Help, I've got ransomware. What do I do next?
A high level plan for detecting, responding and recovering from ransomware.
5 min read
itfoundations
Originally posted on September 17, 2024
Last updated on October 03, 2024
Cyber incidents cause significant damage to businesses and institutions across the world every year: lost productivity, reputational damage, leaks of confidential data and, in extreme cases, loss of livelihood. Accepting that this could happen to you, and planning for it, will significantly reduce the risk and help you recover faster.
A cyber incident is typically defined as any event in which the security of a computer system or network is breached, or in which that system or network is used to cause harm.
According to the UK's National Cyber Security Centre (NCSC), cyber incidents can manifest in various forms, including denial of service, malware, ransomware, or phishing attacks.
The UK Cyber Security Breaches Survey 2023 noted that businesses with a formal incident response plan are more likely to identify and mitigate breaches quickly, reducing downtime and financial losses.
Incidentally, it also noted that businesses with incident response plans are more likely to implement comprehensive cyber hygiene measures, such as up-to-date malware protection, password policies and network firewalls, which further reduce the impact of cyber attacks.
Having an incident response plan in place will help your team remain composed if a cyber attack occurs. Panicking and implementing knee-jerk reactions in the heat of the moment can increase the damage done by an attack.
Who should be involved? The management team as a minimum: Finance, HR and Operations all need to take part. There needs to be buy-in from the owners, board or trustees, and you should also involve your IT team or IT support company. This last point is critical, as they need to know how to react in the first instance and when to invoke the plan.
When should you start? Now! If you apply the 80:20 rule and get as much done as you can with the minimum effort, you will reap the reward. It's not a one-time activity: the plan needs to be tested at least annually, and every time you test it you can make it better.
By following the six steps below you can create your cyber incident response plan:
1. Arrange cyber insurance
2. Build an incident response team
3. Write the incident response plan
4. Write a business continuity plan
5. Write a disaster recovery plan
6. Test and refine the plans
We'll take each of these in turn and explain what you need to do to ensure you're ready if the worst should happen.
The first step may seem like an odd place to start, but ensuring that you have good-quality cyber insurance that will cover you in the event of an incident is crucial, as the costs involved in recovering from an incident can be significant.
Your policy should cover:
Ideally, your insurer will have a specialist cyber incident team to guide you and your IT partner through the incident and ensure you can make a successful claim. Every insurer has different requirements for how an incident is handled, so it's important to contact them immediately if an incident occurs, before your IT team takes any measures (such as wiping or rebuilding affected machines) that could destroy evidence and invalidate your claim.
The second step is building an incident response team (often shortened to an IRT) with defined roles in the event of a cyber incident. It ensures that everyone knows their duties and there's no ambiguity over who is to do what.
You will need to appoint:
A team lead: to coordinate all aspects of your response. This person should be well connected and have the authority to make decisions
A technical lead: to implement your technical response (this may be your external IT partner if you don't have anyone technical within your team)
A legal lead: to liaise with your lawyers and formulate your legal position and response (this may be your lawyer)
A communications lead: to coordinate and manage all internal and external communications
The third step, once you have identified your team, is for them to plan the steps that should be taken, in the order they should be taken, if an incident occurs. Ideally, they should formulate variants for different types of cyber incident (for example ransomware versus a phishing compromise), which means that identifying the type of incident should itself be one of the first steps in the documented procedure.
Your structure will look something like this:
The full plan should include contact details for all parties (including your insurer, IT partner and lawyers), along with backup contacts in case the primary contact is unavailable. Keep a printed or otherwise offline copy: if the incident takes your email, file servers or intranet offline, a plan that lives only on those systems is of no use.
The fourth step is your business continuity plan, which is key to minimising the business's loss of productivity during a cyber incident. We published a guide that goes into the topic of creating a business continuity plan in depth.
This plan should include your documented steps for how and where staff can work when your office or primary IT systems are offline. You need to consider whether:
The fifth step is your disaster recovery plan. This is the stage you implement after your insurance company permits you to rebuild your systems, which is usually only once they have finished their forensic examination to identify the cause and extent of the attack.
This involves rebuilding your computers, servers, networks, firewalls and other technology from backups. It is becoming more common for attackers to target a company's backups to increase the chance of a ransom being paid, so it's important to make sure that your backups are kept secure and separate from your production network, with multiple copies available (ideally at least one copy offline or immutable, so that an attacker who has taken over your administrator accounts cannot delete or encrypt it), and that you have tested that they actually restore.
The forensic examination may also establish how long the attacker had access before the incident was detected. If that period predates your backups, the attacker's malicious code or persistence mechanisms may be present in every backup, in which case a meticulous, granular restoration (restoring data rather than whole systems, and cleaning or rebuilding each system before it is reconnected) will be required. This takes significant time and therefore significant cost.
Identify the systems that you need to restore first (security and payroll are usually high on the priority list for most companies) and document the order in which you want systems to be restored, along with the dependencies between them, such as identity services and networking that other systems rely on. This will assist your IT team.
Unfortunately, once you've completed the above steps you are not finished. The sixth step is to test.
Your plans need to be practised with staff in dry runs and rehearsals, focusing on different types of simulated cyber incidents.
Each time you run through the cyber response plan you should identify areas for improvement and update your plans until you are confident that they cover as much as you can reasonably prepare for and everyone knows their role.
The NCSC's Exercise in a Box is a great place to start with planning and testing your incident response plans.
It provides free exercises covering a variety of scenarios to help you and your senior staff craft and refine your response procedures in the event of a cyber attack.
If you would like assistance with your incident response planning then we can help you. Just get in touch with your team of cyber experts today.