Incident response planning plays a critical role in maintaining a robust long-term security posture.
In this blog post, we outline some of the key errors organisations should avoid to ensure that they are ready to manage, minimise and mitigate the impact of a data breach or cyber-attack.
Failing to implement a response plan
The National Institute of Standards and Technology (NIST) defines an incident response plan as:
“The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber-attacks against an organization’s information system(s).”
Source: CNSSI 4009-2015, cited from NIST SP 800-34 Rev. 1
An incident response plan provides an essential roadmap to enable your organisation to respond quickly and effectively in the event of an incident. Vital time can be lost in setting out a strategy after an incident occurs. With a plan already in place, you can move forward more quickly to manage and mitigate the attack.
The plan should cover all the key information required to inform and guide your response to an incident. This should include the following:
- The parameters for your organisation’s definition of an incident
- Details of the people who will be contacted and included in the incident response
- Details of the people who will perform forensics and analysis
- The methodologies for preserving and collecting evidence
- Specific procedures to restore services
- All the relevant legal and/or regulatory requirements
Failure to consider all of this vital information in advance could lead to serious shortcomings in your response to an incident.
Not understanding your own environment
A clear overview of your on-premises and cloud environments, as well as the security tools and policies you have in place, is an essential foundation of successful incident response.
Having this information on hand and being ready to share it with security experts at the right time supports a comprehensive investigation and provides key indicators about the nature of the incident.
A lack of documentation relating to your environment could increase the costs of an investigation, as incident responders will need to spend time tracking down that information, adding to your fees.
Working with the wrong consultants
In the pressure of responding to an incident, it’s all too easy to rush the decision on which incident response consultants to use. To minimise the risks, it can be beneficial to develop a strong long-term partnership with a carefully selected provider.
A good incident response consultant will aim to fully understand your organisation and meet the specific requirements of your environment. It is important to select consultants with proven incident response experience. You should also check that the incident response experts you choose are available 24/7 remotely or on-site, and flexible enough to meet your requirements cost-effectively.
Not investing enough in incident response
Failing to adequately invest in incident response is a false economy. It can result in higher costs, with organisations scrambling to find consultants when an incident occurs.
An incident response retainer is a cost-effective way to reduce the risks. In addition to establishing a valuable long-term working relationship, the retainer also establishes a clear standard of service for your consultants and enables your organisation to act fast in the event of an incident.
Failing to test back-ups
Back-ups are a vital part of defending your organisation against the impact of a cyber incident like a data breach, particularly in the case of a ransomware infection. It is essential to regularly review them to ensure that they are working as intended. You should also test the restore speed of complete system back-ups to ensure that a fast recovery is possible, whatever the incident.
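The restore test described above can be automated. The script below is an added example, not Kroll's code or tooling: it assumes the backup is a tar.gz archive accompanied by a SHA-256 manifest recorded at backup time (kept separately from the archive), restores it into a scratch directory with each member's path validated so a tampered archive cannot write outside that directory, verifies every file against the manifest, and times the restore against a hypothetical recovery time objective (RTO). The sample files, manifest and RTO value are constructed for the demonstration.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed sample data standing in for a real backup set (not from the post).
SAMPLE_FILES = {
    "etc/app.conf": b"listen=0.0.0.0:8443\nmode=production\n",
    "var/db/customers.sqlite": b"SQLite format 3\x00" + bytes(range(256)) * 16,
    "var/www/index.html": b"<html><body>hello</body></html>\n",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Build a tar.gz archive in memory and return it with a manifest of
    path -> SHA-256. The manifest is what you record at backup time and store
    apart from the archive, so a corrupted or tampered archive can be detected."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_bytes(data)
    return buf.getvalue(), manifest


def restore_and_verify(archive, manifest, rto_seconds):
    """Restore the archive into a scratch directory, check every manifest entry,
    and report whether the restore completed inside the recovery time objective."""
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        start = time.perf_counter()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                # Resolve the destination and refuse anything that escapes the
                # scratch directory (absolute names or '..' components).
                dest = os.path.realpath(os.path.join(root, member.name))
                if not dest.startswith(root + os.sep):
                    raise ValueError("unsafe path in archive: %s" % member.name)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as out:
                    out.write(src.read())
        elapsed = time.perf_counter() - start

        # Compare what was restored against the manifest, not against the
        # archive itself: the archive is the thing under test.
        for path, expected in manifest.items():
            full = os.path.join(root, path)
            if not os.path.isfile(full):
                missing.append(path)
                continue
            with open(full, "rb") as fh:
                if sha256_bytes(fh.read()) != expected:
                    corrupt.append(path)

    within_rto = elapsed <= rto_seconds
    return {
        "restored": len(manifest) - len(missing) - len(corrupt),
        "missing": missing,
        "corrupt": corrupt,
        "seconds": elapsed,
        "within_rto": within_rto,
        "ok": not missing and not corrupt and within_rto,
    }


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    # Hypothetical RTO of 60 seconds for this tiny sample set.
    print(restore_and_verify(archive, manifest, rto_seconds=60))
```

Run on a schedule against a backup pulled from its storage location rather than the live system, so the test also exercises retrieval; a result with any `missing` or `corrupt` entries, or `within_rto` false, is the finding the review above is meant to surface before an incident does.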
If, like many organisations, you rely on cloud providers for a variety of services, it is important to check that incident response is covered in your contracts with them. Having the right type of agreement in place with your cloud providers will protect you against the challenge of being unable to access forensic images of your servers, emails and other assets which may be stored remotely.
How Kroll can help
Kroll is a leading provider of end-to-end cybersecurity, digital forensics and breach response services – responding to over 3,000 security events every year. Kroll is well-placed to help you respond effectively to many types of incidents and enhance your organisation’s incident response procedures, with experts on hand 24/7 to provide assistance across the incident lifecycle.