Many organizations have taken a more proactive approach to IT security rather than waiting for something bad to happen. Recognizing the immense cost of a data breach (an average of $3.86 million) and the time it takes to contain one (an average of 69 days), these organizations follow best practices and deploy security tools that reduce the risk posed by malware, zero-day exploits and other threats.
But that’s not enough.
Security investments are critical, but you still need to operate under the assumption that a data breach will happen. When it does, preparation and communications are just as important as any tools you may have for maintaining business continuity and restoring critical data, applications and systems.
This is why every organization, regardless of how sophisticated their IT security tools may be, needs an incident response plan. Incident response refers to the steps taken after a data breach to minimize damage and resume normal business operations as quickly as possible. No longer simply an IT security discipline, incident response has become a strategic business discipline.
There are six general steps to creating an incident response plan.
- Assign roles and responsibilities. Someone needs to own the process of creating a plan, communicating with all involved and delegating responsibilities. This is not just an IT function. An incident response plan typically requires input from senior executives, legal, human resources, compliance, IT consultants and public relations.
- Prioritize business functions and define acceptable risk. Incidents involving high-value business functions that are critical to operations should be the top priority when responding to an incident. What capabilities can you afford to be without, and for how long? If multiple systems are down, in what order should they be restored?
- Classify incidents. Incident classification is typically based on urgency and the level of risk – high, medium and low. For example, a low-risk incident could mean someone clicked on a potentially malicious link in an email. However, if this incident isn’t thoroughly investigated and documented, it could lead to a medium- or high-risk incident.
- Establish detailed response procedures. Once roles have been assigned, business functions have been prioritized, and incidents have been classified, you can lay out steps that need to be taken and by whom. What is the reporting protocol? Who investigates and analyzes each type of incident? What actions are taken based on the seriousness of the incident? What is the incident response timeline? How are activities recorded for future review? More detailed procedures translate to less confusion and better decision-making.
- Create a process for restoring systems and removing threats. High-priority systems should be backed up, but your staff needs to understand how to access those backups. Meanwhile, threats need to be quickly isolated to enable remediation before they spread. This will allow you to return to normal business operations.
- Create an assessment process. One of the most important parts of an incident response plan is understanding what happened and taking steps to prevent a repeat incident. What caused the incident? Has that issue been addressed? Has the fix been tested? Was the incident response plan effective in terms of both technology and communication? Every security incident is a learning experience – a potentially painful one, but a learning experience nonetheless.
In the next post, we’ll discuss the consequences of an ineffective incident response plan and how Windows Defender Advanced Threat Protection supports incident response.
Written by Steve Soper, Principal