Practice Four: The Importance of Having an Incident Response Plan
Incident Response
Despite an organization’s best efforts, cybersecurity breaches will occur. When you are faced with a cyberattack, the first question that inevitably comes to mind is “What will we do?” Being prepared means asking that question before something happens.
Once the alarm sounds, how should an organization respond? One of the most important parts of an incident response plan (IRP) is ensuring that both electronic and physical copies of the plan exist and can be easily accessed at a moment’s notice, even if the organization’s computers are down. Why is this so important?
- A cyber incident isn’t just a computer problem. It’s an operational problem.
- An organization shouldn’t have to rely on its employees’ memories during a crisis.
- Incidents tend to happen at the worst possible time – such as when key players are on vacation or during peak sales periods.
The IRP does not have to be highly sophisticated, but it does have to be detailed enough to document who does what, how it is done and when it gets done. Documentation is especially important in case those responsible for executing an organization’s IRP are not available.
According to Tim Francis, Travelers’ Enterprise Cyber Lead, the goal of an IRP is to provide a clearly defined, focused and coordinated approach to responding to cyber incidents. This will enable the organization to limit the damage and expedite a return to normalcy. Having an IRP in place and testing it before you need it is one of the basic tenets of good cyber hygiene. Yet, according to the 2024 Travelers Cyber Risk Index, 47% of organizations fail to do so.
“Compared to all other business and societal concerns, cybersecurity remains one of the top concerns across the businesses we survey,” said Francis. Acknowledging a range of cybercrimes, like social engineering fraud and business email compromise, he stressed that “there’s a host of other things that an IRP can help you address.”
Francis offered six useful tips for crafting an IRP:
- Identify and prioritize your organization’s risks.
- Have a communication strategy that includes multiple means of contact.
- Determine how evidence will be collected and who will be responsible for collecting it.
- Know who will get backups ready to bring your organization back online.
- Develop and document a practical plan that meets your organization’s specific needs – then practice and update it regularly.
- Have a paper copy of your plan at the ready.
Getting back to business with limited impact after an attack is only one benefit of having a plan. An IRP also demonstrates to an organization’s partners, suppliers and clients that it takes cybersecurity seriously.
According to Ken Morrison, Assistant Vice President of Cyber Risk Management for Travelers, an IRP is not merely a reactive measure; it’s a vital part of an organization’s overall cybersecurity strategy. It instills a proactive culture of preparedness and resilience, providing a road map for dealing with the unexpected, helping to protect and even enhance the organization’s overall well-being.