Cyber Incident Response: How to Be Prepared, Ready and Able
By Tim Marlin
Every business that uses the Internet is vulnerable to cyber crime. You may have taken every conceivable step to secure your network and determined cyber criminals will still find a way in. That’s why an incident response plan (IRP) is a critical component of your cyber security tool kit. When the inevitable occurs, an IRP helps you and your team respond quickly and effectively to contain the damage and minimize the costs. It could literally save your business.
But an IRP by itself is not enough. In order to do what it’s intended to do, an IRP needs to be a living document with procedures that are tested and put into practice before your business falls victim to an attack.
Begin With a Solid IRP
Your IRP must be tailored to the cyber risks your business faces. Include procedures in sufficient detail to guide the activities of your team for each of the following steps:
- Preparation – Identifying internal employees and outside vendor services who will handle potential incidents and preparing them for their role in incident response
- Detection – Monitoring the network and differentiating between minor events and major incidents with appropriate escalation processes
- Containment – Isolating the infected devices and analyzing the cause of the infection
- Recovery – Eradicating the cause of the infection (such as by blocking malicious IP addresses, changing passwords, patching holes and fixing vulnerabilities) and putting the network back into production while complying with regulatory requirements and protecting the company’s brand
- Post incident review – Lessons learned about the cause of the incident and its costs as well as remedial actions to improve security to avoid future incidents.
If you have cyber insurance coverage, work with your insurance carrier to ensure your IRP meets any procedural requirements for your policy.
Put Your IRP Into Practice
Once you have an IRP in place, your next steps are to maintain it as an integral part of your business operation. These steps taken on a routine basis will help your team be prepared and able to respond when a cyber event strikes:
- Review. Review your IRP with the response team at least annually. Verify that it is up to date with the names of all team members and their contact information. Validate all policies and processes to ensure they align with the current state of your organization and its best practices. Also keep pace with new threats arising in the world of cyber and update your procedures as required to provide an adequate response to incidents.
- Train: A well-implemented plan depends upon a well-trained team. Make sure everyone on your team understands the IRP policies and procedures and has in-depth knowledge of their specific responsibilities. Conduct reviews and retraining on an annual basis and when plan revisions are made; offer special training sessions as newcomers are recruited to the team. Also keep your entire staff aware of data security practices such as how to detect malware and spot and report signs of a data breach.
- Practice: Every six to 12 months, put your IRP to the test. This cyber equivalent of a fire drill is critical to ensuring that your plan is effective and that your team is armed with the experience needed to put it into action. You will also come away with a better understanding of where improvements can be made.
For each practice session:
- Begin by creating a series of exercises that simulate cyber crime conditions your business might actually experience.
- Require the participation of every member of the response team, including internal staff and outside vendors.
- Set the stage. This should not be a comfortable walkthrough; rather, it must simulate the pressure of an actual breach scenario. Enlist an outside facilitator (such as a law firm) or dedicated security staff member to keep participants in action and on their feet.
- Using your various exercises, test your plan’s every procedure from detection and containment to remediation and recovery.
- Evaluate results and lessons learned, and identify specific improvements to the plan. Larger firms may be able to take advantage of “table-top exercises” offered through their insurance carrier for the testing of vendor services, such as attorneys, forensics firms and call centers. Contact your broker to see if these services are available to your business.
Update: Keep your plan up to date with drill results and any other refinements identified in your review process. Remember to always share any changes with your insurance carrier to ensure that any requirements for coverage are met. If you should change insurers, make sure your process aligns with your new policy.
Role of Insurance
If your business experiences a data breach, your cyber insurance policy may effectively serve as an IRP even if you have nothing else in place. While coverage varies, many carriers provide guidance on what to do after an event and offer access to experienced breach partners who can assist you in meeting your obligations to regulators and customers. Risk management services may also be available to help reduce the likelihood of breach in the first place.
About the Author
Tim Marlin is head of cyber underwriting for The Hartford. He has over 15 years of cyber, technology errors and omissions, professional, and management liability insurance.
Any product described in this document may be offered by one or more of the property and casualty insurance company subsidiaries of The Hartford Financial Services Group, Inc. All products may not be available in all states or to all businesses. Certain products may be provided on a surplus lines basis and require the use of a surplus lines broker. Surplus lines policies are generally not protected by state guaranty funds.
The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries.