Learn how to get started on creating your own incident response plan.  

David Ellis
Director of Forensic Investigations
CISSP, PFI, QSA
What do you do if you get hacked? If you learn that you’ve been hacked via a third party, like your bank, the FBI, or the media, your organization could be in serious trouble. It’s not enough to just sit back and hope it doesn’t happen to you. With the rise of technology and networked devices, many businesses are preparing for when they get breached, not if.

Developing and implementing an incident response plan will help your business handle a data breach quickly, efficiently, and with minimal damage done.

So how do you get started?
Here are 6 steps to help you create an incident response plan.

1. Identify and prioritize assets

You need to make sure you know where your company keeps its crucial data assets. Ask this question: What would cause my business to go under or suffer heavy losses if it were stolen or damaged?

Once you have identified your critical assets, prioritize them by importance and by the level of risk they face. Make sure to quantify your asset values. This will help justify your security budget and show executives what you’re trying to protect and why it’s essential to do so.

2. Identify potential risks

Do research. Look at the greatest current threats against your business systems. Keep in mind that this will be different for every business.

For businesses that process a lot of data online, insecure application code could be their biggest risk. For those in a brick-and-mortar environment that offer WiFi for their customers, it may be that customer Internet access. Other businesses may place a higher focus on ensuring physical security, and some may focus on securing their remote access applications.

Here are examples of a few possible risks:
  • External or removable media
  • Attrition (brute-force attempts against passwords, systems, or services)
  • Web
  • Email security
  • Social engineering
  • Loss or theft

3. Establish procedures

You can’t just hope you’ll know what to do should you get breached. If you don’t have a set of practiced procedures to follow, a panicked employee could end up making crucial mistakes that could be costly to your organization. Your policies and procedures for handling a data breach should include:
  • Identifying and containing a breach
  • Recording information on the breach
  • A notification and communications plan
  • A defense approach
  • Employee training
Obviously, you’ll need to tailor your policies to your business. Some businesses may require a heftier notification and communications plan, while others may need to get help from outside resources. All businesses will need to focus heavily on employee training (safe handling of emails, defense against phishing and social engineering attacks, etc.).

4. Set up a response team

You’ll need to designate a team that directs your company’s actions after the discovery of a data breach. The goal for this team is to coordinate resources during a security incident so that impact is minimized and operations are restored as quickly as possible.

Some of the necessary team roles are:
  • Lead Investigator
  • IT Director
  • Communications Leader
  • Documentation and Timeline Leader
  • HR/Legal Representative
Make sure your team covers all aspects of your organization, and that they understand their particular roles in the plan.

5. Sell the plan

Your incident response team won’t be very effective if you don’t have the proper backing and resources to execute the plan. This is true from enterprise organizations down to small businesses. That’s why you need to make sure that those who control your company’s purse strings are aware of the need for, and the benefits of, an incident response plan.

Enterprise organizations should make sure executive members are on board with the idea of an incident response team. Smaller organizations should make sure their higher-ups are okay with some additional funding and resources dedicated to incident response.

Present your plan with the mindset of how this will benefit the company, both financially and with your brand (think of the damage to your company’s reputation in the event that you suffer a data breach and do a poor job of managing the incident). The better you present your goals to protect your business, the easier it will be for you to obtain any needed funding to create, practice, and execute the plan.

6. Employee training

Just having an incident response plan won’t help you during a data breach. Your employees need to be aware of the plan and be properly trained on what they’re expected to do should you get breached.

Test the response plan through tabletop exercises. These exercises walk your team through a realistic breach scenario so that employees become familiar with their particular roles. Testing your plan this way lets you identify and address holes in it, and helps everyone involved see where they can improve, all while there is no actual risk to your business’s assets.

Additional tips

Here are a few other things to think about when making your incident response plan:
  • Train employees on data security: Help your employees see their role in maintaining company security by being able to better identify phishing emails, social engineering efforts, and the like. This will help prevent data breaches and keep your employees focused on security.
  • Document everything: Documenting your plan is crucial to having set procedures, and it helps keep everyone on the same page.
  • Test your employees: Hire ethical social engineers to test employees and their training. This helps employees practice what they’ve learned and be ready for the real thing.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.