Incident Response Planning 101: Simplification and Preparation are Key


You walk into the office on Monday morning, yearning for a cup of coffee and mentally sifting through your to-do list for the week, and bam: you learn that your systems fell victim to a ransomware attack and employees cannot access the data they need to do their jobs.

What now?

Well, if you are like 77 percent of businesses, you have no formal incident response plan in place. So, in short, the answer is, “Not sure, but it needs to be fast.” Clearly, that is not a position you want to be in, and it adds a tremendous amount of stress to an already stressful situation.

While it may seem obvious that your organization needs an incident response plan, writing one can feel like a daunting, time-consuming task at the bottom of an already long to-do list. We get it. But you have to start somewhere, and a minimalist yet thoughtful approach can put you miles ahead of where you are now if anything goes awry.

Think in flowcharts, not paragraphs

When you finally take the plunge and start writing your incident response plan, remember that less is more. Organizations often go overboard and describe everything in great detail. That looks like simple due diligence, but it slows the response when your team has to read through a lengthy plan to understand it instead of reacting and limiting the damage as quickly as possible.

Rather than lengthy paragraphs, focus on “if this, then that” sequences and lay them out as bullet points or a flowchart. You and your team will be able to see at a glance what is complete and what needs to happen next.

Choose your starters, and your second string

When outlining your incident response plan, carefully determine who needs to be involved, both from IT and from other departments across the organization. Involve team members from HR, marketing and communications, operations, and management so you can accurately define roles and responsibilities and address your customers’ needs and expectations.

Once you have selected your incident response team, go back through and name a backup for each member. A compromise does not only happen during business hours when your entire team is at the ready. Weekends, nights, and holidays are common times for compromises precisely because attackers prefer limited staff availability: it gives them more time to carry out their actions before anyone notices.

Establishing a backup person for every incident response team member ensures that each department still has representation as you begin to respond to the incident.

Plan for multiple scenarios

So, you’ve created an incident response plan, you think your team is prepared and ready. Then you fall victim to an attack that is in no way similar to the scenario you prepared for. Now what?

We encounter this fairly often as we help clients respond to data breaches and other incidents. As such, we recommend developing a plan that addresses several forms of attack. Ransomware, wire transfer fraud, and data deletion are common attacks, and each requires its own response. For example, if you uncover a fraudulent wire transfer, one of the early steps is to contact your bank to try to stop or trace the transfer. In a ransomware case, contacting your bank is much lower on the list.

Keeping to the “broad strokes” approach, we recommend creating a response plan for at least the following scenarios:

  • Loss of personnel: Reference this plan for any staff loss that affects the organization’s operations. Whether it is a C-suite executive or the person who manages backups, run through the plan to make sure all bases are covered.
  • Loss of service: One you never want to encounter, but potentially critical. The loss of service scenario should cover complete loss, partial loss, and intermittent loss.
  • Loss of physical location: Whether it’s a storm, fire, flood, power outage, or anything in between, have a plan in place. If you don’t, the incident may turn into a service loss as well, which makes the situation significantly worse.
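The “if this, then that” flowchart idea, the primary-and-backup roster, and the scenario-specific early steps (bank first for wire fraud, containment first for ransomware) can all be expressed as a small “playbook as code” structure that shows at a glance what is done and who takes the next step. The Python below is an added example written for this page, not code from the original post or from Tetra Defense; every scenario, step, role, and person in it is a constructed placeholder, and the dependency rules are illustrative rather than a recommended playbook.

```python
"""Playbook-as-code sketch: scenario flows, role owners, primary/backup roster.

Added example; all scenarios, steps, roles and names are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    id: str
    action: str
    role: str            # IR team role that owns the step
    after: tuple = ()    # ids of steps that must be done first ("if this, then that")


# One ordered flow per scenario. Note how the early steps differ:
# wire fraud starts with the bank, ransomware starts with containment.
PLAYBOOKS = {
    "ransomware": [
        Step("isolate", "Disconnect affected hosts from the network", "it_lead"),
        Step("preserve", "Preserve logs and a disk image before any rebuild", "it_lead", ("isolate",)),
        Step("counsel", "Notify legal counsel and cyber insurer", "management", ("isolate",)),
        Step("comms", "Send internal holding statement to staff", "comms", ("counsel",)),
        Step("restore", "Restore systems from offline backups", "it_lead", ("preserve",)),
    ],
    "wire_fraud": [
        Step("bank", "Call the bank to stop or trace the transfer", "finance"),
        Step("preserve", "Preserve the fraudulent emails with full headers", "it_lead"),
        Step("counsel", "Notify legal counsel and cyber insurer", "management", ("bank",)),
        Step("reset", "Reset credentials on the impersonated or compromised mailbox", "it_lead", ("preserve",)),
    ],
}

# Primary and backup person for each role (constructed names).
ROSTER = {
    "it_lead": ("Alice", "Bob"),
    "finance": ("Carol", "Dan"),
    "management": ("Erin", "Frank"),
    "comms": ("Grace",),  # deliberately has no backup, to show the gap check
}


def contact_for(role, unavailable=frozenset()):
    """First person listed for the role who is reachable, or None if nobody is."""
    for person in ROSTER.get(role, ()):
        if person not in unavailable:
            return person
    return None


def next_actions(scenario, done=frozenset(), unavailable=frozenset()):
    """Steps that are not done and whose prerequisites are all done,
    each paired with the person who should take it right now."""
    ready = []
    for step in PLAYBOOKS[scenario]:
        if step.id in done:
            continue
        if all(dep in done for dep in step.after):
            ready.append((step.id, step.action, contact_for(step.role, unavailable)))
    return ready


def coverage_gaps():
    """Roles used by any playbook that do not have both a primary and a backup."""
    roles = {step.role for steps in PLAYBOOKS.values() for step in steps}
    return sorted(role for role in roles if len(ROSTER.get(role, ())) < 2)


def validate():
    """Every dependency id must refer to a step in the same playbook."""
    problems = []
    for name, steps in PLAYBOOKS.items():
        ids = {step.id for step in steps}
        for step in steps:
            for dep in step.after:
                if dep not in ids:
                    problems.append(f"{name}:{step.id} depends on unknown step {dep}")
    return problems


if __name__ == "__main__":
    print("plan problems:", validate())
    print("roles lacking a backup:", coverage_gaps())
    # Monday morning: hosts already isolated, the primary IT lead is on holiday.
    for row in next_actions("ransomware", done={"isolate"}, unavailable={"Alice"}):
        print(row)
```

Running it flags that the comms role has no backup and, for the ransomware flow with isolation already done and Alice unreachable, hands the preserve step to Bob and the counsel step to Erin. The same structure is what a tabletop exercise walks through step by step, so keeping the plan in this shape makes “what is done, what is next, and who does it” answerable in seconds.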

Store the plan in multiple formats

The last thing you want during an incident is to be unable to find your response plan. To ensure team members have access, store it in a secure cloud location that does not depend on the systems most likely to be down during an incident (if the plan is only reachable through your corporate single sign-on and that is what the attacker took out, nobody can open it), and print a copy for each member of the incident response team to keep in their desk.

If you have a designated conference room or space to report to (yes, we recommend this), keep a printed copy in that room, along with a flash drive holding an electronic copy.

If you change the plan, print new copies, distribute them, and collect the old ones; a version number and date on the cover makes it obvious which copy is current. When an incident occurs, you want everyone looking at the same version of the plan to avoid confusion or missteps.

“A plan is not a plan unless it’s tested.”

These words of wisdom from a mentor could not be more accurate when it comes to incident response. You can plan and outline every possible scenario, but if you never run through a mock incident, how will you know whether it works?

Your test can be as simple or as complex as it needs to be, as long as you test it. Set up the test scenario so that it does not actually obstruct normal business operations.

Tabletop exercises are effective and do not take much time. Assemble your incident response team in a room. The team leader chooses a scenario, such as a ransomware attack or a natural disaster. From there, the team follows the roadmap, and each person explains what they would do and in what order.

If you run into hiccups, delays, or confusion, document everything. After the test, circle back and address the gaps so that your next test goes more smoothly.

A winning effort begins with preparation

We covered some basic best practices for incident response planning in fairly broad strokes because needs and threats vary drastically from organization to organization. The main takeaway we want to drive home is that time spent on this topic is extremely beneficial and will lessen the impact of a dreaded security incident.

If you have questions about how to construct your organization’s incident response plan, our team is here to help.
