Cybersecurity Awareness. It’s not just about being aware…

Learn how to help protect your company’s assets and customers from cybercrime with an incident response plan.

It can be said that football is a simple game. You throw the ball, you catch the ball. You block, you tackle. You run, you kick. Touchdowns, field goals; practice makes perfect. Mastering the basic fundamentals is the key to being successful in all aspects of the game. Cybersecurity is no different.

As we celebrate the 15th anniversary of National Cybersecurity Awareness Month, there are several key messages the Department of Homeland Security is promoting to make the business community aware that we all must work together to protect our country from cybercrime. The increased awareness of cybersecurity is very important. However, we should go beyond awareness and focus more on tactics and practical application.

In football, you have a playbook that everyone studies and learns; for cybersecurity in business that playbook is “the incident response plan.” I recently had the opportunity to speak about incident response plans to family-owned businesses located in the Chicago area. Many, but not all, of the companies had incident response plans in place. Unfortunately, many of the employees didn’t know much about them or what was in them, and almost none of them reviewed or ran through them regularly.

Although this group of companies would be considered small- to medium-sized businesses, the concepts I presented and shared apply to all businesses regardless of size and industry segment. The main theme I came away with was that companies need to do more to create, implement, and work incident response plans.

In the world of cybersecurity, it’s your business against cyber criminals and fraudsters. Let’s break down the incident response plan so your company can be prepared to take the field and get in the game.

What is an incident response plan?
An incident response plan is a living and breathing document that helps organizations outline policies and processes to detect, respond to, and remediate the impacts of cybersecurity incidents. It is similar to a disaster recovery plan or a pandemic plan except the incident response plan focuses on cybersecurity and impacts from cybercrime.

What are the major components of an incident response plan?
According to the SANS Institute, there are six parts to an incident response plan:

  • Preparation 
  • Identification
  • Containment
  • Eradication
  • Recovery 
  • Lessons Learned

It’s important to realize that each component is a prerequisite for the one that follows. You can’t contain a data breach until you have identified the breach itself. You can’t delete malware until it’s been identified and contained. Most importantly, your business must be able to learn from the plan. If you run a play in your playbook, you must understand how effective it is in eradicating the incident or preventing it in the first place. The next time you run it you may have to tweak it, based on past experiences, to have a better outcome.

What items should my business include in our incident response plan?

  • Definition of the overall plan, policy and scope
  • A listing of all internal personnel and external vendors involved in cybercrime prevention including contact names, related information and roles
  • A methodology to report incidents internally, to customers, and to outside agencies
  • Incident review to identify corrective actions to take to contain or resolve the incident
  • Execution plan to implement and monitor corrective actions put in place regarding the incident
  • Testing schedule to test the plan in conjunction with any related tests like disaster recovery
  • Employee training and awareness policy

Be sure to keep all contacts and roles updated when people leave your company or change jobs. Your playbook should be run, or tested, at least annually so everyone on the team knows their responsibilities. The playbook by itself does no good if the players don’t know about it. Make sure all employees are trained to know that your incident response plan exists, how it works, and what their role is when they are called.

All businesses need an incident response plan. It doesn’t do any good to have it and be aware of it unless you can actually execute it. Practice it, so that when the inevitable happens and you really need it, you will have simulated the game day experience and be more prepared. This will help your company protect its assets and customers from cybercrime.