately after your business has experienced an emergency. This prevents it from becoming obsolete.
Should We Use an Incident Response Plan Template?
Incident response plan templates can be useful if you’re struggling to develop one on your own. However, they should only ever be used as a guide. Always customise the template to your specific business needs.
Can a Small Business Really Maintain All This?
Small businesses can absolutely develop and maintain an incident response plan. Remember that it only needs to be as complex as your IT infrastructure, and you can always partner with a managed service provider if needed.