What happens if you implement a cybersecurity framework and still have an incident or a breach? Unfortunately, in cybersecurity you can never be 100% secure. You will always carry some risk of an incident; even the most sophisticated security programs in the world do. However, an incident doesn't have to be devastating. With a prior risk assessment, and with proper root cause analysis and eradication when something does happen, you can craft an effective incident response plan that limits further damage and speeds up your responders' remediation efforts after a security breach.

This is why it is crucial to create and maintain a comprehensive cybersecurity incident response plan. Keep reading to find out what an incident response plan is, how to respond to security events, and how to protect your business network today.

What is an incident response plan?

An incident response plan is a set of detailed instructions or templates created to assist your IT staff or incident response team in detecting, responding to, and recovering from unplanned network security incidents. An effective response plan should be customized for your specific industry and include any regulatory or compliance requirements you must adhere to in the case of a cybersecurity incident. All team members, stakeholders, and your computer security incident response team should be on the same page when it comes to incident response planning. Your business’s incident response plan should include relevant information on the following topics:

Data Loss – Where are my backups stored? In what format? How often do I update my backups? Is this automated or manually performed? How can I access them after an incident? Do I need to notify clients in the event of data loss?

Service Outages – How long can my business survive after a service outage? Who should I contact first after an outage? How quickly can we restore normal operations? How will I notify customers during an outage? Will this impact any critical systems functionality? Do my team members understand our disaster recovery plan?

Cybercrime – In the event of a cyberattack, who do I call first? How quickly can I isolate the infected device or server? Do I have any regulatory or compliance obligations, such as HIPAA or GDPR, or a framework I have committed to, such as NIST, that dictate what I must do in the event of a breach? How will I train my employees to respond to a phishing attempt or a ransomware incident after hours? Will my cyber insurance cover a breach? What malware protection do I have in place, and besides my firewall, what other protection do I have? How will this incident change the way I handle future ones?

Why do you need an incident response plan?

No network is 100% safe from a cybersecurity breach. Unfortunately, 56% of Americans don't know what steps to take in the event of a data breach. According to Verizon's 2019 Data Breach Investigations Report, 32% of breaches involved phishing. Your IT team could work around the clock to implement and maintain cybersecurity defenses, but if the rest of your employees click on suspicious links and reply to phishing emails, your entire business is at risk. This is why your business needs a comprehensive cybersecurity incident response plan. After a cyberattack, seconds and minutes matter: delaying your response to an incident or outage can cost your business time, money, and valuable data. An effective response plan will help ensure you and your employees know exactly what to do when an incident occurs and how to contain the damage. You should also consider how the incident response process fits into your business continuity efforts.

What is an incident recovery team?

An incident recovery team is tasked with implementing your business's incident response plan. These are usually members of your IT staff who collect information, preserve evidence, and review post-incident metrics. If your IT staff or MSSP (managed security service provider) is not well-versed in compliance, they may need to consult with lawyers who can confirm that any legal obligations your business has in the event of a breach, such as notifying affected customers or regulators, are met during and after incident handling.

The NIST incident handling guide (SP 800-61) describes a 4-step incident response lifecycle:

Preparation

Detection and Analysis

Containment, Eradication, and Recovery

Post-Incident Activity

Incident Response Planning:

Segment Your Data

First, your critical data and the systems that hold it should be segmented on your network, with access between segments restricted to what each system actually needs. Too often, companies store all of their data in one place with flat network access, meaning that if a cyberattack occurs they may be in a position to lose everything. By segmenting your data you ensure that if a breach does occur, the attacker's reach is limited and losses will be far less severe than they otherwise would be.

Have an IRP: Incident Response Plan

An Incident Response Plan is absolutely critical to ensuring that your organization can respond quickly and effectively to a security incident. An IRP should designate an individual to be responsible if an incident does occur, along with an incident response team to aid that person. It should include elements such as how to report a suspected incident, who to call, and what measures should be taken immediately to reduce the impact of the data breach. After an incident, you should discuss lessons learned.

Perform Threat Hunting

Threat Hunting involves proactively searching your network and systems for signs of compromise that your automated defenses have not alerted on, before an attacker's activity turns into a full incident. This familiarizes your team with the network and data storage locations and gives them practice at spotting potential compromise. You can use threat intelligence feeds while hunting, or run hunts from a SIEM or security operations center. You can also empower and secure your business using open-source security tools like intrusion detection systems and open-source threat intelligence feeds. You should also consider how your IR plan will affect your security policy in the short term and long term. In addition, ensure that you have active network monitoring services.
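A concrete illustration of the kind of hunt described above, added here as an example and not code from the original post or from Touchstone Security. It runs two simple hunts over a handful of constructed SSH authentication log lines: it matches source IPs against a constructed threat-intelligence list, and it flags a successful login from a source that had already failed several times, the classic brute-force success pattern that a firewall alone will not surface. The log format, the IP addresses, the feed contents and the failure threshold are all assumptions.

```python
"""Added example: a small threat hunt over constructed SSH auth log lines.

Two hunts are applied to each line:
  1. threat_feed_match  - the source IP appears on a (constructed) IoC feed
  2. brute_force_success - a successful login from a source that already
     failed at least FAIL_THRESHOLD times in this log window
"""
import re
from collections import defaultdict

# Constructed sample log lines in OpenSSH/syslog style (not real data).
SAMPLE_LOG = """\
Mar  4 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 10:01:05 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  4 10:01:09 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 10:01:15 web1 sshd[1202]: Accepted password for deploy from 203.0.113.7 port 51250 ssh2
Mar  4 10:05:00 web1 sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  4 10:07:30 web1 sshd[1215]: Failed password for bob from 198.51.100.9 port 42000 ssh2
Mar  4 10:09:00 web1 sshd[1220]: Accepted publickey for bob from 198.51.100.9 port 42010 ssh2
"""

# Constructed indicator feed (assumption: a plain set of known-bad source IPs).
THREAT_FEED = {"203.0.113.7", "198.51.100.200"}

# Assumption: three failures before a success is enough to warrant a look.
FAIL_THRESHOLD = 3

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Yield (result, method, user, ip) for each sshd auth line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def hunt(log_text, feed=THREAT_FEED, threshold=FAIL_THRESHOLD):
    """Return findings as (rule, source_ip, detail) tuples, in log order."""
    findings = []
    failures = defaultdict(int)   # failed attempts seen so far, per source IP
    already_flagged = set()       # report each feed hit once, not per line
    for result, method, user, ip in parse(log_text):
        if ip in feed and ip not in already_flagged:
            already_flagged.add(ip)
            findings.append(("threat_feed_match", ip, f"first seen as user={user}"))
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            findings.append(("brute_force_success", ip,
                             f"user={user} via {method} after {failures[ip]} failures"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in hunt(SAMPLE_LOG):
        print(f"{rule}: {ip} ({detail})")
```

On the constructed input, the hunt reports 203.0.113.7 twice: once because it is on the feed, and once because its fourth attempt succeeded after three failures. The login from 198.51.100.9 is not reported, since one failure followed by a key-based success is ordinary user behaviour. In a real hunt the feed would come from your threat intelligence source and the log lines from your SIEM or the hosts themselves; the point is that the logic is simple enough to write and test before an incident, not during one.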

Train Your Employees

Your employees need to know what to do right away if an incident occurs. In many cases, untrained employees may ignore a security incident or, worse yet, try to hide it out of fear of repercussions. This can cost your company valuable time in which you could have been responding to the breach. Security Awareness Training is one of the most cost-efficient ways to reduce the risk of breaches and incidents. Studies show security-related risks are reduced by 70% when businesses invest in cybersecurity awareness training. Humans and technology need to work together to detect and respond to cyber threats. Preparing your people for the urgent IT security problems of the day, such as social engineering, spear-phishing and ransomware attacks, is an absolute must if companies expect to stay safe.

Contact Touchstone Security today to learn more about building an effective cyber security incident response plan.
