There’s a lot of noise in the market about Security Incident Response Planning. It’s increasingly on the Board’s agenda and a strategic imperative for CISOs, as well as the tactical means of managing and mitigating cyber risk.
It’s a critical time in cyber security: breaches, simple or complex, are affecting everyday Australians and putting organisations, brands, customers and their data assets at risk of exploitation and attack.
This heightened state of panic is driving leaders towards insurance companies as a way of covering the financial impact of a successful malicious cyber attack.
Insurers need assurance of clearly documented and road-tested processes and protocols, so they may ask for a Security Incident Response Plan that demonstrates well-considered strategies, teams and tactics to prepare for, detect, remediate, recover from and learn from cyber incidents in a structured way.
What should a Cyber Incident Response Plan include?
Your plan should be a detailed set of tools and procedures to ensure an effective and prompt response in the event of an attack or breach. It also needs to be aligned to and support other emergency response and Business Continuity Plans across your organisation.
If you already have plans in place, it’s time to review them. Engage a team to understand, craft, review, test, adjust and re-test all plans to ensure stakeholders are equipped and able to meet legal and regulatory obligations. And be ready to execute accordingly.
There’s a great template available via the Australian Cyber Security Centre (ACSC) which should help you to start the thinking. And it’s always worth talking to an expert to craft a plan which works for the people, tools and resources you have at your disposal.
Understand your threat landscape
Take the time to analyse and understand the common threat vectors for your industry.
- Talk to industry peers and research industry trends to anticipate future threats and changes in the landscape.
- Undertake a retrospective of historical data across your organisation to observe changes in threats and risks.
- Determine and rate the highest risks for your operation: is it malicious attackers? Insider threats? Phishing? Ransomware? Data breach? Or something else?
Define your stakeholder and technical leads
Build your ‘A’ Team of people and allocate roles and responsibilities – and don’t forget to communicate those clearly.
- Who are your first-line responders?
- Who are your stakeholders?
- Do you have a cross section of skills?
- Where are the gaps?
- Define a team of operational champions and executive sponsors
- Build two teams – your CIRT (Cyber Incident Response Team) and your Senior Executive Management Team (SEMT).
- Assign roles and responsibilities
- Remember to include the roles of Legal, Finance, Procurement, Communications, Governance and Vendors too.
Know who says what, to whom and when
Communications are critical in minimising the impact of any cyber incident.
- Look at internal and external communications plans
- Who needs to know?
- Which channels will you use?
- What are your backup channels?
- Who are your spokespeople and are they media trained?
- How will your front-of-house team manage support? Have they been trained to deal with emergency response situations?
- Who are the key points of contact?
- Who is the contact for your insurer, who will communicate with them, and how often?
When it comes to planning and crafting communications, make sure they cover: 1) what has been impacted; 2) the action being taken; 3) who the support teams are; 4) the key points of contact; 5) next steps and timeframes for resolution.
Create cohesive supporting assets
From Business Continuity Plans to Disaster Recovery and Incident Detection, Investigation and Analysis, make sure your policies and people are:
These aren’t set-and-forget assets: test them regularly, and refine and adapt plans and people as threats and resources change and as organisational structures and priorities evolve.
Understand your reporting obligations
Work with your compliance/legal team to ensure your Incident Response Plan meets all relevant legal/regulatory requirements. They will vary according to impact, state and territory.
Know your cyber insurance policy – every line and clause (yes, really).
If you’re already insured, read the policy today. Get the right team on board to ensure key stakeholders have a full understanding of the exact parameters and nuances of your policy, so everybody who needs to know understands the detail before you face an issue. It’s a challenge to interpret the detail when you’re fighting the fire.
If you haven’t got insurance and you’re thinking about it, get help to find the right policy and coverage for your organisation. Engage support to help you create your Incident Response Plan so that you’re equipped and able to tackle any curly questions that might arise and impact your ability to secure the levels of coverage you need. There is truly nothing worse than being 12 weeks into a cyber event, only to realise your situation isn’t covered and you aren’t eligible for support.
Talk to us about helping you to create a tailored Incident Response Plan. We bring the experience, expertise and momentum you need to provide performance, productivity and protection for your organisation.