Guide to cyber security incident response planning
Darren Chapman, Director and Principal Consultant at CyberScale, talks us through cyber security incident response planning (IRP). We look at why all businesses should have a plan in place as part of a robust cyber security process, how you can go about putting an IRP together, and some of the other ways you can protect your business from the threat of cyber attacks.
- Who should have a cyber incident response plan (IRP)?
- What elements make up a cyber security incident response plan?
- What else should businesses be doing to protect their cyber security?
- How do I develop a cyber incident response plan?
With a multitude of risks facing businesses, and cyber criminals constantly developing more sophisticated ways to keep ahead of defences, 100% prevention of cyber-attacks is impossible. Organisations therefore also need to invest in risk mitigation and in ensuring that they can get their business up and running again as quickly as possible after an attack. No technical solution can provide full protection, so bringing people and process into the mix is fundamental.
The UK Government Cyber Security Breaches Survey 2021 reports that “Most organisations (66% of businesses and 59% of charities) do report having some sort of formalised incident response process”. However, this is slightly misleading as the respondents are asked whether they do one of seven possible things within their organisation, not whether they have a full plan in place.
Who should have a cyber incident response plan (IRP)?
All businesses and organisations that manage data or personal information are potential targets for cyber criminals; there are no organisations too small or unattractive to attackers. It’s common to hear smaller businesses say that they aren’t a big enough or attractive enough target for cyber criminals; however, it is often easier and more damaging for hackers to target smaller organisations. When you suffer a security incident, how you deal with it in terms of detection, response, communication, and recovery will define the level of impact it has on your business.
Ensuring that a business is set up to respond depends heavily on the investments made in building an appropriate incident response plan and management approach. All organisations should ideally have some form of incident management process in place, appropriate to their size and structure, that can be initiated quickly and is not reliant on detailed technical expertise or complex processes. Primarily, the focus must be on getting the business back up and running again as quickly as possible.
What elements make up a cyber security incident response plan?
The development of an incident response plan focuses on four key areas of consideration that should be developed in line with the specifics of your business by a Cyber Security specialist. These are:
- How can I best protect customer, personal and sensitive data?
- How can I best detect and respond to incidents effectively and in a timely manner?
- How can I ensure appropriate communications & responsibilities are in place and understood?
- How can I get to a safe & effective resolution enabling a quick return to business-as-usual?
Effective delivery of an incident response plan requires the business to have an incident response team in place with tasks embedded into their core roles. The team responsible for delivering the plan in the face of a cyber-attack needs to represent all areas of the business, not just a technical team.
What else should businesses be doing to protect their cyber security?
Alongside a well-developed incident response plan, organisations can further bolster their cyber defences by ensuring that they have cyber insurance in place. For some businesses this is going to be critical in ensuring a swift return to normal activities. This policy can cover the costs of network or business interruption, liability, cybercrime, data loss and reputational damage.
The hope for most organisations is that they will never have to enact their incident response plan or make a claim with their cyber insurance provider, but should they become the unwitting victim of a cyber-attack, cyber insurance kicks in to help them get back up and running with as little long-term damage as possible. Businesses need to be prepared to dust off their IRP to ensure it is still relevant, understood by the business and actionable; a key benefit here is that you are not left uncovering issues for the first time when trying to implement the plan in the real world.
How do I develop a cyber incident response plan?
The two key ways businesses can ensure this happens are:
- Have supporting ‘how-to’ guides in place. Having common scenarios documented gives teams access to information that provides more context to possible attacks.
- Businesses should invest time in undertaking regular incident response exercises. This involves identifying likely incident scenarios and building exercises that test your business’s ability to manage them.
This leads on to thinking about the people element of cyber security, and its impact on keeping an incident response plan alive within a business. When cyber-attacks occur, they provide real-life experience, and the learnings from it can be built into future versions of the plan. Alongside this is the need for teams to keep themselves abreast of what is happening within your industry sector regarding cyber security and cyber-attacks.
The 2021 UK Government Cyber Security Breaches Survey shows that the most common response to any cyber-attack is to make technical changes. This could suggest that fully investigating the root cause of incidents, or preventing people from causing issues again, is being ignored. It is increasingly important to encourage proactive investment in protecting your business, as so often we see organisations only doing this post-attack to protect themselves in the future. Further to this, during and after an attack there will be a greater understanding of the situation and of what is required of everyone in the organisation, so applying these lessons learned to the incident response plan on an ongoing basis is a key step.
It’s important to remember that, according to the 2021 X-Force Threat Intelligence Index from IBM, human error was a major contributing cause in 95% of all breaches reported in their research, so continually investing in staff awareness around cyber security can bolster all other efforts in the business ahead of any attack.
Lastly, never forget that Incident Management should have a recovery and learning focus and not be about blame.
Find out more about implementing a robust cyber incident response plan in your business here, or to discuss the benefits of adding cyber insurance to your business liability cover, contact Alan Boswell Group on 01603 218000.
CyberScale are a Cyber Security Consultancy and Training provider. They provide pragmatic IT Security and Data Protection for businesses throughout the UK. Cybersecurity and data protection can be confusing and hard to keep up with, especially without dedicated staff. CyberScale will translate threats and regulations into what’s relevant to your business, and explain everything in a clear, non-technical way. Cyber Security is complex, so making it simple is key, leaving you free to concentrate on running your business. To find out more, contact CyberScale on 01603 339550 or email email@example.com.