Skip to main content

10 Tips for Cyber Incident Response Preparedness

Being prepared helps organizations successfully manage and reduce the operational, legal and reputational impacts of the incident.
Technology and financial advisory services. Business teamwork and working on digital laptop computer with advisor showing plan of investment to clients at table office.

Every organization - big or small, in any industry - faces the risk of a cyber attack. Being prepared helps organizations successfully manage and reduce the operational, legal and reputational impacts of the incident. Below is our Top 10 tips to help your organization effectively respond to cyber incidents

1. Build an Incident Response Plan

A cyber incident is an organization wide issue requiring multiple actions in various domains. Response velocity is key to contain the impacts so having the right team and chain of command ready is critical to success. To achieve this, assign a team member for incident response. List team members, describe their duties in managing incidents and designate leaders to make key decisions throughout the incident.  Include IT operations, IT security, legal, PR, communications, risk management, senior leadership, HR, operations, and vendors.

Next, ensure that incident response leaders are not “in the weeds” managing the response but are able keep a consolidated view on the situation and escalate as necessary. To do this, define your incident assessment and escalation process. Create assessment metrics for incidents where the scores help with triage and escalation procedures. Incidents can evolve quickly and response activation is often delayed because there are many things happening at once with a lack of understanding of the severity of the issue.

It is also important to ensure that organizations communicate to stakeholders at the appropriate time in order to meet your legal and regulatory requirements and maintain stakeholder confidence. It goes a long way reducing future impacts of the incident. Prepare this critical part of the process by setting a communication plan. Define the internal and external stakeholders you need to inform as the cyber incident unfolds, when and how often to contact them and the information to communicate. This includes senior management, law enforcement, regulators, clients, employees, media, and other stakeholders.

In the event of a cyber attack, avoid losing time scrambling to piece together contact information and ensure fast, cost-effective, streamlined, and consistent notification by maintaining a contact list. Have readily available a current and complete contact list of incident response team and vendors, law enforcement, regulatory bodies, clients, employees, etc. Save contact lists in secure multiple locations.

Next, define your response procedure in order to have a game plan to control the situation, address all angles, effectively contain damages, and accelerate restoration of systems and operations. Define protocols and checklists for incident plan activation, response phases and deactivation. You could also develop playbooks for common security events (e.g., ransomware, data breach, denial of service attack, website defacement, email compromise, etc.).

Finally, make sure the response process is recorded as it unfolds, especially in the event of future investigations and lessons learned reviews. Do this by being prepared to track incident timeline and decisions. Record and document incident facts and response actions through to resolution.

2. Conduct Incident Response Exercise

Gain familiarity with Incident Response protocols and roles, enhance team coordination and identify plan improvements to allow for faster and effective response. An untested plan will not be used during a crisis.
Best practice is to conduct yearly incident response exercises. Allow the team to practice its response to a cyber-incident scenario using the response tools and procedures. Provide training as you on-board new team members.

3. Maintain Asset Inventory and Data Map

Incident responders need to know where to look for indicators of compromise. Diagnosis and containment are greatly accelerated with these tools.

For that purpose, make sure to assemble an inventory of devices and software, as well as map the location of where sensitive data is stored. Keep it current!

4. Establish Incident Response Relationships

Pre-established vendor relationships allow for rapidly engaging external legal, forensic investigation, public relations and other experts, at a controlled rate.

To achieve this, cultivate relationships with incident response vendors and other relevant stakeholders before an incident rises.

5. Implement Incident Response Technology

Implementing security technology on your endpoints will help to detect malicious activity, diagnose the severity of incidents and contain or respond from a central monitoring location. You will achieve greater efficiency in both avoiding and containing incidents.

These technical solutions are generally called “Endpoint Detection and Response (EDR)” and should be able to support detection, monitoring, containment, and response to incidents.

6. Collect and Protect Activity Logs

Log analysis allows you to understand attacker’s actions and scope of compromise, identify evidence and effectively respond. Therefore, it’s critical for your response process to collect, monitor, store, and protect logs such as system, user, network events and any relevant activities to detect abnormal actions and investigate security incidents for analysis afterwards.

7. Back Up Systems and Data

Backups are a lifeline to recovery, especially in a ransomware event when attackers seek to destroy backups before launching their extortion attack - so organizations have to pay the ransom to restore systems.

Be sure to maintain offline copies of critical systems and data. Regularly test the integrity of backups. Secure backups with encryption and access control.

8. Prepare for Disaster Recovery

Ensure your ability to restore systems from backups with speed and limit, as much as possible, disruptions to operations and client service impacts. Document procedures on how to restore systems from backups. Test annually the ability to restore critical systems and data.

9. Conduct User Awareness Campaigns

System users can be the first to detect an incident. Regular awareness campaigns tune their reflexes to detect suspicious activity and report it.

Be sure to conduct regular cyber risk awareness campaigns including risk bulletins, phishing exercises, and training on how to report anomalies and incidents.

10. Consider Cyber Insurance Coverage

Insurance is a cost-effective way to transfer cyber risk residual exposure and provides quick access to incident response specialists that mitigates the impacts of a cyber incident.

Consider purchasing cyber insurance to get expert support in incident response and protect your organization from financial losses stemming from cyber incidents