Plan to protect: the importance of a cyber incident response plan

In the wake of the widespread WannaCry ransomware attack which affected businesses and individuals across at least 99 countries – South Africa included – it’s important to evaluate how robust your IT security strategy is.

Too many organisations focus solely on preventative security controls without paying equal attention to how they will respond when those controls fail. By designing and implementing an effective Incident Response (IR) programme as part of your holistic security strategy, you ensure that, should the worst-case scenario happen, your business can respond and recover quickly and limit the damage.

At the end of the day, if you are not prepared you are only ever one malicious email attachment or download away from a potential disaster.

Prepare to prevent
A strong IR plan also makes your organisation more proactive: it drives ongoing updates to the security infrastructure and stops small incidents from turning into crippling breaches. This means putting policies, procedures and response protocols in place for incidents of every severity, clearly defining which steps must be taken, and by whom, when they occur.

An incident is any event that could, if left unaddressed, lead to interruption or loss for the business. This can be anything from a virus infecting a single computer, to a malicious email attachment being opened, to a server being compromised. When such incidents are not handled effectively and efficiently, they can cause considerable damage over time.

So what does a robust IR plan involve? It starts with a comprehensive audit of your organisation’s security risk profile. Your plan should be unique to your organisation and its specific structure and requirements.

Guide to good response
Regardless of size, every organisation should have always-on security monitoring and a skilled, experienced incident response team it can reach at any time. Depending on the size and nature of your business this may be an in-house team or an outsourced expert service provider you can call on 24/7.

These are some of the most important things to consider when creating your IR plan:

  • Keep it simple
    Policies must be practical so they can be initiated quickly and efficiently. A plan that is understood is much easier to implement.
  • Know your risk profile
    Fully assess your IT environment – that includes people, technology and processes. Use specialists to help identify weaknesses.
  • Automate where possible
    Many incidents start with human error, so automate the routine controls that should not depend on someone remembering to act: patch deployment, backups and their restore tests, and alerting from your monitoring systems. This reduces both the likelihood of an incident and the time it takes to notice one.
  • Strengthen the weakest link
    Staff are often the weakest link in a network and are susceptible to social engineering attacks such as phishing. Counter this with awareness training, and with policies and procedures that limit the damage a single mistaken click can do.
  • Trust your team
    Don’t waste time with red tape. Give your response team the mandate they need to respond as quickly and efficiently as possible when incidents occur. Critical to this is ensuring your response team members all have clearly defined roles and responsibilities.
  • Consistently reassess and update
    Regularly test and upgrade your security systems and ensure new risks are identified and planned for. Test the plan itself as well, for example with tabletop exercises that walk the response team through a realistic scenario, and update the plan with what you learn after every exercise and every real incident.
  • Clear communication
    Some breaches must be disclosed to regulators, customers or affected individuals, depending on the circumstances and the applicable law, so make sure you have a response protocol in place to handle this. If you have a large organisation and multiple response teams, make sure information is shared between them promptly.
  • Build relationships
    Know who you will need to call on in a crisis – don’t waste time in the moment trying to choose the right partners. This includes lawyers, law enforcement agencies, public relations consultants and cyber forensic experts.
  • Tools and training
    Make sure your first responders know exactly what they’re doing by giving them the right tools and continuous training to upskill against new threats. Preferably, have a cyber forensics company on call to assist.

An IR plan should be non-negotiable for every organisation. By developing it and investing in its implementation, you are proactively protecting your business rather than scrambling to recover from the latest attack.