How to Keep Incident Response Plans Current

Review and update plans to minimize recovery time. Practice and a well-thumbed playbook that considers different scenarios will ensure faster recovery of critical data.

Grayson Milbourne, Security Intelligence Director, OpenText Cybersecurity

March 22, 2023

4 Min Read
Source: Anna Berkut via Alamy Stock Photo

The threat landscape is complex, and the tactics used by threat actors are constantly evolving. In this never-ending game of cat and mouse, it seems no matter what cybersecurity advancements the good guys make, it's a perpetual state of catch-up. As tactics evolve, so should readiness plans.

All businesses, regardless of size, should have a set of incident response plans that take into consideration a variety of situations. For example, the action you take for a ransomware attack versus discovering an employee doing something nefarious are greatly different. Having a playbook that considers many scenarios ensures nothing is missed. After all, the last thing any business wants to do during a crisis is ad hoc incident response.

Key Points to Cover

Incident response requires meticulous planning; this is something smaller businesses often struggle with. While not all organizations have the resources to plan for every potential scenario, the goal is to get to a place of satisfaction.

The following considerations will make the process less daunting.

Know your assets. Identify critical assets and put steps in place to revive them in the event of a failure. For example, create a list of internal systems that are core to the function of day-to-day business. It doesn't have to be a cyberattack that could take these offline. Hardware failures, natural disasters, and faulty updates can cause disruptions. Regardless of the cause, having a plan in place speeds the rebound process.

Since even carefully built backup-and-recovery plans can be compromised in an attack, additional safeguards are important for cyber resilience. For example, in anticipation of a ransom attack, keep multiple copies of backups in different domains (e.g., local and cloud). Likewise, consider backup solutions that do not allow an attacker to rewrite, encrypt, or modify previous backups. Equally important, maintain a history of restored points and backups that cannot be compromised; this will allow one to restore from a good copy of an earlier snapshot. While not all malware attacks are ransomware, the ability to quickly recover data following an incident is essential to minimize downtime and resume normal business operations.

Take the time to learn. Cybersecurity is challenging because even with the rights steps taken and all the right boxes checked, a business can still fall victim to an attack. However, each encounter with a security incident is also an opportunity to learn.

For those that dig deeper, valuable insight can be gained as to how a user initially encountered a threat. There may be something upstream of their actions that could be improved upon. Maybe they clicked on an email that got through the spam filter. Additional opportunities exist when users report a suspicious email; take the opportunity to learn how it got into their inbox. This is where an IT or security operations center (SOC) team can really help; this is also where experience can make a big difference.

Plan and practice. There's no one-size-fits-all incident response plan. Have plans for a variety of security incidents that you can anticipate. An employee doing something nefarious that requires them to be fired on the spot requires a different course of action than the discovery of a third-party breach. For each scenario, create a playbook to ensure nothing is missed.

Don't wait for an incident to test the effectiveness of plans. To identify gaps and achieve a desired level of confidence, it's important to run an occasional fire drill. Reflect on how things went and look for areas of improvement.

Set up a rapid response alias via e-mail to ensure all stakeholders are included; this allows for quick alert in the event of an incident, so less time is spent delegating and more time is spent recovering. Involve this team early on, during the build out of response plans and assignment of responsibilities in the event an attack does take place. A fire drill will expose what (or who) is missed and what could be done better.

Practice, Then Review Plans Annually

Once a level of comfort is achieved, this doesn't mean you never practice again. Confidence simply lowers the cadence for reviewing plans. As tactics shift, your response plans should, too. A good rule of thumb is, once you have confidence in your plans, review them on an annual basis.

Incident response plans are a must for businesses of every size. Because it's not if an organization will experience an incident but when, having a documented plan to detect, contain, and respond is critical. Planning and practice can greatly minimize the time required for recovery of critical data so businesses can minimize downtime and even maintain operations during an incident.

About the Author

Grayson Milbourne

Security Intelligence Director, OpenText Cybersecurity

Grayson Milbourne is the Security Intelligence Director at OpenText Cybersecurity, a division of OpenText. Grayson’s nearly two decades of security intelligence expertise include malware analysis, data science, and security education. In his current role, Grayson is focused on efficacy development to ensure the company’s security management products (which include the Webroot portfolio) are able to defend against the most cutting-edge threats.

Grayson is a longtime advocate for better third-party testing of security products and represents OpenText Security Solutions at the Anti-Malware Testing and Standards Organization (AMTSO). Through his efforts, AMTSO released testing standards that greatly improved testing quality when followed. Grayson is an avid participant in the security community and drives awareness of current threats by speaking at major events such as RSA and Virus Bulletin. He is a frequent guest on local NBC affiliates and several cybersecurity podcasts.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights