Pagoda Blog

If your business experiences a data breach or other network security incident, you need to have an Incident Response Plan (IRP) in place. An IRP is a step-by-step guide outlining what should happen before, during, and after a network security incident. It is intended for your IT team so that they have a set of instructions to follow when a cyber attack or service outage takes place. 

 

A data breach, malware attack, or even a run-of-the-mill network outage can cause significant financial losses and long-term damage to your brand’s reputation. Any disruption to operations means potentially losing new (and current) customers which can be a fatal blow to SMBs. An IRP ensures that everyone on your team knows how to react to a network security incident   

 

It’s important to note that an IRP is in addition to a disaster recovery plan. A disaster recovery plan provides your IT team with a guide for how to respond in the face of a natural disaster such as flooding or fire. 

 

How to prepare for an effective IRP

Before you create your IRP, it’s important to complete the following so that your plan is effective: 

 

1. List your IT assets   

Before you’re faced with a network outage, identify and list all your IT assets such as networks, servers, and endpoints and where sensitive data is stored within these assets. Set up regular monitoring of these systems so that your IT team can more easily detect any anomalies and react quickly should a security incident arise.     

 

2. Backup your data  

Data backups are crucial in the face of a network security incident. Your data is the most valuable part of your business — and the most vulnerable — so make sure you’ve identified the most critical data and implement a secure backup (preferably offsite) for those relevant systems. In your IRP, clearly notate the location of each backup and what data it contains. This way, your IT team can quickly retrieve your most crucial data should you get locked out of your network, minimizing downtime and financial losses. 

 

3. Create an Incident Response Plan Policy

The National Institute of Standards and Technology or NIST has an incident response plan template intended to aid all businesses in preparing for a network security incident. Before creating your IRP, they recommend creating an IRP policy. This policy should include the following (adapted from NIST’s IRP policy framework): 

 

- Purpose and objectives of IRP 

- Who the policy (and the plan) applies to and under what circumstances

- Definition of computer security incidents 

- Definition of roles and responsibilities 

- Severity ratings of incidents 

- Performance measures

- Reporting and contact forms

 

Taking the time to complete an IRP policy will force your team to think through all potential security threats and the outcomes of each. This level of preparation will go a long way in ensuring a highly effective IRP.  

 

How to create your Incident Response Plan 

The NIST recommends that your plan include four stages. Breaking it down in this way will help your team understand what components of the plan should take place before a security incident occurs, what should happen during the event, and what steps should be taken after the event.  

 

The 4 stages of an Incident Response Plan per NIST: 

 

1) Preparation 

2) Detection and Analysis

3) Containment, Eradication, and Recovery 

4) Post-incident Activities 

Preparation takes place before a security incident occurs. It involves the steps outlined above and should also include taking precautionary measures to mitigate the risk of a network security incident. These measures include keeping your software up-to-date and downloading the latest security patches, installing firewalls, providing regular cybersecurity training for your entire team, and having a multi-layered cybersecurity strategy in place. 

 

Detection and analysis also takes place prior to a security incident. It is the process of regularly monitoring your data and systems in order to be able to identify any anomalies that could indicate a security threat or incident.

 

Containment takes place during the incident and is intended to stop the incident before it causes major damage. Containment can only occur with effective preparation and detection and analysis so that your IT team can identify the threat early. Eradication and recovery is when your IT team removes the contained threats from your system. This means deleting any identified malware and shutting down or updating passwords to compromised accounts.    

 

Post-incident activities allow a business to learn from the security event and adjust their IRP accordingly. According to NIST, this stage of the IRP is the most important but also the most neglected. Take the time after the network security incident to ask your team the following questions: 

 

- What happened, at what time?

- How well was the staff performance? 

- What information was needed sooner? 

- Did any steps inhibit recovery? 

- What would you do differently next time? 

- Could information sharing be improved? 

- Can corrective actions be implemented? 

- Were additional tools or resources needed?

 

The key components of an IRP

There are several key components of an IRP that will help ensure your business can react swiftly and effectively in the face of a security incident. Within your plan make sure to include the following:  

 

Roles and responsibilities for IRP team members 

The NIST recommends these roles include an IR manager, security analyst, and threat researcher. How many people are on your IRP team (and whether you have one or multiple response teams) will depend on the size of your business and associated network(s). 

 

A business continuity plan 

While your IRP team handles a network security incident, how can your employees keep operations running? If your business operates onsite, outline a plan for your employees to work remotely. (These 9 security tips for working remotely are a great start.) This plan should also include how to give employees access to your data backups and if they need to change passwords to any accounts.  

 

List of critical network and data recovery processes 

As mentioned earlier, having data backups in place is essential to mitigate the damage of a security incident. Make sure you outline in your plan where these backups live and how team members should go about retrieving them if your network is compromised. 

 

Outline of internal and external communications

In the face of a security incident, who should be alerted first within your team and when and how will remaining employees receive notification of the incident? Do you have a backup communication plan in place? During a security breach, hackers may shut down or monitor your email, collaboration platform (such as Teams or Slack), and phone system. It’s critical that your IT team has a communication system that’s separate from the compromised network so they can securely notify team members of the response strategy.  

 

How will you alert your customers and how much information will you share? Clearly outlining how to communicate with your employees and customers during this time is critical to containing both the damage to your data and systems but also the damage to your brand. Mishandling a security incident can quickly erode trust both internally and externally. Check out our post on how to notify your customers of a data breach for more details. 

 

Is your business prepared for future security incidents?

Network security incidents (data breaches, malware attacks, unplanned network outages) happen to all businesses — your level of preparation is what determines whether you come through relatively unscathed or scrambling to recoup lost revenue and reverse significant damage to your reputation. 

 

Want help creating your own customized Incident Response Plan? Reach out today to see how we can help your business. 

 

Feature Photo by LinkedIn Sales Solutions on Unsplash

Related reading: 

You Won’t Qualify for Cyber Liability Insurance Unless You Meet These Requirements

How a Cybercriminal Identifies Their Next Target

Why Your Organization Needs a Cybersecurity Culture 

 

Want to get more posts like these in your inbox? Sign up for the Pagoda newsletter and we’ll send you the occasional email with content that will sharpen your technical skills, from cybersecurity to digital marketing. 

 

Did you know we also have a weekly LinkedIn newsletter? Make sure to subscribe for weekly actionable IT advice and tech tips to set your business up for success.

 

-------------------

 

About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.