7 Key Steps of Incident Response That Protect Your Organization

From 2021 to 2023 there was a 72% increase in the number of data breaches. With an increase in breaches of that magnitude, you would think that organizations would implement ways to prevent them from happening sooner rather than later.

Although not a method of front-end breach prevention, incident response plans are a key component that organizations need in case they fall victim.

They coincide with the mentality that many cybersecurity experts share that it’s not a matter of IF your organization falls victim to a breach, it’s a matter of WHEN.

Yet only 45% of companies have an incident response plan in place.

That statistic points out a huge problem. Here’s why. As I just mentioned, most cybersecurity experts expect that every organization will experience a breach at some point in the future. If their expectations are true, how are the majority of organizations going to know how to respond?

Simply put, they’re not. And even if they did, it wouldn’t be as organized as it needs to be.

If your organization falls within the majority that we’re discussing, that’s OK. The fact that you’re reading this blog post tells me that you’re already making huge strides in bettering your organization’s cybersecurity environment.

So, let’s go through incident response in full from what it is to the 7 key steps that make up a thorough plan.

What is an Incident Response Plan?

To understand the steps involved in Incident Response, we first need to understand what Incident Response is.

An incident response plan is a comprehensive document that outlines the procedures an organization follows when responding to a security incident.

Security incidents may include…

  • Data breaches

  • Cyber-attacks

  • Other unauthorized activities that pose a threat to the organization's information systems

But once this plan exists, you can’t just set it and forget it. You’ll need to review it on an annual basis to maintain its accuracy and relevance. After all, the IT landscape changes all of the time.

Why You Need an Incident Response Plan

There are many reasons why you and your organization need a formally drafted incident response plan. I hinted at a few during the introduction of this blog post, but it’s worth going through the individual reasons in more detail.

Let’s work through 6 of the main reasons…

Reason 1: Preparation for The Unknown

I get that there’s already a lot to worry about in today’s corporate world, and cybersecurity might seem like MORE work to do.

Yet, there is so much at stake when it comes to breaches. Think about what would happen if a hacker gets into your system and gets their hands on your clients’ data. How would that impact the relationships you’ve built over the years? I don’t think your clients would ever view you in the same positive light as they do right now.

An incident response plan helps you prepare for unforeseen cyber events with confidence. Yes, it’s a backend plan that exists to provide you with prepared steps to take AFTER a breach. Yet, you can build in communicative steps to affected clients so that you’re not destroying your reputation with them.

Reason 2: Continuous Improvement

It’s no surprise that the first time we attempt something new, we are often bad at it.

Over time we can become more efficient on that task.

Again, by reading this blog post you’re already taking your first steps toward not only creating an incident response plan but also working towards continuous improvement.

Once your first crack at your organization’s incident response plan is in place, you’ll then continuously improve it over time.

Reason 3: Gap Exposure

The first step anyone takes in researching any new project starts with Googling. I’d wager that you got to this blog post by finding it on Google. I also bet that after you’ve finished reading this post you’re going to Google “Incident Response Plan Template” as the next step in your research process.

None of what I just said was to shame you. I would do the same thing. You’re making the right research steps. 

The point I’m trying to make with all of this is that you’re going to come across an incident response plan template that has a ton of questions and information about things you know nothing about within your organization. That’s not so much of a problem as it is an opportunity.

The creation process of your incident response plan will naturally help you identify gaps in your organization’s cybersecurity ecosystem, enabling you to make improvements and minimize the risk of an incident occurring.

Reason 4: Proper Identification

In the event of a cyber-attack, one of the first things to do is to let the right people know.

You’re likely required by law to send out some form of breach notification. I know for certain that if you’re in the healthcare space you’re required to by HIPAA.

Adopting an Incident Response plan forces you to establish an incident response team, consisting of proper contact information and defined roles.

This, in turn, allows workforce members outside of the team to contact the right person at the right time.

Reason 5: Compliant with Requirements

There are many regulatory frameworks and industry standards that strongly recommend that organizations establish and maintain an incident response plan.

These frameworks include the likes of…

Adopting an incident response plan will ensure compliance for those sections of the framework.

Reason 6: Cost Reduction

Incidents can be expensive. I can’t just say that without backing it up! Take a look at some of the most expensive data breaches…

  1. Epsilon: $4 billion

  2. Veterans Administration: $500 million

  3. Hannaford Bros: $252 million

  4. Sony PlayStation: $171 million

  5. Target: $162 million

The costs associated with a breach have a lot to do with the size of your organization. However, the largest cost factor associated with breaches oftentimes is the effort it takes the organization’s employees to correct the problem.

Having a well-thought-out incident response plan heavily reduces the cost associated with downtime. It provides a pre-built and anticipatory step-by-step guide for every department within an organization to work towards fixing a breach.

This potentially saves you and your organization thousands of dollars!

7 Thorough Steps of Incident Response

Now that you know what an Incident Response Plan is and why your organization needs one, let’s dive into the 7 key steps.

The steps outlined in this list are a broad overview of necessary actions to take in response to an incident. You should incorporate each step into your organization’s incident response plan. I also imagine that the steps listed here aren’t the only steps you’ll need either since every organization runs a little bit differently.

However, these steps will set you up with a nice foundation.

Step 1: Preparation

The first step is the building block of creating an incident response plan.

In this step, you start by establishing the roles and responsibilities of the incident response team to follow.

I know what you’re thinking, “What are the roles that I need to establish?”

Here’s a detailed breakdown of the roles and responsibilities for each member of an incident response team…

  • Incident Response Manager: Oversees the entire incident response process, coordinates the team's activities, and communicates with key stakeholders.

  • Security Analyst: Monitors and analyzes security alerts to detect and prioritize incidents, maintaining detailed incident logs.

  • Tech Lead: Secures and examines digital evidence to determine the cause and impact of security breaches, producing detailed investigative reports.

  • Legal Advisor: Ensures compliance with legal standards during incident response, manages legal risks, and liaises with law enforcement.

  • Communications Coordinator: Manages all internal and external communications related to incidents, maintaining public trust and organizational integrity.

  • IT Specialist: Provides technical support to mitigate incidents, manages system recoveries, and applies necessary security updates and patches.

Each role is crucial for the effective management of security incidents, ensuring quick recovery, minimizing damage, and preventing future threats. This structured approach to incident response not only mitigates the impacts of security incidents but also strengthens the overall security posture of the organization.

The organization should also gather a list of all of its IT and Network assets and analyze them for possible vulnerabilities.

Step 2: Identification

During the identification step, you must monitor your systems to identify anything unusual. Gather evidence such as logs to build a repository of ‘normal’ behavior for your systems.

This will allow for easier identification of a possible incident and help you become more familiar with how your systems normally function.

This step exists as both a preventative and a detection step. By creating a consistent monitoring schedule, you and your organization will be able to identify any discrepancies quickly. Imagine how long it would take you to identify if an incident occurred if you didn’t look for discrepancies.

Not having an identification step in place is likely the reason why it takes an average of 277 days for businesses to notice a breach of their systems.
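To make the “repository of ‘normal’ behavior” concrete, here is an added example (not code from the original post) of the identification step in Python: it builds a per-user baseline from a window of authentication log lines, then compares new log lines against that baseline and reports discrepancies. The log format, user names, addresses and timestamps are all constructed for the example and do not correspond to any real system; the three signals it checks (new source address, activity outside the hours seen in the baseline, repeated failed logins) are a deliberately small starting set.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines representing the "normal" window (not real data).
BASELINE_LOGS = """\
2024-03-04T09:02:11Z auth user=alice src=10.0.1.15 result=success
2024-03-04T09:05:40Z auth user=bob src=10.0.1.22 result=success
2024-03-04T13:14:02Z auth user=alice src=10.0.1.15 result=success
2024-03-05T08:58:30Z auth user=carol src=10.0.2.8 result=success
2024-03-05T10:20:05Z auth user=bob src=10.0.1.22 result=failure
2024-03-05T10:20:40Z auth user=bob src=10.0.1.22 result=success
2024-03-06T09:30:00Z auth user=carol src=10.0.2.8 result=success
2024-03-06T16:45:12Z auth user=alice src=10.0.1.15 result=success
"""

# Constructed sample log lines from a later day, to be checked against the baseline.
NEW_LOGS = """\
2024-03-07T09:10:00Z auth user=alice src=10.0.1.15 result=success
2024-03-07T02:13:44Z auth user=bob src=203.0.113.77 result=failure
2024-03-07T02:13:51Z auth user=bob src=203.0.113.77 result=failure
2024-03-07T02:14:03Z auth user=bob src=203.0.113.77 result=failure
2024-03-07T02:14:20Z auth user=bob src=203.0.113.77 result=success
2024-03-07T09:00:00Z auth user=carol src=10.0.2.8 result=success
"""

# Assumed (constructed) log format: "<timestamp> auth user=<u> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_events(text):
    """Parse log lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "result": m["result"],
        })
    return events


def build_baseline(text):
    """Per-user profile of 'normal': source addresses seen and the hours of activity."""
    profiles = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ev in parse_events(text):
        profiles[ev["user"]]["sources"].add(ev["src"])
        profiles[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(profiles)


def find_discrepancies(baseline, text, failure_threshold=3):
    """Compare new events to the baseline; one finding per (user, reason) with a hit count."""
    findings = {}
    failures = defaultdict(int)

    def note(ev, reason):
        key = (ev["user"], reason)
        if key not in findings:
            findings[key] = {"user": ev["user"], "reason": reason,
                             "first_seen": ev["ts"], "count": 0}
        findings[key]["count"] += 1

    for ev in parse_events(text):
        profile = baseline.get(ev["user"])
        if profile is None:
            note(ev, "account not present in baseline")
            continue
        if ev["src"] not in profile["sources"]:
            note(ev, f"new source address {ev['src']}")
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if not lo <= ev["ts"].hour <= hi:
            note(ev, f"activity outside baseline hours {lo:02d}-{hi:02d}")
        if ev["result"] == "failure":
            failures[(ev["user"], ev["src"])] += 1
            if failures[(ev["user"], ev["src"])] == failure_threshold:
                note(ev, f"{failure_threshold} failed logins from {ev['src']}")
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for f in find_discrepancies(baseline, NEW_LOGS):
        print(f"{f['first_seen']:%Y-%m-%d %H:%M} {f['user']}: {f['reason']} (x{f['count']})")
```

Run on the constructed input, the script is quiet about alice and carol, whose activity matches the baseline, and reports three findings for bob: a source address never seen before, activity outside the hours the baseline knows, and three failed logins from that address before a success. The baseline here is only as good as the window it was built from, which is why the post recommends a consistent monitoring schedule: a baseline captured during an incident would teach the detector that the incident is normal.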

Step 3: Containment

If an incident occurs, what should an organization do?

One of the first steps after identifying an incident, other than sounding the alarm to your incident response team, is to contain the attack.

This will help prevent further damage to your systems and prevent additional loss and unauthorized access.

Here are some example steps for incident containment…

  1. Initial Containment: Quickly isolate affected systems and secure critical assets to prevent further spread of the breach.

  2. System Backup: Back up affected systems and data immediately to preserve evidence and ensure the integrity of the backups.

  3. Implement Short-term Fixes: Apply necessary patches and change compromised credentials to mitigate the vulnerability temporarily.

  4. Strengthen Defenses: Enhance security measures and increase monitoring to detect and prevent additional incidents.

  5. Long-term Containment Strategy: Develop redundancy plans and prepare for a thorough recovery, ensuring the threat is fully contained and understood.

While containing the attack, you should also be examining the scope of the incident to determine the extent of the affected systems.

Step 4: Eradication

Once you’ve contained the attack and further analyzed the root cause of the incident, it’s time to eradicate it.

It’s important to mention that the eradication steps you implement will depend on the type of attack that occurred.

But, some key tips for this step are…

  1. Identify the Root Cause: Determine the exact cause of the breach, such as specific vulnerabilities or compromised accounts, to ensure an understanding of all sources of the incident.

  2. Remove Malware and Fix Vulnerabilities: Eliminate any malware found and patch vulnerabilities to prevent the incident from recurring.

  3. Update Security Policies and Tools: Revise security policies, update software, and strengthen security tools based on the insights gained from the incident.

  4. Secure Network Boundaries: Reinforce network boundaries by enhancing firewall and network segmentation strategies to secure the environment.

  5. Validate System Cleanliness: Conduct comprehensive scans and tests to confirm that all threats are fully removed and systems are in a secure state.

These steps outline the eradication process, aiming to thoroughly remove any traces of the incident and fortify the system against future breaches.

Step 5: Recovery

Phew! You’ve fended off the attack and patched the exploited vulnerabilities, what happens next?

Well, after a short moment of being happy that your organization implemented an incident response plan, it’s time to recover any lost data.

During this step, you should focus on restoring your systems and databases to their ‘normal’ operations.

Doing so won’t be as hard, since in Step 2 the organization gathered a repository of ‘normal’ system behavior to compare against. This will streamline the recovery phase.

Step 6: Documentation

Your organization has just finished the recovery process and ensured that all systems function properly. Some might think that now would be a good time to pack up shop and head home, but there’s still work to do.

Maintaining a detailed record of the incident will enable you to go back and review what worked, what didn’t, and what preventative steps to take in the future.

Documenting the actions taken during the incident response process is also crucial for legal purposes. It also helps with any internal audits that take place after.

Think of this step as watching a film after a game or performance.

Step 7: Lessons Learned

After completing the bulk of the incident response steps, there’s still one more thing left to do to keep improving the plan.

You should conduct a post-incident review to analyze all of the steps taken during the incident to see what worked and what didn’t.

At a minimum, this step should include hosting a meeting with upper management and talking through the data that you collected during the Documentation step. Based on the data collected, you should be able to talk through what worked and what didn’t.

After collaborating with management, you’ll likely identify some gaps in the incident response plan that you executed during the breach that occurred. That’s a good thing! You should fill in the gaps with better processes so that your updated incident response plan is that much more bulletproof.
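The Documentation and Lessons Learned steps both rest on a timestamped record of what was done and when. As an added example (not from the original post), the Python below takes such a record, structured as one entry per action with the incident phase it belongs to, and turns it into the numbers a post-incident review meeting would talk through: when each phase was first reached, how long after identification each phase began, and which phases have no record at all. The incident entries, phase names and role labels are constructed for the example.

```python
from datetime import datetime

# The seven steps of the post, in order; "preparation" happens before any incident,
# so the record tracks the phases that occur once an incident is underway.
PHASE_ORDER = ["identification", "containment", "eradication",
               "recovery", "documentation", "lessons_learned"]

# Constructed example incident record: (timestamp, phase, note). Not a real incident.
INCIDENT_LOG = [
    ("2024-03-07T02:14:20Z", "identification", "Security analyst: unusual login source flagged"),
    ("2024-03-07T02:40:00Z", "containment", "IT specialist: account disabled, host isolated"),
    ("2024-03-07T09:15:00Z", "eradication", "Tech lead: credentials rotated, patch applied"),
    ("2024-03-07T09:30:00Z", "containment", "IT specialist: monitoring increased on segment"),
    ("2024-03-08T11:00:00Z", "recovery", "IT specialist: host rebuilt and returned to service"),
    ("2024-03-08T12:00:00Z", "documentation", "IR manager: incident record finalized"),
    ("2024-03-12T15:00:00Z", "lessons_learned", "IR manager: post-incident review held"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def phase_timeline(entries):
    """First timestamp at which each phase was reached; unknown phase names are rejected."""
    reached = {}
    for ts, phase, _note in entries:
        if phase not in PHASE_ORDER:
            raise ValueError(f"unknown phase {phase!r}")
        reached.setdefault(phase, parse_ts(ts))
    return reached


def hours_after_identification(entries):
    """Hours from identification to the start of each later phase, rounded to 0.1 h."""
    reached = phase_timeline(entries)
    if "identification" not in reached:
        raise ValueError("record has no identification entry")
    start = reached["identification"]
    return {p: round((reached[p] - start).total_seconds() / 3600, 1)
            for p in PHASE_ORDER if p in reached}


def missing_phases(entries):
    """Phases with no entry at all: a gap in the record, or a step that was skipped."""
    reached = phase_timeline(entries)
    return [p for p in PHASE_ORDER if p not in reached]


def render_review(entries):
    """Plain-text summary for the lessons-learned meeting."""
    lines = ["Hours after identification:"]
    for phase, hours in hours_after_identification(entries).items():
        lines.append(f"  {phase:<16} {hours:>7.1f}")
    gaps = missing_phases(entries)
    lines.append("Phases with no record: " + (", ".join(gaps) if gaps else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_review(INCIDENT_LOG))
```

On the constructed record, containment began about half an hour after identification and recovery about 33 hours after it, which are the kind of figures to compare against the targets in the plan; the review also shows the second containment entry does not move the phase's start time, so later actions in an already-reached phase do not distort the metrics. Dropping the last entry from the record makes lessons_learned show up as a missing phase, which is the simplest check that the plan was actually followed to the end.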

Conclusion

An incident response plan is crucial for effectively responding to cybersecurity incidents.

These plans enable an organization to…

  • Prepare for the unknown

  • Continuously improve its security posture

  • Expose gaps within the organization

  • Allow for a team to be properly identified for handling the response to an incident

The law doesn’t require upholding and maintaining an incident response plan. Yet, having one in place is a best practice for managing and mitigating the impact of security incidents.

It also helps keep you informed about the specific regulations that are relevant to your industry and geographic location as these requirements can evolve.

Incidents are expensive. Don’t let the reason your company lost thousands of dollars be the lack of an incident response plan. There are many templates and resources out there that can help with the creation and implementation of said plan.

An incident response plan with sound steps in place helps your organization become more resilient and establish a sound cybersecurity environment within your workforce.