Opinions expressed in AGB blogs are those of the authors and not necessarily those of the institutions that employ them or of AGB.
Despite every best effort to defend your organization against cyber attacks, a security professional knows that their job is never done and that no cyber defense solution is 100 percent foolproof. Therefore, it is essential to have a comprehensive cybersecurity incident response plan in place to define the proper strategy and operational execution for an efficient organizational response. Whether you are just beginning, or you already have a plan in place, consider the following three recommendations to further strengthen your response strategy.
1. Develop a centralized plan.
There are many roles in an organizational structure that come together to respond to a cyber incident. Often, organizations develop a plan for the IT department but may not consider executive roles. Other organizations may leave different groups to their own plans and not define a common set of standards or a reporting structure. An efficient organizational response requires definition of a centralized incident response structure that includes all roles necessary, from the board level on down, to respond to a cyber incident. Once the structure is defined, additional consideration should be given to establishing response standards with centralized communications for coordination within an established chain of command. Neglecting to define a centralized plan may result in a disjointed response during an actual incident, leading to increased loss costs; inconsistent and potentially late stakeholder, client, and regulatory communications; and negative reputational impact.
2. Inventory your systems and data.
Also critical to incident response planning is having a full understanding of your environment. Your incident response plan should include a process to regularly inventory all systems and data within the environment, including maps and flow of data. Systems should then be classified according to their importance and potential impact to the organization. Then, within your plan, classify incident severities and enhance decision points based on criticality of assets affected. Consideration should also be given to alternatives for maintaining critical business processes during an incident. Without a detailed view of systems and data, your organization may face increased costs and delays when it comes to incident response efforts.
3. Practice regularly.
Athletes who perform their best have practiced to the point that their actions are almost automatic, requiring little thought. Likewise, organizations that are the most resilient are those that have practiced to the point that their response strategy is fine-tuned. Tabletop exercises are the method of practice that helps an organization reach increased levels of proficiency. Your incident response strategy should include, at a minimum, annual tabletop exercises that include meaningful participation of all relevant roles defined within your plan. A recent study by the Ponemon Institute states, “Organizations…who have formed incident response (IR) teams and tested their incident response plans saw an average total cost of a data breach that was $2.46 million less than organizations that experienced a breach without an IR team or a tested IR plan.”
Cyber insurance carriers know the importance of a tried-and-tested incident response. When evaluating your organizational risk, your carrier will want to understand if you have a plan and have appropriately tested it recently. If you are just starting out, your carrier may provide support and resources to help develop a plan.
Daniel Wilson is a cyber risk advisor, North America, at AIG, an AGB sustaining partner.