“By failing to prepare, you are preparing to fail. Preparation prior to a breach is critical to reducing recovery time and costs.” (RSAConference)
For 83% of companies, a cyber incident is just a matter of time (IBM). And when it does happen, it will cost the organization millions, coming in at a global average of $4.35 million per breach.
The damage isn’t only financial, nor solely related to customer loyalty and brand equity. There are also the regulators who will be fast to penalize, and cyber insurance rates that will likely rise.
So, it’s no surprise that companies invest millions every year in cyber protections such as intrusion detection and prevention, data loss prevention, endpoint protection, identity and access management, penetration testing, and more.
The must-have for your toolkit
However, even if you have a generous cyber budget, no prevention tool is 100% attack-proof. This is why it’s critical to be prepared, so that when an incident hits you will know exactly:
- What are everyone’s roles and responsibilities
- What are the right investigative procedures
- Which external stakeholders need to be contacted, e.g., insurance carrier, breach attorney, regulatory authorities, law enforcement
- Which data needs to be collected
- Which reports need to be compiled and who needs to get them
- What are the legal protocols
- Who should communicate what to whom
- And more
There really is no other way to hit the ground running and be fast and accurate in understanding exactly what needs to be done to reduce downtime, costs, and the probability of material impact.
And this is what the incident response plan is all about.
It’s the must-have tool for your cybersecurity toolkit, and its importance cannot be overstated. Consider these numbers:

| | Without an IR plan | With an IR plan |
|---|---|---|
| Days to find the breach & recover | 46 days | 37 days |
| Days to find an adversary & eradicate | 35 days | 27 days |
| Cost of breach | $3M | $2.4M |
The IR plan’s key elements
In developing a well-designed IR plan, with the policies, procedures, and guidelines for response, some of the key chapters that should be included are:
- Roles and responsibilities, e.g., IR commander, handling team, and all other relevant stakeholders
- The framework for identification and assessment
- Containment strategies and steps
- Eradication and recovery processes
- The data that should be collected for intelligence
- The post-mortem outline
- Notification requirements
- Guidelines for communicating with internal stakeholders, customers, law enforcement, the media, regulatory authorities, and the cyber insurance carrier
- The incident response checklist
Ensuring efficacy
Once you have a solid plan in place, you can go a long way towards amplifying its efficacy by:
Ensuring availability
When an incident occurs, the first step is to consult the incident response plan to see which steps each incident stakeholder should take. Accordingly, it is critical that the plan be available even if the enterprise system that stores it is down.
Testing the plan
Don’t wait for a live incident to test your plan. Testing processes and guidelines in advance with tabletop exercises is vital to making sure that the plan is clear and effective, and that everyone knows what to do and does it right.
To this end, stakeholders should be encouraged to execute the response to a scenario as if it were actually happening.
Once the exercise is completed, its outcomes can be reviewed to understand what works, what doesn’t, and how the response can be optimized.
Standardizing
The incident response plan must have a consistent and standardized structure and format to ensure that all incidents, regardless of the severity or complexity, are always approached in full alignment with the organization’s policies, procedures, and best practices.
How Exigence can help
Exigence brings automation, clarity, and simplicity to incident response, planning, and tabletop testing.
The platform enables IR planning that is fully digitized and template driven. Its intuitive interface walks users through the different sections of the IR plan, helping them to fill out all the relevant sections quickly and accurately. And it enables teams to test preparedness with tabletop simulations.
Furthermore, because the platform is multi-tenant, service providers such as MSPs and MSSPs can seamlessly create and provide incident response plans and tabletops to a great number of different customers.
Through this combination of capabilities, anyone can gain unprecedented efficiency, accuracy, and effectiveness with IR planning and plan testing.
In conclusion
The IR plan is every organization’s cybersecurity must-have for ensuring preparedness, accelerating response, and meeting regulatory and insurance demands.
When you have a robust plan in place, you improve your security posture and profoundly enhance the protection of your organization’s most strategic data assets.
To learn more about how Exigence can help, we invite you to reach out to us at info@exigence.io.