Incident Response Plans

I’m sure you’ve heard the saying, “Hope for the best, but expect the worst.” I’d like to offer the IT incident response version, “Hope for the best, but plan for the worst.”

Unfortunately, examples of the worst are all around us: patient data stolen from healthcare organizations, customer data stolen from large corporations, social security numbers stolen from the federal government, and even client details stolen from an adultery website. Hackers aren’t just looking for information they can sell; they want embarrassing data, corporate strategy, product research or other sensitive data. Any company using the internet is at risk.

Whatever the threat, organizations must devise and deploy the most effective incident response program they can. We must ensure that our organizations are able to handle breaches quickly and effectively, limiting the damage and, where possible, identifying the intruder.

Incident response plans should include the following steps:

Identify and Document the Breach
Identifying a breach may sound too basic to mention. After all, wouldn’t you know when a breach has occurred? You’d be surprised at how many companies have had software in place to detect breaches but failed to act when the alert went off. Hackers can siphon targeted data in seconds, but they can also stay in your systems for weeks or months, mining as much data as possible, which is why an ignored alert is so costly.

As soon as you know someone has breached your security, determine the exact nature of the attack and what data was targeted. Designate a person to document the initial assessment: a timeline of events, who noticed what, where the attack originated, what data was breached, which processes and connections were running on the affected systems, and anything else that occurred during the breach. Running processes and open connections disappear the moment a machine is rebooted or shut down, so capture them before any cleanup starts. The person keeping this record should be as detailed as possible.
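Capturing the running processes and connections mentioned above has to happen before they change, so responders usually script it. The following is an added example, not code from the original post: a small POSIX shell triage collector that writes each item to an evidence directory and hashes the files into a manifest so the record can later be shown to be unchanged. The tool names (ss, netstat, ps, who, uptime), the file layout and the function names are assumptions; a tool missing on the host is noted in the record rather than treated as an error.

```shell
#!/bin/sh
# Volatile-state capture for the initial incident record (added example,
# not from the original post). Assumes standard Unix tools; any tool that
# is absent is recorded as missing instead of aborting the capture.

# run_capture NAME COMMAND...  -> writes COMMAND's output to $EVIDENCE_DIR/NAME.txt
run_capture() {
    name="$1"; shift
    out="$EVIDENCE_DIR/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        # A non-zero exit is noted in the file rather than lost; the partial output is still evidence.
        "$@" > "$out" 2>&1 || echo "[$name] exited with status $?" >> "$out"
    else
        echo "[$name] tool '$1' not available on this host" > "$out"
    fi
}

# collect_volatile DIR  -> populates DIR and returns 0 on success
collect_volatile() {
    EVIDENCE_DIR="$1"
    mkdir -p "$EVIDENCE_DIR" || return 1

    # Record who captured what and when; UTC avoids time-zone ambiguity in the timeline.
    {
        echo "captured_at_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "host=$(hostname 2>/dev/null || echo unknown)"
        echo "captured_by=$(id -un 2>/dev/null || echo unknown)"
    } > "$EVIDENCE_DIR/00_capture_metadata.txt"

    # Most volatile first: connections and processes change by the second.
    if command -v ss >/dev/null 2>&1; then
        run_capture 10_network_connections ss -tunap
    else
        run_capture 10_network_connections netstat -tunap
    fi
    run_capture 20_processes ps auxww
    run_capture 30_logged_in_users who
    run_capture 40_uptime uptime

    # Manifest: hash every captured file so later tampering or accidental edits are detectable.
    ( cd "$EVIDENCE_DIR" && sha256sum [0-9]*.txt > manifest.sha256 )
}

# verify_evidence DIR  -> 0 only if every captured file still matches the manifest
verify_evidence() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}
```

Run it as `collect_volatile /evidence/host01-$(date -u +%Y%m%dT%H%M%SZ)` from the affected host as early as possible, copy the directory off the machine, and keep the manifest with the timeline; `verify_evidence` on the copy confirms the files are the ones originally captured.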

Mitigate the Damage of an Attack
Effectively mitigating the damage is possible only if you’ve planned thoughtfully before an attack occurs. You need an up-to-date system backup that can be restored at a moment’s notice, kept offline or otherwise out of the attacker’s reach, since intruders routinely go after backups too. A clean backup lets you shut down the compromised portions of your system and restore them quickly. Bear in mind, though, that a restore only helps if the backup predates the compromise and the attacker’s entry point has been closed; otherwise the restored system is simply breached again. During this process, no one should send any communication through the affected systems until they are once again secure, because the intruder may be reading it. A secondary communication channel should be set up in advance for use during this timeframe.

Diagnose the Source
After you have identified the attack, documented the specifics, and mitigated the damage, a security professional can diagnose the source of the attack: the entry point, the accounts and systems involved, and how far the intruder reached. With this information, you can quickly identify who should be notified and what information should be shared.

Notify Appropriate Individuals
Every organization will approach notification in its own way, but having a communications plan in place is a practical first step. The plan should specify which staff members are responsible for notifying law enforcement, other individuals in the company, and anyone affected outside the company, and it should take account of any breach-notification deadlines that apply to your industry or jurisdiction. These are decisions that should not have to be made in haste during an attack. Key members of the response team should be reachable even when systems are down, so create clear lines of communication before an incident occurs. A thoughtful, comprehensive plan can make this process effective and beneficial for everyone involved, particularly when customers are affected.

Correct the Flaws in the System
To ensure that similar breaches don’t occur in the future, you must correct the underlying flaws in your system. Start an extensive review of the breach as soon as the event is over. The review should identify the strengths and weaknesses of your system so that you can make necessary adjustments and plan against future attacks.

The review, however, should cover more than the details of the breach. It should also assess how well the incident response plan worked. Reviewing the staff’s response can improve the effectiveness of the current plan and provide feedback for updating it. Keep in mind that the faster the response, the less ground intruders can cover before they are identified and shut out.

Silver Linings
Although no one wants a security breach, the silver lining is that organizations can learn many positive lessons from a breach, lessons that result in fewer problems in the future. My best advice, however, is to make it as difficult as possible for someone to breach your security and to develop a comprehensive plan of action if they do. But don’t stop there. Educate your staff members about the importance of their roles in preventing security breaches, as well as their roles and responsibilities if the worst happens.
