Among the many topics that battle for risk managers’ attention, cybersecurity incident response planning is one that repeatedly surfaces each year with escalating frequency. Yet surprisingly, according to a 2018 Ponemon Institute study, only 24% of companies have a cybersecurity incident response plan (IRP) implemented consistently across the enterprise. Unquestionably, every company must prioritize capital expenditures, staffing and time across the wide expanse of business priorities. However, IRPs are no longer something that can be put off or addressed casually. The growing stringency of security standards and federal requirements, not to mention the very real possibility of irreparable damage from a breach, make inaction a failing proposition for enterprises of all sizes.
First, let’s look at why most enterprises must have a formal, tested IRP. Most security standards and legislation, including PCI-DSS, HIPAA, HITRUST, FISMA and FedRAMP require them, and frameworks such as NIST include them as core. Should your enterprise sustain a breach, you will likely lose your compliance and potentially be issued stiff fines. Some of these frameworks go the extra step of requiring proof of the appointment of specific designees, training on and testing of the plan, and identification of a process to regularly evaluate and improve the plan. Further, the new Securities and Exchange Commission’s (SEC) updated interpretive guidance, issued earlier this year, requires publicly traded companies to disclose breaches and their significance much more quickly than before, meaning they will have to have a process in place if they are to respond rapidly.
Whether beholden to compliance standards or not, most companies should understand by now that a breach can have devastating impacts. While a larger organization may be able to better withstand the loss of productivity, brand damage and associated costs of legal fees, containment, eradication and brand re-imaging, they make more frequent targets, their attack surface is larger, and they have greater challenges with visibility and control of all threat vectors. Small companies tend to lack IT staffing and funds, and while they are less likely to be a target, they lack the redundancy and resiliency to recover from an attack. Mid-sized organizations may have better visibility and some technical staffing, but they offer value to attackers and limited ability to recover. IRPs can and should be tailored to the size and needs of the business.
Just having an IRP is not sufficient. These plans exist to protect the business from the very real threat and consequences of a cyberattack; assuring the plan is robust enough to do the job is critical. All organizations should also consider cyber insurance—however, many risk insurance underwriters require an IRP, and offer reduced policy rates if the IRP is more rigorous.
A complete IRP contains many technical and non-technical elements, and even many large enterprises lean on third-party experts for elements of execution, such as incident forensics, eradication and remediation. The recommended elements of an IRP include:
- Preparation: Includes defining the incident response team, their roles and responsibilities, defining incidents, their associated impacts, how to limit those impacts, and recovery strategies. The organization must determine if they have the forensic capabilities to investigate incidents.
- Detection/analysis: Includes defining internal and external attack vectors and their sources, establishing baselines for expected system and user behavior, and then categorizing/prioritizing incidents by type and impact. It also includes establishing who on the incident response team gets notified and when. The organization can then determine if or when to begin forensics.
- Containment, eradication and recovery: Following detection and analysis, companies can decide on containment, eradication and recovery activities. Understanding the organization’s risk tolerance is key as this lays the foundation for defining containment strategies.
- Post-incident activity: Includes documenting efforts taken to respond and recover from the incident (establishment of benchmarks, or baselines for assessing performance in response activities), determining what evidence should be retained, for how long and where, and concluding which effective strategies should be incorporated and documented into the plan.
The IRP presupposes that the organization has either in-house or third-party capabilities to monitor for, detect and alert the organization to threats (a mature cybersecurity capability), as well as contain, eradicate and recover from them. Many organizations do not, and they can employ third party experts to help them not only create an IRP but play crucial roles in their plans.
Testing the plan against multiple potential scenarios (starting with table-top exercises) is critical to ensuring it will serve your actual needs in an event. Reviewing it periodically and updating it, not only for your enterprise’s evolving environment but also the changing regulatory landscape, is important. The updated SEC guidance is a good example of why this is necessary; companies will need to assure they have a workflow to immediately communicate internally to halt stock trading and provide external disclosure more rapidly and with a greater level of specificity than ever before.