Building an incident response strategy in 2024


At a time when cyber attacks are a matter of fact, every business needs a solid and up-to-date incident response strategy. Having stellar incident response plans in place allows firms to respond promptly, communicate with relevant stakeholders, and ensure regulatory requirements are met.

A decent strategy can also help to limit the damage to reputation when a cyber attack hits. Ultimately, this will help to reduce the costs of a breach.

But incident response is changing. With a changing threat landscape and technology such as AI posing its own threats, leaders must develop as watertight an incident response strategy as they can, even as they face budgetary pressures.

Incident response strategy: Steps to success

Previously, incident response aimed to address threats at the organizational boundary. However, as the lines between internal and external environments have blurred, strategies need to adapt, says Philip Ridley, head of security response at Adarma. “With the increasing adoption of cloud services in various business operations, the traditional concept of a well-defined perimeter has become obsolete,” he says.

Yet experts agree there is no “one-size-fits-all” approach to preparing an incident response policy. Key components include defined terms that explain what commonly used words and phrases mean, says Sarah Pearce, partner at Hunton Andrews and Kurth.

This could include rules covering specific kinds of incident, a definition of personal data, and an escalation process and its requirements, she says.

At the same time, firms need to understand regulatory obligations, says Adam Harrison, managing director at FTI Consulting’s cyber security practice. “It is essential to have compliance obligations identified in advance, particularly as many have strict reporting requirements with tight deadlines.”

Regulation needs to be considered by industry and geography. For organizations operating or serving customers in the EU, compliance with the General Data Protection Regulation (GDPR) is crucial, especially when handling personal data breaches and reporting to local relevant authorities, Harrison says.

For example, in the UK, the Information Commissioner’s Office (ICO) requires companies to report a personal data breach to it no later than 72 hours after becoming aware of it.

In addition, Harrison highlights the role of insurance. “Cyber insurance, for organizations who have it, can play a significant role during an incident. Knowing how and when to engage an insurer and being aware of what assistance they may be able to provide is often overlooked.”

Meanwhile, communication is a key part of incident response, says Jeff Watkins, chief product and technology officer at xDesign. “To team members, to HR, to your clients and their customers, and to regulatory bodies such as the ICO. How you frame this will greatly affect the trust in your organization and, done well, you won’t end up in the news for the wrong kinds of reasons.”

Incident response strategy: The good and the bad

Without the right incident response strategy, cyber attacks can snowball into larger incidents, regulatory requirements can be missed, and reputations can be seriously damaged.

You only have to look at past cyber attacks to see the benefits of stellar incident response. The 2015 TalkTalk breach is probably the most publicized example of a badly executed incident response plan in the UK, says Bharat Mistry, UK and Ireland technical director at Trend Micro. “The internet service provider (ISP) took several days to disclose a breach, communicated inadequately with crucial details missing, and its leaders downplayed the severity of the attack.”

Another, more recent example of poor incident response is the LastPass breach, first disclosed in August 2022, says Philip Ridley, head of security response at Adarma. “The initial notification was announced as a minor incident confined to the application development environment. However, by December, the true extent of the breach had spread to include company names, email addresses, billing information, and more.”

US telecoms firm AT&T ran a poor incident response when it was hacked, says Vanessa Horton, cyber incident responder at GRCI Law. “It suffered a data breach in 2021 but didn’t admit this until very recently.”

Conversely, the Norsk Hydro cyber-attack in 2019 is often regarded as a prime example of a well-executed incident response plan, says Mistry. “Norsk demonstrated robust business continuity plans and good levels of engagement with stakeholders, customers, and regulatory authorities in the wake of the ransomware attack.”

Meanwhile, the British Library did an “exemplary job” of sharing lessons learnt and threat intelligence following its recent ransomware attack, says Horton. “When it comes to cybersecurity, we all have a part to play. The Library’s recent report massively contributed to threat intelligence and it’s a great educational resource.”

Incident response strategy: Winning on a budget

It’s possible to build an incident response strategy even on a budget. To cut costs, prioritization is key, says Harrison. “Focus on protecting and being most resilient in the areas that are most important to your business.”

He points out that “relatively small and inexpensive steps” can help to elevate your cyber security and response posture. “Employee training, incident simulation, and process and policy development can make a significant difference without breaking the bank.”

Anyone can have a foundational incident response plan in place, even if there is little or no budget, says Christian Scott, COO and CISO at Gotham Security. He highlights “a plethora of materials” available from the Cybersecurity and Infrastructure Security Agency (CISA) and Center for Internet Security (CIS). “These include incident response plan materials, tabletop exercises as well as various tools to help evaluate your security posture.”

The UK’s National Cyber Security Centre (NCSC) also provides online guidance, with its Exercise in a Box scheme providing materials to test an organization’s response strategy for events such as a ransomware attack delivered via a phishing message, a data leak, or an insider threat. 

In 2023 the NCSC launched its Cyber Incident Exercising scheme, in collaboration with the CREST cyber community and the cyber assurance firm IASME. This pairs businesses with service providers who run tailored cyber exercises intended to probe their existing incident response strategies.

It’s critical that organizations practice their incident response plan regularly, says Martin Borrett, technical director, IBM UK and Ireland Security. “Many businesses have gone from not preparing to undergoing annual practice sessions. While this is an improvement, we should aim to drill cyber security practices at least twice a year.”

Regular exercises and practice scenarios should be conducted to ensure the team is prepared and the plan remains effective and relevant, agrees Harrison. As well as simple table-top exercises, firms can undertake more complex, full-scale simulations, ideally occurring “at least annually”, he advises.

A regularly tested strategy also ensures people’s skills don’t get too rusty, says Horton. “When in a stressful situation like an incident, employees need to feel confident in what actions to take. 

“For example, they must not do what is instinctual for many people: shut down their computer. If you do that, you’ll lose key evidence in the RAM.”

Any organization will need to ensure that its plan is updated regularly. Incident response is not a once-and-done activity and those that treat it as such could be setting themselves up for failure or increased damage in the event of a breach.

Harrison tells ITPro that it’s best to treat your incident response as an ongoing process: “Build a roadmap and take a phased approach, recognizing that solving all your problems at once is going to be a challenge on resources as well as finances. A measured program of improvement is likely to be more achievable.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.