Considerations for building an incident response plan

The chances that a business could suffer a cyber incident have never been higher. 

A big part of what helps keep costs under control when crisis strikes is having an effective incident response plan in place, which formally details the assets that need to be protected and who should be involved at each stage should these things come under threat. Not only can this minimize the financial impact, but crucially, it can also help protect reputations and strengthen defenses against future incidents.

Luckily, building an incident response plan doesn't have to be difficult.

Here are three simple things businesses can do to lay the groundwork for their plan:

1. Determine what they have and what they need to protect

What hardware do they have? What software do they use? What kinds of data do they hold? Which things are the most critical to their business operating smoothly?

Businesses should ask these questions to start identifying their most business-critical digital assets as well as where their unique weaknesses lie, such as a high reliance on certain systems, frequent wire transfers, or a lack of employee cyber awareness. Once these have been identified, senior management should be better equipped to make appropriate judgements on cyber security spending and training.

2. Be realistic about the business impact of a cyber incident

According to the National Institute of Standards and Technology (NIST), business impact can be thought of in several different ways. For a cyber event, we suggest looking at the following:

Functional impact: This refers to the loss of present business functionality as well as the future impact on the business if the incident is not contained. Businesses should consider what would happen if they lost one, several, or all of their IT systems for a day, week, or much longer. Do they have alternative, offline ways of conducting business? If so, how much longer would those processes take?

Information impact: Cyber incidents can affect the confidentiality, integrity and availability of their data, which can have a regulatory impact due to reporting requirements - for example, the GDPR in the EU or HIPAA in the United States.

Recoverability from the incident: The size and type of any cyber event they experience will impact the resources and time required to recover from the incident. By having recovery plans in place, such as off-site backups, they will be in a much better position. We recommend mapping out how they would recover from a ransomware attack, a business email compromise event, wire transfer fraud, and a data breach.

3. Create a defined communication plan

To successfully deal with a cyber incident, a communication plan is key.

Firstly, businesses should consider who they need to speak to in the event of a cyber incident and in what order. They should consider their cyber insurance provider, law enforcement, regulators, external clients or stakeholders, employees, and the media, and then make a list of names and phone numbers. For all types of events, we suggest they contact their cyber insurance provider first, as a good incident response team will understand the nuances of crisis communications.

Secondly, they should ask what statements they can prepare in advance. Preparing coherent statements with stakeholders in advance can save valuable time if crisis strikes. They should do this for a full range of incident types.

If businesses consider the above three incident response suggestions, they'll have already laid a substantial amount of groundwork towards their plan. Businesses should get their thoughts down on paper and always remember to save their plan separately to their company systems, which they may not be able to access during a live incident.