
    Noam Morginstin
    Jul 24 5 min read

    6 Best Practices For Outstanding Critical Incident Management


    "Businesses need to face the inevitability of being hacked at some point. It's not a question of if, but when — and that's why being proactive to minimize the risk is essential." Robert Egan.

    When a critical incident hits, what happens to an organization without an efficient incident management plan? Essentially, all stakeholders are left "fighting fires," trying to recover their systems, and get their business back up and running.

    In most cases, these organizations end up facing losses due to the amount of time they spend acting haphazardly without a plan of action in place. Moreover, they often have to deal with public relations disasters due to botched communications. This "panic" mode doesn’t have to be the norm. With a solid incident response plan (IRP) in place, the worst effects of an attack can be minimized, and businesses can learn from the experience to improve their resilience.

    How Organizations Handle Critical Incident Management

    Surprisingly, many organizations still lack a proper resilience and incident response strategy. A study by IBM Security and the Ponemon Institute showed that 77 percent of organizations still lack an IRP that is applied consistently throughout the organization. Moreover, over 54 percent of those who do have a plan in place do not test it regularly, rendering it ineffective.

    As a result, critical incidents are often met with inefficient workflows that rarely include tabletop simulations, a tool that is very effective at exposing inefficiencies before a real incident does.


    Best Practices for Handling Critical Incidents

    As Becky Pinkard, CISO of Aldermore Bank, puts it: "A 'headless chicken' approach is never desirable during the time of a crisis." The approach that most organizations take simply doesn't manage the incident response process effectively among multiple stakeholders against the backdrop of complex processes and siloed systems. Here are six best practices to implement for effective incident response management.

    Best Practice #1: Manage an Incident Throughout the Entire Lifecycle

    The cyber resilience lifecycle, based on the industry-standard NIST framework, encompasses five key areas: identify, protect, detect, respond, and recover. An effective IRP must therefore orchestrate and automate the incident's recovery workflow, from detection through communication and damage control, across the entire lifecycle.

    Best Practice #2: Enforce Standard Operating Procedures

    An IRP helps your team act with a cool head when emotions run high. Orchestrating your human resources during a crisis ensures that you can effectively determine the scope of the threat, contain it, and initiate the recovery process.

    A significant advantage of an IRP is that you can avoid the "headless chicken" mode by making it clear to your employees who is responsible for what, and by aligning and coordinating all resources in the most efficient way possible. Beyond the technical staff, your plan should include crisis management, as well as a clear procedure for corporate communications. It must be clear from the get-go who is authorized to speak on behalf of the organization, and what they will say. Procedures must also be put in place for notifying legal counsel, your insurance company, and any other relevant internal or external stakeholders.

    Best Practice #3: Automate Communication and Escalation

    When incidents occur, there is a danger of severe reputational impact. How you communicate in a crisis is critical. Anything you can use to make your life easier allows you to focus on the main task—resolution. Having a tool to automate communications ensures that you don't waste valuable time and can concentrate on responding and resolving high priority issues.

    By automating communications, you can send a notification to all relevant parties any time there is a change in an escalated ticket.

    Best Practice #4: Deliver Information to Stakeholders in Real-Time

    Critical incidents encompass the entire organization. Multiple stakeholders should be informed: C-level executives, communications, customer services, employees, and, last but not least, your customers. Quick communications can make a massive difference in the public's perception of the incident. As a rule of thumb, in the age of social media, the longer it takes to communicate with your customers, the more significant the impact the event will have on the company's brand.

    For example, Uber infamously took over a year to inform its customers of a breach. On the other side of the spectrum is Norsk Hydro, which, during its data breach in March, kept up a steady stream of communications on social media channels addressing the ongoing incident.

    The ability to communicate with customers en masse in real time is essential, as is coordination between technical and customer-facing staff during an incident.

    Best Practice #5: Integrate With Other Processes and Systems

    An IRP cannot be isolated to one group or division of the company. A holistic incident requires a holistic approach. Only by integrating with all relevant business processes and systems, such as your help desk or internal ticketing system, can you design an incident response strategy that reflects the complexity and demands of modern-day critical incidents.

    Best Practice #6: Postmortem Documentation and Reporting of KPIs

    Postmortem documentation is an essential piece of the puzzle for effective incident response management. It empowers employees to tackle future incidents head on, and turns an incident from a crisis into a learning experience for the whole organization. A routine postmortem analysis should cover, at a minimum:

    • How many incidents were raised and closed each month
    • Average resolution time
    • Percentage of downtime
    • Problems and changes linked to a specific incident
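    The four postmortem metrics listed above, computed over a constructed set of incident records. This is an added example, not code from the post or from Exigence; the Incident fields, the sample records, and the choice to measure downtime per calendar month are assumptions made here.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    id: str
    opened: datetime
    closed: Optional[datetime]        # None while the incident is still open
    downtime: timedelta               # service unavailability attributed to it
    linked_refs: Tuple[str, ...]      # problem/change records tied to this incident


# Constructed sample records for illustration (not real data).
INCIDENTS: List[Incident] = [
    Incident("INC-1", datetime(2019, 6, 3, 9), datetime(2019, 6, 3, 13), timedelta(hours=2), ("CHG-101",)),
    Incident("INC-2", datetime(2019, 6, 20, 22), datetime(2019, 7, 1, 6), timedelta(hours=8), ("CHG-102", "PRB-7")),
    Incident("INC-3", datetime(2019, 7, 10, 8), datetime(2019, 7, 10, 8, 30), timedelta(0), ()),
    Incident("INC-4", datetime(2019, 7, 28, 15), None, timedelta(hours=1), ("PRB-7",)),
]


def monthly_raised_closed(incidents: List[Incident]) -> Dict[str, Dict[str, int]]:
    """Incidents raised and closed per calendar month ('YYYY-MM')."""
    raised = Counter(i.opened.strftime("%Y-%m") for i in incidents)
    closed = Counter(i.closed.strftime("%Y-%m") for i in incidents if i.closed)
    months = sorted(set(raised) | set(closed))
    return {m: {"raised": raised[m], "closed": closed[m]} for m in months}


def average_resolution_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean open-to-close time over resolved incidents only; None if none resolved."""
    hours = [(i.closed - i.opened).total_seconds() / 3600 for i in incidents if i.closed]
    return mean(hours) if hours else None


def downtime_percentage(incidents: List[Incident], start: datetime, end: datetime) -> float:
    """Share of the reporting window lost to downtime from incidents opened in it."""
    window = (end - start).total_seconds()
    down = sum(i.downtime.total_seconds() for i in incidents if start <= i.opened < end)
    return 100.0 * down / window


def incidents_by_reference(incidents: List[Incident]) -> Dict[str, List[str]]:
    """Invert the links so each problem/change record lists the incidents tied to it."""
    index: Dict[str, List[str]] = {}
    for i in incidents:
        for ref in i.linked_refs:
            index.setdefault(ref, []).append(i.id)
    return index
```

    Records that are still open count toward "raised" but are excluded from the resolution-time average, so the two figures are reported over different populations.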

    Turn Any Incident Into a Learning Opportunity For The Entire Organization

    Cyber attacks, critical failures, and human errors are ever-present threats. An IRP is a blueprint for handling critical incidents that can make or break an organization. With a solid IRP, your employees can efficiently prepare for, cope with, and recover from cyber security incidents.

    And that is where Exigence comes in. Exigence is a fully integrated platform that was designed to help organizations harden themselves against cyber incidents and strengthen their cyber resilience posture. The platform addresses every aspect of the incident, turning chaos into a standard operating procedure that is structured and easy to manage.

    The platform coordinates all relevant stakeholders and systems in real time, orchestrating complex workflows from trigger to resolution, simplifying the postmortem, and empowering organizations to learn and optimize their processes.
