
7 Ways to Jump-Start Your Incident Response
Recent research indicates that only 25% of organizations have incident response plans. Without such plans, companies are extremely susceptible to potential cyberattacks, and the stark business reality is that they take much longer to recover.
Unfortunately, there are daily examples of major data breaches where a particular company’s incident response could have been managed more effectively.
In this first blog in a two-part series, we’ll examine why incident response plans are important for organizations like yours. Then, we’ll explain how your company can jump-start incident response by creating a plan of your own.
Why are Incident Response Plans Mission-Critical?
In certain cases, cybersecurity mandates and data privacy regulations such as HIPAA explicitly require the creation of an incident response plan. For example, organizations that want to remain HIPAA compliant are specifically required to develop plans for data backup, business continuity/disaster recovery, and emergency mode operation.
For all types of organizations, incident response plans help them to recover from incidents more quickly and effectively. Without an effective plan, organizations can experience debilitating attacks that last for days or weeks, rather than having their customers and users experience temporary outages that last for hours or minutes. An incident response plan is also likely to be required as a key component of your company’s cyber insurance renewal process.
Now, let’s examine practical steps you can take to optimize your response and recover more quickly.
1. Have A Current Incident Response Plan and Keep It Updated
This recommendation might sound obvious, but if you don’t have a formalized incident response plan, you need to create one now. If you do have a plan but it hasn’t been updated in the past six months, then take immediate action to update it.
Here are several reasons why you need to do so:
- It is no longer a matter of if, but when, a cyber-attack might occur. In fact, Anne Neuberger, U.S. deputy security advisor for cyber and emerging technology, said the following about ransomware attacks: “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.”
- In 2024, annual global ransomware payments totaled more than $800 million, while average attack downtime reached 17 days for medical organizations and 28 days for public entities. Can you afford to make sizable ransom payments, or have business productivity hampered for three weeks or more?
- Threat vectors are evolving more rapidly—along with cyber-attackers’ techniques—so you need to stay one step ahead of the game.
You can find an example of an incident response plan template here, and you can tailor it to your company’s unique requirements.
2. Engage External Legal Counsel When an Attack Occurs
Engaging external legal counsel as part of your incident response plan can help ensure that communications and work product related to the response are conducted under legal privilege, which gives your company’s response an extra level of confidentiality. If you haven’t already, reach out to your legal counsel for more details about this recommendation, so you can engage legal contacts appropriately the next time an incident occurs.
3. Involve Your Executive and Corporate Communications Teams
This is where a lot of companies struggle with their incident response. These days, social media and collaboration platforms like Microsoft Teams and Slack drive corporate communication, and poor social media buzz can have a devastating impact on your organization’s brand.
You need to make sure there’s a plan for executive management to comment on a timely basis when a potential breach occurs, if necessary.
Even more importantly, your customers, employees, and business partners need recovery updates on a routine basis. In other words, you don’t want complaints or negative buzz on social media platforms to drive how your company’s response is measured, which could impact customers’ willingness to do business with you in the future.
4. Practice Your Response Before Incidents Occur
Company executives usually practice for major presentations and prepare diligently for key meetings, but many organizations don’t practice their incident response plans before an incident occurs. Any effective incident response plan requires the use of tabletop exercises, where key stakeholders discuss their roles in response to future incidents, usually moderated by a facilitator or a project sponsor.
During the exercises, communications strategy, technological planning, and recovery priorities can all be discussed, agreed upon, and fine-tuned. Remember to involve all major organizational functions in your tabletop exercises, since effective response extends well beyond your IT team.
5. Imagine Life in a Non-Digital World
Most of us take access to data for granted. Imagine not having convenient access to traditional data repositories and communications platforms that you use on a daily basis. That is what you’ll experience when you encounter a major cyber-incident.
Maintain a manual listing of key phone numbers and colleagues’ contact information; ideally, everyone should have key colleagues’ contact information saved on their business mobile phones. Keep important recovery documentation, such as network diagrams and any other information required in the event of a catastrophic data breach or cyber-incident, in a secure data enclave. That enclave should be locked down and restricted to need-to-know company contacts.
6. Examine Your Data Backup and Recovery Policies
These days, many organizations are exploring snapshot recovery from potential ransomware attacks, insider threat situations, and even user errors. Snapshot recovery allows bulk deleted or encrypted data to be restored to its state at a specific point in time, using a simple web-based user interface (UI). Essentially, you can recreate your data environment from snapshots that are taken on a routine basis, permitting you to recover quickly and maintain business productivity.
For example, if you believe that a ransomware attack occurred on Sunday, June 29, at 4 a.m., then you can restore your data environment to how it appeared at 2 a.m. on the 29th, just prior to the attack.
In addition to automated snapshot recovery solutions, many data security professionals recommend that you follow a 3-2-1 data backup strategy, which is outlined in Egnyte’s Data Backup Governance Guide. That approach entails keeping three copies of data, utilizing two different storage types, and keeping one copy of your data off-site, so you can recover more rapidly.
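The point-in-time restore and the 3-2-1 rule described above, as an added example that is not Egnyte’s code or UI: it models a snapshot catalogue, picks the newest snapshot taken safely before the suspected compromise (the 4 a.m. attack restored from the 2 a.m. snapshot), and checks a list of backup copies against the 3-2-1 rule. The snapshot times, copy labels and the one-hour safety margin are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: datetime  # when the snapshot was captured (UTC)


@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str      # storage type, e.g. "disk", "object", "tape"
    offsite: bool   # held away from the primary site


def choose_restore_point(snapshots: Iterable[Snapshot],
                         suspected_compromise: datetime,
                         safety_margin_hours: float = 1.0) -> Optional[Snapshot]:
    """Return the newest snapshot taken at or before the suspected compromise
    minus a safety margin. The margin exists because the time damage became
    visible is rarely the time the attack began; a snapshot taken at the
    detection moment may already contain encrypted or deleted files."""
    cutoff = suspected_compromise - timedelta(hours=safety_margin_hours)
    candidates = [s for s in snapshots if s.taken_at <= cutoff]
    if not candidates:
        return None  # nothing old enough: retention is too short for this incident
    return max(candidates, key=lambda s: s.taken_at)


def check_3_2_1(copies: list) -> dict:
    """Evaluate the 3-2-1 rule: three copies, two storage types, one off-site."""
    media_types = {c.media for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media_types": len(media_types) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


# Constructed sample data: two-hourly snapshots on Sunday, June 29 (year assumed).
_day = datetime(2025, 6, 29, tzinfo=timezone.utc)
SNAPSHOTS = [
    Snapshot("snap-0000", _day),
    Snapshot("snap-0200", _day + timedelta(hours=2)),
    Snapshot("snap-0400", _day + timedelta(hours=4)),
    Snapshot("snap-0600", _day + timedelta(hours=6)),
]
SUSPECTED_COMPROMISE = _day + timedelta(hours=4)  # attack believed to start at 4 a.m.

# Constructed backup inventories: one that fails 3-2-1 and one that satisfies it.
WEAK_COPIES = [
    BackupCopy("primary-fileserver", "disk", offsite=False),
    BackupCopy("nightly-to-second-disk", "disk", offsite=False),
]
GOOD_COPIES = [
    BackupCopy("primary-fileserver", "disk", offsite=False),
    BackupCopy("cloud-object-store", "object", offsite=True),
    BackupCopy("weekly-tape-vault", "tape", offsite=True),
]

if __name__ == "__main__":
    chosen = choose_restore_point(SNAPSHOTS, SUSPECTED_COMPROMISE)
    print("restore from:", chosen.snapshot_id, chosen.taken_at.isoformat())
    print("weak set:", check_3_2_1(WEAK_COPIES))
    print("good set:", check_3_2_1(GOOD_COPIES))
```

With the default one-hour margin the 2 a.m. snapshot is selected, matching the page’s scenario; with a zero margin the 4 a.m. snapshot would be chosen instead, which is exactly the copy most likely to already hold encrypted data. Retention also matters: if the oldest snapshot is newer than the cutoff, the function returns `None`, and that gap is worth finding in a tabletop exercise rather than during a real incident.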
7. Tidy Up Your Data
One of the easiest and least expensive ways to simplify incident response is to make cyberattacks harder to carry out in the first place. This is accomplished by knowing what data you manage and where it’s located. You also need to make sure the right organizational contacts have access to the data on a “business need to know” basis. In addition, addressing content sprawl is one of the most effective ways to reduce your overall attack surface and increase users’ productivity.
Learn More
In Part 2 of our two-part blog series, we’ll explore key components of an incident response plan.