Your Practical Guide to a Cyber Incident Response Plan

A cyber Incident Response Plan (IRP) helps an organization prepare for an incident and reduce its overall impact. A cyber breach incident can be a ransomware attack, a malicious insider, an external attacker who gained access via a phishing campaign, or internal human error, among many others. When dealing with incidents, we often say it is not a question of if, but when, an incident will occur. How your organization deals with a cyber incident can very well determine its future path.

An IRP is a document that will change every time you use it. An organization should practice its plan and then incorporate lessons learned into the plan to improve it. A well-used method of practicing an IRP is a tabletop exercise. This is best accomplished using an outside vendor who is skilled in planning and executing tabletop exercises. This method will allow for the element of surprise during the exercise and will keep your team guessing as it moves through the experience. Businesses that have used such resources walk away from the exercise with a clearer understanding of their roles and responsibilities and areas in which they can improve.

“By failing to prepare, you are preparing to fail.”

– Benjamin Franklin

Having a cyber Incident Response Plan can help a business reduce downtime when an incident occurs. Your organization must have a predefined action plan to execute in the event of an incident. Your team should practice this action plan regularly (at least annually; more frequently is better) so that each member knows and understands their roles and responsibilities. This will make dealing with a real incident more efficient and thorough. The plan will also define key contacts and vendors outside of your organization that you will use during an incident, such as outside legal counsel, expert incident response teams, cyber forensic experts and even law enforcement if necessary.

A well-written and practiced IRP helps everyone know their roles. Many businesses have the impression that an IRP is either a function of their IT department or the responsibility of the people who manage the cybersecurity program (which for some is part of IT). They may expect that this plan is siloed within the confines of IT and that the IT or cybersecurity department will handle it. Let us be very clear here: if your organization experiences an incident, your entire organization experiences the incident, not just the IT department. Having clearly defined roles and responsibilities across the various departments of the organization ensures that specific tasks are performed and decisions are made by the correct individuals. Often during an incident, different stakeholders will have conflicting objectives, so a clear understanding of who the decision-makers are is important. The IRP defines who those decision-makers are for your organization.

If your organization does not have a written cyber Incident Response Plan, Withum can assist with that. Our Cybersecurity and Information Services Team is available to conduct tabletop exercises with your IRP team to test your plan and find areas for improvement.

Author: Julie Tracy, Executive Cybersecurity Advisor
