Practice Four: The Importance of Having an Incident Response Plan
Despite an organization’s best efforts, cybersecurity breaches will occur. When you are faced with a cyberattack, the first question that inevitably comes to mind is “What will we do?” Being prepared means asking that question before something happens.
Once the alarm sounds, how should an organization respond? One of the most important parts of an incident response plan (IRP) is ensuring that both electronic and physical copies of the plan exist and can be easily accessed at a moment’s notice, even if the organization’s computers are down. Why is this so important?
- A cyber incident isn’t just a computer problem. It’s an operational problem.
- An organization shouldn’t have to rely on its employees’ memories during a crisis.
- Incidents tend to happen at the worst possible time – such as when key players are on vacation or during peak sales periods.
The IRP does not have to be highly sophisticated, but it does have to be detailed enough to document who does what, how it is done and when it gets done. Documentation is especially important in case those responsible for executing an organization’s IRP are not available.
According to Tim Francis, Travelers’ Enterprise Cyber Lead, the goal of an IRP is to provide a clearly defined, focused and coordinated approach to responding to cyber incidents. This will enable the organization to limit the damage and expedite a return to normalcy. Having an IRP in place and testing it before you need it is one of the basic tenets of good cyber hygiene. Yet, according to the 2023 Travelers Cyber Risk Index, 50% of organizations fail to do so.
“Compared to all other business and societal concerns, cybersecurity remains one of the top concerns across the businesses we survey,” said Francis. Acknowledging a range of cybercrimes, like social engineering fraud and business email compromise, he stressed that “there’s a host of other things that an IRP can help you address.”
Francis offered six useful tips for crafting an IRP:
- Identify and prioritize your organization’s risks.
- Have a communication strategy that includes multiple means of contact.
- Determine how and who will be responsible for collecting evidence.
- Know who will get backups ready to bring your organization back online.
- Develop and document a practical plan that meets your organization’s specific needs – then practice and update it regularly.
- Have a paper copy of your plan at the ready.
Getting back to business with limited impact after an attack is only one benefit of having a plan. An IRP also demonstrates to an organization’s partners, suppliers and clients that it takes cybersecurity seriously.
According to Ken Morrison, Assistant Vice President of Cyber Risk Management for Travelers, an IRP is not merely a reactive measure; it’s a vital part of an organization’s overall cybersecurity strategy. It instills a proactive culture of preparedness and resilience, providing a road map for dealing with the unexpected, helping to protect and even enhance the organization’s overall well-being.
In Their Words
- Cyber: Prepare, Prevent, Mitigate, Restore: NYSE
- Cyber Risk Report: A View from the U.S. Government’s Lead Cyber Agency
- Hacked! What’s Your Plan?
- The Fight Against Cyber Crime – from Prevention to Prosecution
- What’s Required? Understanding the New Cybersecurity Laws Impacting U.S. Critical Infrastructure
This information is for general informational purposes only. None of it constitutes legal or professional advice, nor is it intended to create any attorney-client relationship between you and the author. You should not act or rely on this information without seeking the advice of your own attorney or other professional advisor. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists or guidelines will result in a particular outcome. In no event will Travelers or any of its subsidiaries or affiliates be liable in tort or in contract to anyone who has access to or uses this information. Travelers does not warrant that the information in this document constitutes a complete and finite list of each and every item or procedure related to the topics or issues referenced herein. Furthermore, federal, state or local laws, regulations, standards or codes may change from time to time and the reader should always refer to the most current requirements. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.
Cybersecurity threats affect businesses and organizations of all sizes. Our Cyber: Prepare, Prevent, Mitigate, Restore® initiative promotes dialogue and education to help leaders prepare for and respond to cyber incidents.LEARN MORE