Developing a Cyber Incident Response Plan for Small and Midsize Business
Regardless of all the measures and controls businesses have in place to help manage their IT risk, businesses are quickly learning that it’s not a matter of if they will be dealing with a cyber attack, but when.
Organizations commonly plan for possible scenarios. A fire plan is a perfect example. The likelihood of a business dealing with a cyberattack has become one of the most likely scenarios a business will deal with, so it’s important for businesses to prepare for this exact crisis.
ourCIO serves as executive level technology leaders and digital advisors for small and midsize businesses (SMEs). Building a Cyber Incident Response Plan (IR Plan) often seems overwhelming to SMEs so lots of businesses simply neglect to get started on building one. These same businesses find themselves devastated by a cyber incident and absolutely lost on what todo. Critical systems are down, access to important data is lost, operations halt, income is impacted, and they burn valuable cycles trying to figure out where to begin.
A Cyber IR plan is unique to the specifics of an organization. It can also be right sized to the organization. In other words ,it does not need to be elaborate, but it needs to provide you with the foundation to successfully respond and recover from a cyber attack. It needs to provide you with the steps to survive.
A small and midsize businesses Cyber IR Plan should identify the following:
1. Those within the organization who will be involved in the response. This is often referred to as the Incident Response Team(IR Team). The members of the IR Team need to know what they are responsible for. The roles and responsibilities of each member should be identified and defined within the plan. The plan should revolve around this team meeting regularly, discussing important items and making joint decisions, and taking these decisions and activities away and executing on them. Roles will be unique to an organization, but it’s common to have a Team Lead, a Backup Team Lead, a Technical Lead, a Communication Lead, a Financial Officer, a Privacy Offer and Legal Counsel identified.
2. An IR Plan should also identify key stakeholders and partners, and their contact information. This list will also be unique to every organization. A key partner may include 3rd party IT services or Incident Response services.
3. If a business has a cyber insurance policy, it is important to include those details in the plan too. Businesses need to identify when they need to notify their cyber insurance provider. Several policies include access to response services such as breach counsel, incident response teams, forensics teams and more. A policy may expect that they are engaged early, and may require a business engage services through the policy and not their own. This is valuable to have sorted out ahead of an incident.
4. A crucial piece to a Cyber IR plan are the specific plans for key functions. We refer to these as workstreams. Preparing workstreams is also unique to every organization, but having a planned Technology workstream, Communication workstream and Business Continuity workstream are a given, and also likely is the need for Legal & Compliance workstream.
The graphic at the top of this article highlights the key components of a Cyber Incident Response Plan and details related to common workstreams for SMEs. A downloadable reference card can be accessed here.
People, processes and technology are constantly changing in businesses, so organizations also need to develop an appreciation that their Cyber IR plan will become obsolete if it is not maintained. Plans should be routinely reviewed and updated. For most SMEs, this can be conducted annually.
The most important step organizations can take after creating a plan, is to test it. Test it to make sure the plan covers important activities. Also test as a tool to prepare staff for going through a real cyber incident. Running a tabletop exercise that includes the IR Team and representation from all functions within a business is important. Some level of participation with key 3rd parties may help better prepare for the day a real cyber incident transpires as well. These are mock exercises and don’t require disrupting business activities. For most SMEs, it’s a strong consideration to run these exercises annually, which can often align with the annual review and refresh of the IR plan.
If you are concerned your business may fall short of having an appropriate and valuable Cyber Incident Response plan in place, or any other cybersecurity measures and controls to help manage your IT risk, you can access an executive level IT leader and digital advisor to help you understand this better.