How to Build an Incident Response Plan for Your SMB

Does your business have a cybersecurity incident response plan? If not, you're not alone. IT teams may be stretched thin, especially at SMBs with more limited internal resources and budgets. But regardless of company size, the risk of a data breach is real. A data breach can devastate a company's daily operations and bottom line. Prioritizing the creation of an incident response plan could prevent your company from making costly mistakes. A documented step-by-step incident response plan will help your company better navigate the stresses and challenges of reacting to and recovering from a cybersecurity incident. Here's how to start building one so your company is better prepared for the worst.

What is an incident response plan?

An incident response plan (IRP) helps your company react to a cybersecurity event. According to NIST, an IRP is "the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization's information system(s)." In other words, it lets you know what to do, who to involve, how to communicate, and what to expect in various cybersecurity scenarios.  NIST outlines four key phases for incident response:

• Preparation
• Detection & Analysis
• Containment, Eradication & Recovery
• Post-Incident Activity

Although you will tailor your incident response plan to your company's unique environment, every incident response plan should detail how a company will navigate these four phases.

Preparation

This phase is all about gathering data and making a plan. Key questions to ask and document in an incident response plan include:

• A designated "incident response team"
• Names, contact information, and duties of the response team members
• List of other stakeholders to be alerted about cybersecurity incidents based on severity and urgency (such as C-level executives or department leaders for legal, PR, customer service, etc).
• Inventory of all hardware, software, third-party vendors, databases, networks, IT accounts, etc. 
• Deploy monitoring tools that establish a baseline for "normal" activity and can identify anomalies in real-time
• Process for employees to report cybersecurity incidents

When building an incident response plan, you must explore the cyber incidents your company may face. Common cyber threats to businesses include:

• Data breach
• Ransomware
• Malware or virus
• Firewall breach
• Denial of service or distributed denial of service (DDOS) attack
• Vulnerabilities in third-party software
• Device theft or tampering
• Insider threats
• Social engineering
• Phishing

Some cyber incidents are all-hands-on-deck situations that affect the entire company. Others are isolated incidents, and their impact is minimal. However, to be prepared, your IT point-person needs to:

• Be familiar with a variety of cyber threats
• Know how to identify and contain these incidents or have access to qualified third-party vendors for remediation
• Educate employees on spotting suspicious activity and create a company-wide culture of awareness
• Deploy reasonable cyber security measures to reduce the likelihood of successful cyber attacks, like strong password requirements and multi-factor authentication
• Perform drills and mock data breaches to assess the incident response plan

Your company also needs to be aware of any laws and regulations that require disclosure of cyber security incidents. Know which law enforcement officials need to be contacted and when. Also, know what circumstances your company needs to notify impacted customers and what information your company must share. You may also want to include a business continuity plan, such as who takes over if various executives are unavailable or incapacitated or if critical systems go down. For example, is there a way to recover passwords to essential accounts and systems if key IT personnel aren't available?

Detection and Analysis

This phase is about identifying suspicious activity and investigating it. Detection may come from an employee who spots suspicious activity or a network tool that detects unusual behaviors.  No matter how IT is alerted, the important thing is that they are made aware of what is going on as quickly as possible and start investigating immediately. During analysis, the team will verify if a cyber attack is in progress or has occurred. They will also categorize the cyber attack and alert the incident response team members based on severity and scope. When preparing for this phase in your incident response plan, you'll want to account for key questions such as:

• How are we collecting and analyzing data to spot suspicious activity? Who is analyzing that data?
• Do employees know how to report suspicious activity and how are reports handled for urgency?
• What are the categories for different cyber security threats, and how will the team respond to each threat level?
• How will you evaluate the scope of a cyber incident?
• How will you document the cyber incident as it is happening and preserve evidence for further investigation?

Analysis may also require pulling in qualified third-party professionals. Your company should strive to have these resources in place before a cyber incident; the longer you take to respond to an incident, the more significant the damage it may cause. If you use an outside vendor for incident analysis, document their contact information and order of operations in the incident response plan.

Containment, Eradication, and Recovery

This phase is where team members are especially prone to anxiety and panic. Remember to never underestimate the psychological impact of a data breach, especially for a team that hasn't navigated one before. However, with an incident response plan in place, you'll be able to more confidently and quickly address the situation. During containment, you need to move into stopping the attack and mitigating the effects quickly. For example, do you need to pull a specific device offline? Reset a password or block an IP address? Deploy an update or remove malicious files? You'll also need to evaluate how responding to the event will impact the business. For example, will critical systems be offline? For how long? How will the situation impact employees or customers? Eradication and recovery require removing the threat from the company's environment and returning operations to normal. For example, you may need to restore from backups, deploy patches or updates, and bring systems back online after confirming that you've eliminated the threat. In addition, the IT team may need to monitor activity more closely to ensure the threat doesn't return.

Post-incident activity

The crisis is over, and the team has recovered. Now, it's time to look back over the entire incident, from detection to recovery. Document everything that happened. Gather all incidence response team members and other stakeholders to talk through what you learned, including:

• What went well in the IRP?
• What needs improvement?
• How well did the incident response team perform?
• How can company systems be hardened against similar future attacks?
• How did the event impact the company? And how can you better prepare for that impact in the future?

Reflecting on lessons learned while being open and honest will help your company better navigate future attacks.

Start creating your incident response plan

When you're just getting started, focus on the basics outlined above. Your incident response plan will evolve as your company stress tests it. If decision-makers question why you need an incident response plan, stress the importance of responding quickly and effectively when a security breach occurs. An IRP helps create a feedback loop in which the team can continue to improve its cybersecurity strategy and deal with the legal and commercial effects of a data breach. When faced with the urgency of day-to-day tasks, it's challenging to prioritize creating an incident response plan. But now that you know what to expect in crafting an IRP, it's time to get to work. Crafting an incident response plan and deploying critical cybersecurity tools will boost your company's confidence in handling cybersecurity events.  Contact our team today to learn how a business password manager like LastPass can help you strengthen your incident response plan.