Companies are increasingly aware of the cybersecurity risks they face but, with the size and frequency of data breaches increasing, they should also be prepared to handle a security incident if it happens.
The best way to cope? Hit the ground running. Every business needs a well-structured, efficient incident response plan to help to contain a breach and limit its damage.
So what does such a plan look like? At a high level, GCHQ’s National Cyber Security Centre provides a guide to incident management as part of its ‘10 Steps to Cyber Security’ guidance.
It discusses the need to establish an incident response capability and provide specialist training across a range of technical and non-technical skills. This will be especially important when detecting and containing a cybersecurity threat, and stopping it from spreading further.
The government’s guidance also makes a point of defining the required roles and responsibilities, which is one of the most important components of all. A team is only as good as its players.
To be truly effective, an incident response plan must be multi-disciplinary. When a breach occurs, a company must mobilise not only its technical staff to contain the problem, but also its legal team to assess corporate liability and potentially advise on forensic data gathering.
Other parties must be involved too. Compliance experts must ensure the organisation covers its regulatory bases, which will be an even more important component in 2018 when the GDPR’s strict data protection and data breach notification measures come into play.
Marketing communications executives must handle crisis management and notify other key stakeholders outside the company. Human resources must explore how staff followed policies in the breach (or didn’t), and refine those policies while potentially applying disciplinary measures. Financial staff must assess the monetary impact, and let’s not forget customer service executives who must handle irate customer queries at the ‘sharp end’ of the problem.
Other aspects of a robust incident response plan according to UK government guidance include establishing a data recovery capability, which can be especially important in ransomware cases.
However, an organisation’s incident response plan is only going to be effective if there is C-suite support. Board-level executives must appreciate and buy into the need for cybersecurity preparedness, and allocate the appropriate financial and human resources to support it.
Reassuringly, this is already the case for many of the 48% of companies that do have a plan, according to our 2017 Global Risk:Value report. These organisations allocated responsibility for executing the incident response plan evenly between the CEO (23%), CIO (21%), CISO (22%) and COO (21%).
Finally, executives should communicate a broader security policy to everyone, because all employees play a part in supporting it. If organisations can prevent security incidents with a security policy, they hopefully will never need to pull that incident response team together for active duty.
Now is the time to get ahead of this issue by drawing together key executives and ensuring that both these policies are locked and loaded. In this security climate, they are two of the most important documents a business could have.