Every day, cyber criminals are trying to break into your network, and security vulnerabilities make it easier than you probably care to believe. Those security threats and vulnerabilities, and the incidents and cyber breaches that they lead to, affect organizations large and small, across every industry. So, how do you stop it? Well, you’ve got to keep your IR on the ball.
Why a Cyber Incident Response plan is necessary
Is it really necessary to have a Cyber Incident Response plan in place? The answer: YES. Today, more and more organizations are realizing the necessity of having a plan for potential security incidents built into their business strategy, and it’s not a passing phase.
When your organization is breached, three things are at stake: The reputation of your organization, your revenue, and perhaps the most important thing, your customer trust. It’s imperative that any incident—large or small—has a plan in place to mitigate any potential risks. A well-documented IR plan helps organizations respond quickly by:
- Streamlining decisions
- Outlining processes
- Defining use of the technologies available
Even with the myriad of security tools we have at our disposal today, cybercriminals are still able to penetrate our networks. When it comes down to it, networks, software, and end users can only reach a certain level of cyber resilience. Oversights will still happen and mistakes will still be made—we are, after all, only human. What really matters is what you have done on the front end to minimize the impact of a security incident on your organization. That’s why having an IR plan in place—as well as a security team and proper tech—is essential for being able to respond to threats in a quick and professional manner. Speaking of teams…
Build your team
Any good IR plan starts with a strong team behind it. However, it’s not just your security team that makes up the IR plan! The plan should be discussed and created by a cross-functional group of key players from different areas of the business, including security and IT, operations, legal–and oftentimes, HR, and public relations/comms. The reason for this is to ensure that all areas of decision-making are represented, and the best interests of the organization are kept in mind. The team’s goal, as always, is to detect and respond to security incidents in order to minimize impact on the business.
The basic steps of building your team are:
- Build a core technical group.
- Establish cross-functional members.
- Decide whether third-party help is needed.
- Create roles and responsibilities.
Who’s who and core functions
Know that depending on your organization, goals, and people, your team and roles and responsibilities may differ. In fact, if you search, “IR team roles and responsibilities,” you’ll get several different layouts. There are no hard and fast rules regarding who should be involved. Regardless of how a team looks, the goal is the same: to prepare for and address incidents across the organization.
The core group listed below is representative of the people in your organization that maintain direct responsibility for the incident. Note that this is NOT a large team. By maintaining a small team, movements become more agile and you’re able to make decisions faster. Although a small team is not a requirement, it’s a best practice to have a tight and nimble core, and branches to other connections for when stakeholders and additional decision-makers are necessary. Your core group should include:
- Incident Response Manager: Oversees and prioritizes actions. They are the leader of the team, and are responsible for conveying the needs of high-severity incidents to the rest of the team.
- Security Analysts: Work directly with the affected network to research the details of an incident.
- Threat Researchers: Complement security analysts by providing threat intel and context for an incident. They may be required to build and maintain a database of internal threat intelligence.
Why legal, HR, comms, etc.? Why is it important to have representatives from those areas on the IR team? When it comes to incident response, diversity in skills and specialization is exceedingly important. Note that the functional members of this team will differ based on the organization type, as well as business model, technology landscape, and even corporate culture of your organization. The NIST recommends functional members be from the following:
- Human Resources
- IT support
- Management and executives
- Public/media relations
- Physical security and facilities
- Business continuity/disaster recovery
Depending upon your organization, you may want to include others.
The advantage to having both a core team, and a functional team, is that proper representation is present throughout the entirety of the incident. All stakeholders should be looped directly into all phases of your response plan. Communication is key, as it ensures things run smoothly.
More on developing your IR plan in part 3!