Companies that don’t take the time to develop a security incident response plan pay a high price when the inevitable breach happens. 

According to IBM, organizations with incident response teams and plans spend about $1.2 million less on data breaches than companies without preparations in place. 

However, in IBM’s recent report “The 2020 Cyber Resilient Organization Study,” the company found that about 51% of companies have only an informal response plan that is often applied inconsistently.

Building an incident response plan and testing it is an investment of time and effort that will reduce stress and costs. 

SEE: Incident response policy (TechRepublic Premium)

What to include in an incident response plan

IBM security experts recommend that security teams take time to understand the top threats in their industries and prepare detailed response plans for the specific kinds of attack those threats involve.

Establishing a clear communication strategy is a must for any incident response policy. Daniel Eliot, director of education and strategic initiatives at the National Cyber Security Alliance (NCSA), said clear and comprehensive communication should be a top priority during all security breaches.

“Without a clearly articulated chain of command and both an internal and external communications strategy that brings all the right people to the table, the quality of the response gets diminished,” he said.

Jerry Ray, chief operations officer at SecureAge, said incident response plans need to take into account how to allocate resources depending on the criticality of the infrastructure components affected by the breach. This could mean prioritizing immediate remediation of the attack, restoration of a mission-critical server, or forensic analysis of the mechanism of the attack.

“The order and allocation will be entirely dependent on the attack vector, the system(s) attacked, the data exfiltrated, the IT staff available either in-house or on contract, and the general industry or business line of the victim,” he said.


Prepare for the aftermath

Incident response policies often focus on what to do before and during a breach, but they should also include steps for what to do after an incident.

For example, Eliot said that documentation often gets neglected in the aftermath of a breach.

“Document the lessons learned, and then develop and implement a strategy to reinforce these learnings across the enterprise,” he said. “If you don’t learn from your mistakes, you’re bound to repeat them.”

Eliot said companies recovering from a security breach should answer these questions:

  • What went wrong in our response? 
  • What went right in our response? 
  • How can we reduce the chances of this happening again? 

Ray added that another important follow-up task is a total review of all the tools, policies, and settings within the system that suffered the breach, not just the component that was directly compromised.

“Typically, the single point of failure is somehow revisited and shored up or patched as if that was the only weakness,” he said. “In reality, the entire security blanket needs to be unwoven, as the ineffective components may have led to or created that point of vulnerability, which on its own may not have been vulnerable.”


Eliot also recommended that IT teams loop in legal counsel after an attack to understand any applicable reporting and notification responsibilities under national and international data breach laws.

TechRepublic Premium’s Incident response policy will help your company set a plan for immediate action as well as develop follow-up tasks after a security breach. The policy includes guidance on assembling a response team and the responsibilities of every person on that team.

This Incident response policy gives you a comprehensive start on a plan and allows you to customize it to fit your company’s particular needs.