7 Ways to Jump-Start Your Incident Response

Egnyte’s recent independent cybersecurity study found that only 64% of organizations had incident response plans. Without such plans, companies are extremely susceptible to potential cyber-attacks, and the stark business reality is that they take much longer to recover. 

Unfortunately, there are daily examples of major data breaches where a particular company’s incident response could have been managed more effectively.

In this first blog in a two-part series, we’ll examine why incident response plans are important for organizations like yours. Then, we’ll explain how your company can jump-start incident response, by creating a plan of your own. 

Why are Incident Response Plans Mission-Critical?

In certain cases, cybersecurity mandates and data privacy regulations such as HIPAA explicitly require the creation of an incident response plan. For example, organizations that want to remain HIPAA compliant are specifically required to develop plans for data backup, business continuity/disaster recovery, and emergency mode operation. 

For all types of organizations, incident response plans help them to recover from incidents more quickly and effectively. Without an effective plan, organizations can experience debilitating attacks that last for days or weeks, rather than having their customers and employees experience temporary outages that last only for hours or minutes. An incident response plan is also likely to be required as a key component of your company’s cyber insurance renewal process. 

Now, let’s examine practical steps you can take to optimize your response and recover more quickly. 

1. Have A Current Incident Response Plan and Keep It Updated 

This recommendation might sound obvious, but if you don’t have a formalized incident response plan, you need to create one now. If you do have a plan but it hasn’t been updated in the past six months, then take immediate action to update it. 

Here are several reasons why you need to do so: 

• It is no longer a matter of if, but when, a cyber-attack might occur. In fact, Anne Neuberger, U.S. deputy security advisor for cyber and emerging technology, said the following about ransomware attacks: "All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.” 
• The average payment in a ransomware attack rose to $570,000 in 2021, and the average attack downtime in Q4 2021 reached 20 days. Can you afford to make ransom payments of that size, or have business productivity hampered for nearly three weeks? 
• Threat vectors are evolving more rapidly—along with cyber-attackers’ techniques—so you need to stay one step ahead of the game. 

You can find an example of an incident response plan template here, and you can tailor it to your company’s unique requirements. 

2. Engage External Legal Counsel When an Attack Occurs 

Engaging external legal counsel as part of your incident response plan can help communications and work product related to the response to be conducted under legal privilege, which gives your company’s response an extra level of confidentiality. If you haven’t already, reach out to your legal counsel for more details about this recommendation. You can also watch Egnyte’s recent webinar “Recovery After a Cyber Attack,” where the topic is discussed in detail. 

3. Involve Your Executive and Corporate Communications Teams 

This is where a lot of companies struggle with their incident response. These days, social media and collaboration platforms like Microsoft Teams and Slack drive corporate communication, and poor social media buzz can have a devastating impact on your organization’s brand. 

You need to make sure there’s a plan for executive management to comment on a timely basis when a potential breach occurs, if necessary. 

Even more importantly, your customers, employees, and business partners need recovery updates on a routine basis. In other words, you don’t want complaints or negative buzz on social media platforms to drive how your company’s response is measured, which could impact customers’ willingness to do business with you in the future. 

4. Practice Your Response Before Incidents Occur

Company executives usually practice for major presentations and prepare diligently for key meetings, but many organizations don’t practice their incident response plans before an incident occurs. Any effective incident response plan requires the use of tabletop exercises, where key stakeholders discuss their roles in response to future incidents, usually moderated by a facilitator or a project sponsor. 

During the exercises, communications strategy, technological planning, and recovery priorities can all be discussed, agreed upon, and fine-tuned. Remember to involve all major organizational functions in your tabletop exercises, since effective response extends well beyond your IT team. 

5. Imagine Life in a Non-Digital World 

Most of us take access to data for granted. Imagine not having convenient access to traditional data repositories and communications platforms that you use on a daily basis. That is what you’ll experience when you undergo a major cyber-incident. 

Maintain a manual listing of key phone numbers and colleagues’ contact information; ideally, everyone should have key colleagues’ contact information saved on their business mobile phones. Isolate important recovery documentation like network diagrams and critical information that’s required in the event of a catastrophic data breach or cyber-incident in a secure data enclave. That enclave should be locked down and restricted to need-to-know company contacts.

6. Examine Your Data Backup and Recovery Policies 

These days, many organizations are exploring snapshot recovery from potential ransomware attacks, insider threat situations, and even user errors. Snapshot recovery allows bulk deleted or encrypted data to be restored from a specific timeframe, with the use of a simple web-based user interface (UI). Essentially, you can recreate your data environment from snapshots that are created on a routine basis, permitting you to recover quickly and maintain business productivity. 

For example, if you believe that a ransomware attack occurred on Sunday at 4 a.m., then you can restore your data environment to how it appeared at 2 a.m. that morning, just prior to the attack. 

In addition to automated snapshot recovery solutions, many data security professionals recommend that you follow a 3-2-1 data backup strategy, which is outlined in Egnyte’s Data Backup Governance Guide. That approach entails keeping three copies of data, utilizing two different storage types, and keeping one copy of your data off-site, so you can recover more rapidly. 

7. Tidy Up Your Data

One of the simplest and least expensive ways to simplify incident response is by making cyber-attacks more challenging for attackers in the first place. This is accomplished by knowing what data you manage and where it’s located, You also need to make sure the right organizational contacts have access to the data on a “business need to know” basis. In addition, reducing content sprawl is one of the most effective ways to reduce your overall attack surface and increase users’ productivity. 

Learn More

In Part 2 of our two-part blog series, we’ll explore key components of an incident response plan.

‍