How to Create an Incident Response Plan
- Netacea, Agentless Bot Management
An incident response plan helps protect your business, customers, and finances in the event of a cybersecurity incident, or any kind of business disruption. It’s essential for business recovery and continuity as advanced and unknown cyber threats continue to gain ground.
Most companies don’t yet have an incident response plan. Only 19% of UK businesses have a formalized response plan, while just 46% of US businesses have a specific response plan for at least one major type of cyberattack. In fact, the number of businesses with an incident response plan for advanced persistent threats, insider incidents, and email fraud dropped from 2020 to 2021.
If you don’t already have one, creating an incident response plan should be a priority for any online business. Cybercriminals increasingly target SMEs that have fewer cybersecurity measures in place — so all kinds of businesses are vulnerable. Having an incident response plan in place helps contain and mitigate the impact of an attack, so you can get back to business more quickly.
In this article, you’ll learn:
- why you need an incident response plan
- what your incident response plan should include
- how to create, implement, and test your incident response plan.
What is an incident response plan and why do you need one?
An incident response plan is a clear, actionable process that should be followed when you suspect or detect a threat to your business. Threats include cybersecurity incidents such as ransomware, malware infection, data breaches, and account takeover, as well as unauthorized physical access to your offices or servers.
Cyberattacks can cause immeasurable damage to your reputation and your profits. Many companies have already racked up several million dollars in data breach fines and penalties. Identifying and mitigating an attack also costs time and money — especially if you’re caught off-guard.
An incident response plan helps you make fast, sound decisions that minimize the impact of an attack. It ensures staff know what to do in the event of an incident, that your customers and data are protected, and that you can identify flaws in your current security controls. A documented plan is also required by several standards, including ISO 27001 (the Annex A incident management controls) and PCI DSS (Requirement 12.10).
What makes a good incident response plan?
- Simple — use clear, unambiguous language and directions, so all stakeholders can understand and follow the incident response plan
- Accessible — all stakeholders should be able to refer to the incident response plan whenever they need to
- Flexible — include enough detail for staff to tackle virtually any threat, without making it cumbersome and complex
- Visual — use flowcharts, matrices, and scoring systems to help visualize and quantify incident impact
- Valid — test your incident response plan regularly to identify and address any flaws.
What should your incident response plan include?
Your incident response plan should outline who’s involved in the response; what their responsibilities are; and how they can record their actions. A basic incident response plan will include:
- Stakeholders and responsibilities
- Escalation criteria
- The core response process, which covers all incident phases
- Legal or regulatory procedures you need to follow.
Make your plan easy to follow by including guidance on specific incident types. You can also include checklists and forms to make sure all steps are followed, and the response is recorded correctly.
How to create an incident response plan
According to the NIST Computer Security Incident Handling Guide (SP 800-61), there are four incident response phases:
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident activity (review and lessons learned)
Writing the incident response plan is itself part of the preparation phase, but the plan must also set out how you will handle each of the other three phases.
Follow these steps to create your business-specific incident response plan.
Identify threats to your business
Different types of business are vulnerable to different threats. For example, eCommerce companies are more likely to be targeted by scraper bots and scalpers, while banks and other financial services are more likely to experience fraud and data theft.
Knowing which threats are most likely to create problems in your business can help you prioritize and prepare your response.
At this stage, you should also audit the effectiveness of your existing security systems, such as web application firewalls and network intrusion detection systems. Make any necessary upgrades or patches, and ensure the systems are fit for purpose. Arrange regular backups of your essential data, keep at least one copy offline or otherwise isolated from your production network, and test that you can actually restore from them, so you can recover your systems swiftly if needed.
Establish a threat detection system
Create a formal process for monitoring your systems and networks for threats. Some businesses entrust this to their staff alone, but most now rely on automated detection (intrusion detection, log and SIEM alerting, and increasingly machine-learning based tools), which is faster and more consistent than manual monitoring. Automated detection still needs tuning, and every alert needs a defined path to a human who will triage it.
That said, your staff should still be able to recognize a threat and know how to report it. Set up regular training sessions for your staff to keep their knowledge up to date.
Create a severity matrix
Establish a system for categorizing threats based on severity. You can use the CIA security triad as the basis of your matrix:
- Confidentiality — to what extent has the incident exposed data to unauthorized users?
- Integrity — to what extent has the incident impacted the reliability of your data and/or networks?
- Availability — to what extent is the incident affecting your business operations?
Use this triad to classify incidents into critical, high, medium, or low levels of severity. For most businesses, critical incidents are those that leave most staff unable to work, have a serious financial impact, or will cause significant unrecoverable data loss. Low-impact incidents usually have no or very limited impact on business output, data integrity, and finances.
Create an escalation plan
Your escalation plan outlines who should deal with an incident. This depends on the type of incident and its severity.
Low or medium-level incidents can often be resolved by managers or the IT team. High-level and critical incidents are often escalated to the Chief Information Officer or another member of the C-suite.
Ultimately, the escalation plan is about decision-making. You must decide who’s responsible for making business-critical decisions at each level of severity.
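The severity matrix and escalation plan described in the two sections above can be written down as a small, testable decision rule rather than a prose table. The following is an added example, not code from the Netacea article: the 0 to 3 impact scale per CIA axis, the rule that any of the three business-critical conditions forces "critical", the one-level bump when two or more axes are significantly affected, the role names in the escalation table, and the three sample incidents are all assumptions chosen to illustrate the approach.

```python
"""Severity matrix and escalation routing for an incident response plan.

Added example (not from the original article). The impact scale, the
classification rules, the escalation roles and the sample incidents are
illustrative assumptions, not a published standard.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Assumed 0-3 scale for each axis of the CIA triad."""
    NONE = 0
    LIMITED = 1
    SIGNIFICANT = 2
    SEVERE = 3


@dataclass(frozen=True)
class Incident:
    title: str
    confidentiality: Impact          # data exposed to unauthorized users?
    integrity: Impact                # reliability of data / networks affected?
    availability: Impact             # business operations affected?
    # The article's three "critical" conditions, recorded as explicit flags.
    staff_unable_to_work: bool = False
    serious_financial_impact: bool = False
    unrecoverable_data_loss: bool = False


SEVERITY_ORDER = ("low", "medium", "high", "critical")

# Assumed escalation table: who owns decisions at each severity level.
ESCALATION = {
    "low": "service desk / line manager",
    "medium": "IT team lead",
    "high": "head of IT / security lead",
    "critical": "CIO (or C-suite deputy)",
}


def classify(incident: Incident) -> str:
    """Map an incident to low / medium / high / critical.

    Rules (assumptions, following the article's description):
    - any business-critical condition -> critical
    - otherwise the worst CIA axis sets the base level:
      SEVERE -> high, SIGNIFICANT -> medium, LIMITED or NONE -> low
    - two or more axes at SIGNIFICANT or worse bump one level, capped at high,
      because critical is reserved for the business-critical conditions
    """
    if (incident.staff_unable_to_work
            or incident.serious_financial_impact
            or incident.unrecoverable_data_loss):
        return "critical"

    axes = (incident.confidentiality, incident.integrity, incident.availability)
    worst = max(axes)
    if worst == Impact.SEVERE:
        level = 2
    elif worst == Impact.SIGNIFICANT:
        level = 1
    else:
        level = 0

    if sum(1 for axis in axes if axis >= Impact.SIGNIFICANT) >= 2:
        level = min(level + 1, 2)
    return SEVERITY_ORDER[level]


def escalate(incident: Incident) -> dict:
    """Return the triage record: severity, decision owner and whether a
    customer-communication decision must be made (assumed for high/critical)."""
    severity = classify(incident)
    return {
        "incident": incident.title,
        "severity": severity,
        "owner": ESCALATION[severity],
        "customer_comms_decision_required": severity in ("high", "critical"),
    }


# Constructed sample incidents for illustration.
EXAMPLES = [
    Incident("Scraper bot hitting product pages",
             Impact.LIMITED, Impact.NONE, Impact.LIMITED),
    Incident("Credential stuffing, ~200 accounts taken over",
             Impact.SEVERE, Impact.SIGNIFICANT, Impact.LIMITED),
    Incident("Ransomware on file servers",
             Impact.SIGNIFICANT, Impact.SEVERE, Impact.SEVERE,
             staff_unable_to_work=True, unrecoverable_data_loss=True),
]

if __name__ == "__main__":
    for inc in EXAMPLES:
        record = escalate(inc)
        print(f"{record['severity']:>8}  {record['owner']:<30}  {record['incident']}")
```

Keeping the rule in one place means the severity levels that your flowchart, runbooks and ticketing automation refer to are all derived the same way, and the classification can be exercised in a tabletop exercise with sample incidents before a real one tests it.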
Establish the core response plan
Your core response plan contains specific actions your team will take to analyze, contain, eradicate, and recover from the incident.
- Analysis — first, confirm the threat isn’t a false positive. Then classify the threat based on your severity matrix, and escalate to the appropriate team member. Establish if, when, and how you will communicate with customers
- Containment — decide how you will reduce the impact of the attack with minimal disruption to staff, customers, and users
- Eradication — establish how to eliminate the threat altogether
- Recovery and review — restore your systems (from a backup if necessary), confirm the threat has not returned, and finalize any remaining tasks (such as informing customers and regulators or issuing a media statement). Then hold a post-incident review to record what happened, what worked, what didn’t, and which controls or plan steps need to change.
Most core response plans are non-linear. When you’ve put containment or eradication measures in place, you’ll need to continually monitor and analyze the impact of these and update your mitigation measures in response. Create a flowchart to show the cyclical nature of your incident response plan.
Fix flaws in your incident response plan
Address any vulnerabilities or gaps in your incident response plan. You may need to hire or upskill cybersecurity staff to ensure they can deal with advanced threats. You might also need to introduce new processes (such as taking regular data backups) or implement new systems.
Brief any staff who have responsibilities in the incident response plan. Make sure they have the confidence and expertise to carry out their role.
Incident response plan examples
The UK’s National Cyber Security Centre (NCSC) publishes an example incident response plan flowchart that shows the kind of visual, step-by-step layout described above.
The US Cybersecurity and Infrastructure Security Agency has also issued a detailed National Cyber Incident Response Plan. This outlines the federal government’s response plan for tackling cybersecurity incidents involving government or private sector organizations.
How to test and update your incident response plan
Threats are constantly evolving. Your plan should be tested regularly to make sure it holds up against the most advanced attacks.
- Penetration testing — locate vulnerabilities with regular pen testing so you can patch and upgrade your security systems
- Incident simulation — internal simulations ensure all staff know what to do when real incidents arise
- External incident response testing — get recommendations from security experts for how to improve your incident response plan
- Test for various scenarios — make sure you know what to do if your CIO is away, or you’re hit by an unanticipated attack type.
Top incident response tips
Don’t be too hasty
Overreacting to an incident can cause unnecessary damage to your reputation and/or your user experience. Avoid making rash decisions by following the incident response plan closely and escalating to more senior team members if needed.
Have a backup plan
Contingency plans are helpful for keeping your operations running. Make sure more than one person can carry out each task, so you’re covered if staff are out of the office. Introduce backup servers to keep your business online in case of an error or attack.
Use reliable, accurate threat detection systems
Fast, accurate threat detection can be the difference between a low-level incident and a full-blown crisis. Netacea’s bot detection software has a false positive rate of 0.001% — and with a machine learning engine, it identifies automated attacks faster than any human. Learn how Netacea detects and mitigates bad bots.