Data breaches are on the rise, so it is a good idea to develop an incident response plan in case your business becomes the next victim. Here are seven best practices to follow when creating and using an incident response plan.
The news is not good — 2017 is the worst year ever for data breaches, according to security researchers. In the first nine months of 2017, over 3,800 breaches were reported, resulting in more than 7 billion records being exposed. And there is no indication that the record pace of data breaches is going to slow down.
Because data breaches are becoming common, it is a good idea to develop an incident response plan in case your business falls victim to one. Organizations use incident response plans to document the steps they will follow in the event of a data breach or another type of data security threat. The steps vary depending on the type and severity of the threat, but they often include initial containment, threat elimination, recovery, incident notification, and post-incident review.
Here are seven best practices to follow when creating and using an incident response plan:
Identify the Data That Is Most Important to Protect
Most small and midsized businesses use and store a lot of data, but they have limited resources to protect it. If that is the case at your company, it is important to take stock of your data before developing an incident response plan. You should identify which data is critical to your business operations (e.g., sales databases) and which data contains personal information (e.g., payroll records). With this knowledge, you will know which data needs the most protection in the event of a data breach.
Make the Plan Easy to Implement
Your incident response plan needs to be easy to implement if a data breach occurs. Thus, it needs to include specific procedures to follow rather than general directives. According to the Cybersecurity Unit at the U.S. Department of Justice, the procedures should, at the minimum, address the following items:
- Who has primary responsibility for each step (e.g., initial containment, threat elimination, recovery) in the incident response plan, and how to contact them, day or night
- How to proceed if those individuals are unreachable, including who will serve as their backup and how to reach them
- Which data needs the greatest protection (i.e., mission-critical data and data containing personal information)
- How to preserve data related to the breach in a forensically sound manner
- What criteria to use to determine who should be notified about the data breach (e.g., affected customers, the general public)
- When and how to notify law enforcement and cyber-incident reporting organizations
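The list above asks that breach-related data be preserved in a forensically sound manner. One concrete way to do that is an evidence manifest: every preserved file is hashed and recorded with its size, collection time and collector, so that anyone can later show the copies were not altered. The script below is an added example written for this article, not code from the Department of Justice or any tool the article mentions; the file names, log lines, collector name and case id are constructed placeholders.

```python
"""Added example: an evidence manifest for preserving breach-related data.
Each preserved file is hashed (SHA-256) and recorded with its size, a UTC
timestamp and the collector's name, so the manifest can later show that the
copies were not altered. File names, collector and case id below are
constructed placeholders, not values from any real incident."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images or logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record path, size, hash, collection time and collector for every evidence file."""
    entries = []
    for path in sorted(paths):
        entries.append({
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"case_id": case_id, "entries": entries}


def verify_manifest(manifest):
    """Return (path, reason) for every entry that is missing or whose hash changed."""
    problems = []
    for entry in manifest["entries"]:
        path = entry["path"]
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((path, "modified"))
    return problems


def demo():
    """Preserve two constructed log files, then show that a later edit is detected."""
    workdir = tempfile.mkdtemp()
    auth_log = os.path.join(workdir, "auth.log")
    web_log = os.path.join(workdir, "webserver.log")
    with open(auth_log, "w") as fh:   # constructed sample content
        fh.write("Nov 12 03:14:07 host sshd[4211]: Accepted password for jdoe from 203.0.113.45\n")
    with open(web_log, "w") as fh:    # constructed sample content
        fh.write('203.0.113.45 - - [12/Nov/2017:03:15:02 +0000] "GET /admin HTTP/1.1" 200 512\n')

    manifest = build_manifest([auth_log, web_log], "analyst-placeholder", "CASE-PLACEHOLDER")
    with open(os.path.join(workdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    clean = verify_manifest(manifest)          # empty while nothing has been touched

    with open(web_log, "a") as fh:             # simulate someone editing the copy
        fh.write("extra line\n")
    return clean, verify_manifest(manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before)
    print("after edit:", after)
```

In practice the manifest itself should be stored separately from the evidence (and ideally signed or printed and initialled) so that the record of the hashes cannot be changed along with the files.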
Do Not Reinvent the Wheel
You do not have to create your incident response plan from scratch. These documents have been around for years, so there are many resources available that can help you create your plan.
For example, the Incident Response Policies and Plans resources page on the Incident Response Consortium website provides free guides you can download. Similarly, the American Institute of Certified Public Accountants (AICPA) has a free incident response plan template you can download and adapt for use in your company. You can find this very detailed incident response plan by going to the AICPA website and searching for "incident response plan".
Make Sure the Incident Response Plan Aligns with Other Plans and Policies
Some of the material in your incident response plan will likely overlap with the information in other plans. For example, how you intend to recover from a data breach will also be discussed in your disaster recovery plan. As a result, you need to make sure the information in the two plans aligns.
Similarly, you should review IT and other company policies (e.g., incident reporting policy) to make sure they align with the incident response plan. During this review, you might even want to make sure that you have policies in place that will help prevent data breaches. For instance, some data breaches are instigated by former employees. To help prevent such breaches, you might want to have a policy that requires IT or HR staff to deprovision former employees’ user accounts and group memberships immediately after they leave.
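A deprovisioning policy is only useful if someone checks that it was followed. The script below is an added example, not part of the article or of any product it names: it reconciles an HR list of departures against an export of directory accounts and reports departed users whose accounts are still enabled or still hold group memberships. The HR list, directory export and reference date are constructed sample data, and the field names are assumptions about how such an export might look.

```python
"""Added example: find departed employees whose accounts were not deprovisioned.
The departures list and directory export below are constructed sample data;
field names are assumptions, not the format of any particular directory."""
from datetime import date

# Constructed: what HR reports as each departing employee's last working day
HR_DEPARTURES = [
    {"user": "jdoe", "last_day": "2017-10-31"},
    {"user": "asmith", "last_day": "2017-11-15"},
    {"user": "bwong", "last_day": "2017-12-20"},   # still employed on the reference date
]

# Constructed: a simplified export of user accounts from the directory
DIRECTORY = [
    {"user": "jdoe", "enabled": True, "groups": ["Sales", "VPN Users"]},
    {"user": "asmith", "enabled": False, "groups": ["Finance"]},
    {"user": "bwong", "enabled": True, "groups": ["Engineering"]},
    {"user": "cnguyen", "enabled": True, "groups": ["IT Admins"]},
]


def find_deprovisioning_gaps(departures, directory, today):
    """Return one finding per departed user whose account is still enabled
    or still belongs to any group. Users whose last day has not passed,
    and users whose account no longer exists, are not reported."""
    accounts = {acct["user"]: acct for acct in directory}
    findings = []
    for dep in departures:
        last_day = date.fromisoformat(dep["last_day"])
        if today <= last_day:
            continue                       # departure has not taken effect yet
        acct = accounts.get(dep["user"])
        if acct is None:
            continue                       # account already removed: nothing to do
        issues = []
        if acct["enabled"]:
            issues.append("account still enabled")
        if acct["groups"]:
            issues.append("still a member of: " + ", ".join(acct["groups"]))
        if issues:
            findings.append({
                "user": dep["user"],
                "days_since_departure": (today - last_day).days,
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for finding in find_deprovisioning_gaps(HR_DEPARTURES, DIRECTORY, date(2017, 12, 1)):
        print(f"{finding['user']} ({finding['days_since_departure']} days): "
              + "; ".join(finding["issues"]))
```

Running this on a schedule, with the real HR feed and a real directory export, turns the policy in the paragraph above into a check that catches the accounts that slipped through.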
Test and Update the Incident Response Plan
It is important to initially test the incident response plan to discover any problems, such as missing steps or incorrect phone numbers. One way to do this is to hold a data breach drill, much like you would hold a fire drill. You might also consider conducting these drills periodically to help identify needed updates to the plan. These drills will also allow your staff to learn and practice the process, which will lead to a faster response time in the event of an actual breach.
At the very least, you should review your incident response plan once a year to make sure it is up to date. If changes are made to it, you will need to share those changes with the appropriate staff.
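A drill is the best test, but some of the problems mentioned above (missing steps, unreachable or duplicated contacts, bad phone numbers, a plan nobody has reviewed in a year) can be caught by a mechanical check before the drill. The script below is an added example, not from the article or from the Department of Justice guidance it cites: it represents the plan as a small data structure and checks it against the items listed under "Make the Plan Easy to Implement". The plan contents, names and 555 phone numbers are constructed, and the structure is an assumption about how a plan might be recorded.

```python
"""Added example: a mechanical check of an incident response plan against the
items the article lists. The plan below is constructed sample data with
deliberate defects; names and 555 phone numbers are fictional."""
import re
from datetime import date

# Steps the article says a plan usually includes
REQUIRED_STEPS = ["initial containment", "threat elimination", "recovery",
                  "incident notification", "post-incident review"]
# Sections the DOJ list says a plan should address (keys are this example's own)
REQUIRED_SECTIONS = ["critical_data", "evidence_preservation",
                     "notification_criteria", "law_enforcement_contacts"]
PHONE_RE = re.compile(r"^\+?\d{10,15}$")


def valid_phone(number):
    """Accept 10 to 15 digits with an optional leading +, ignoring separators."""
    return bool(PHONE_RE.match(re.sub(r"[\s\-().]", "", number or "")))


def validate_plan(plan, today):
    """Return a list of human-readable problems; an empty list means the plan passed."""
    problems = []
    steps = plan.get("steps", {})
    for name in REQUIRED_STEPS:
        step = steps.get(name)
        if step is None:
            problems.append(f"missing step: {name}")
            continue
        for role in ("owner", "backup"):
            person = step.get(role)
            if not person:
                problems.append(f"{name}: no {role} assigned")
                continue
            if not valid_phone(person.get("phone")):
                problems.append(f"{name}: {role} {person.get('name', '?')} has an invalid phone number")
        if step.get("owner") and step.get("backup") and \
                step["owner"].get("name") == step["backup"].get("name"):
            problems.append(f"{name}: owner and backup are the same person")
    for key in REQUIRED_SECTIONS:
        if not plan.get(key):
            problems.append(f"plan does not address: {key}")
    reviewed = plan.get("last_reviewed")
    if reviewed is None or (today - date.fromisoformat(reviewed)).days > 365:
        problems.append("plan has not been reviewed in the last year")
    return problems


# Constructed sample plan with four deliberate defects
SAMPLE_PLAN = {
    "steps": {
        "initial containment": {"owner": {"name": "Alex Park", "phone": "+1 555 010 0101"},
                                "backup": {"name": "Sam Rivera", "phone": "+1 555 010 0102"}},
        "threat elimination": {"owner": {"name": "Sam Rivera", "phone": "+1 555 010 0102"},
                               "backup": {"name": "Alex Park", "phone": "+1 555 010 0101"}},
        "recovery": {"owner": {"name": "Alex Park", "phone": "+1 555 010 0101"}},   # no backup
        "incident notification": {"owner": {"name": "Dana Lee", "phone": "555-0100"},  # too short
                                  "backup": {"name": "Alex Park", "phone": "+1 555 010 0101"}},
        "post-incident review": {"owner": {"name": "Dana Lee", "phone": "+1 555 010 0103"},
                                 "backup": {"name": "Sam Rivera", "phone": "+1 555 010 0102"}},
    },
    "critical_data": ["sales database", "payroll records"],
    "evidence_preservation": "image affected hosts; hash and log every copy",
    "notification_criteria": ["affected customers", "regulators where required"],
    "law_enforcement_contacts": [],          # never filled in
    "last_reviewed": "2016-06-01",           # stale on the reference date
}


if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN, date(2017, 12, 1)):
        print("-", problem)
```

Run this whenever the plan document changes; it does not replace a drill, but it keeps the obvious omissions from surviving until the day the plan is actually needed.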
Stay Calm and Follow the Plan If a Breach Occurs
Discovering and dealing with an actual data breach can be stressful and even frightening. If one occurs at your company, remain calm and follow the incident response plan. You took the time to create and test the plan, so let it guide you through the steps that need to be performed.
Do Not Fix and Forget
After you have fixed all the problems caused by a data breach, you might want to forget about the whole ordeal and get back to your normal routine. You need to resist this urge. It is important to:
- Continue monitoring your systems for any suspicious activity to make sure the intruder has not returned
- Be on the lookout for any new incidents
- Conduct a post-incident review to identify any problems encountered when executing the incident response plan
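The first item above, watching for the intruder's return, is easiest when the review has produced a short watchlist: the accounts that were involved in the breach and the sources the activity came from. The script below is an added example written for this article, not code from any product it names: it scans authentication log lines for successful logins by watchlisted accounts, successful logins from sources tied to the incident, and repeated failed logins against one account from one source. The log lines, user names and IP addresses (from documentation ranges) are constructed, and the sshd-style line format is an assumption.

```python
"""Added example: post-incident monitoring of authentication logs.
Log lines, user names and IP addresses below are constructed sample data;
the sshd-style format is an assumption about the log source."""
import re
from collections import Counter

# Constructed: accounts and sources identified during the incident review
WATCHLIST_USERS = {"jdoe"}
INCIDENT_SOURCES = {"203.0.113.45"}

# Constructed sample log lines (sshd-style)
LOG_LINES = [
    "Dec  1 08:02:11 fileserver sshd[2201]: Accepted publickey for bwong from 192.0.2.10 port 50122 ssh2",
    "Dec  1 08:05:40 fileserver sshd[2210]: Failed password for admin from 203.0.113.45 port 51010 ssh2",
    "Dec  1 08:05:43 fileserver sshd[2210]: Failed password for admin from 203.0.113.45 port 51010 ssh2",
    "Dec  1 08:05:47 fileserver sshd[2210]: Failed password for admin from 203.0.113.45 port 51010 ssh2",
    "Dec  1 09:12:03 fileserver sshd[2302]: Accepted password for jdoe from 198.51.100.7 port 40211 ssh2",
    "Dec  1 23:41:19 fileserver sshd[2455]: Accepted publickey for bwong from 203.0.113.45 port 52077 ssh2",
    "Dec  1 23:42:00 fileserver cron[2460]: (root) CMD (run-parts /etc/cron.hourly)",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def scan_auth_log(lines, watchlist_users, incident_sources, fail_threshold=3):
    """Return alerts in the order the triggering lines were seen.
    Failed logins are counted per (user, source) and alerted once at the
    threshold; successful logins are checked against the watchlists."""
    alerts = []
    failures = Counter()
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue                     # not an sshd authentication event
        user, ip, result = match["user"], match["ip"], match["result"]
        if result == "Failed":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == fail_threshold:
                alerts.append({"rule": "repeated_failures", "user": user,
                               "source": ip, "count": fail_threshold, "line": line})
            continue
        if user in watchlist_users:
            alerts.append({"rule": "watchlisted_account", "user": user,
                           "source": ip, "line": line})
        if ip in incident_sources:
            alerts.append({"rule": "known_incident_source", "user": user,
                           "source": ip, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in scan_auth_log(LOG_LINES, WATCHLIST_USERS, INCIDENT_SOURCES):
        print(f"{alert['rule']}: user={alert['user']} source={alert['source']}")
```

The watchlist is the link between the post-incident review and the monitoring that follows it: every account or source the review adds to the list becomes something the scan will report the next time it appears.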
Help Is Available If Needed
Developing and testing an incident response plan can be a daunting task, given the importance and complexity of this document. If you do not have the resources or expertise to create an incident response plan on your own, consider getting help. We can guide you through the process and make sure that you have an actionable plan you can use if your business becomes a data breach victim.