Many companies have response plans but don't truly operationalize them!
With cyber criminals successfully targeting organizations of all sizes across all industry sectors, organizations need to be prepared to respond to the inevitable data breach.
A response should be guided by a response plan that aims to manage a cyber security incident in such a way as to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs.
Here are 10 principles to guide companies in creating and implementing incident-response plans:
- Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
- Develop a taxonomy of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
- Develop easily accessible quick-response guides for likely scenarios.
- Establish processes for making major decisions, such as when to isolate compromised areas of the network.
- Maintain relationships with key external stakeholders, such as law enforcement.
- Maintain service-level agreements and relationships with external breach-remediation providers and experts.
- Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
- Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
- Identify the individuals who are critical to incident response and ensure redundancy.
- Train, practice, and run simulated breaches to develop response "muscle memory." The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers' awareness and fine-tuning their response capabilities.
An effective incident response plan ultimately relies on executive sponsorship. Given the impact of recent breaches, we expect incident response to move higher on the executive agenda. Putting the development of a robust plan on the fast track is imperative for companies.
When a successful cyber attack occurs and the scale and impact of the breach come to light, the first question customers, shareholders, and regulators will ask is, "What did this institution do to prepare?"