How to design a cyber incident response plan for your business
Find out how to design a cyber incident response plan to help your company deal with the consequences of a cyberattack more efficiently.
Table of Contents
- What exactly is a cyber incident response plan?
- Why does your business need a cyberattack response plan?
- How to create a cyber incident response plan
- Preparation: Make sure you are ready and equipped
- Identification: Identify the breach
- Containment: Contain the affected systems and isolate the threat
- Eradication: Remove all threats from your devices and network
- Recovery: Restore your system and network to their pre-incident state
- Lessons learned: Understand what errors were made and what steps need to be taken to curtail future attacks
- Effectively respond to cyberattacks
Cybercrime is constantly in the news. And it’s not just giant corporations getting attacked — small businesses are vulnerable too. In fact, according to recent reports, more than 40% of small businesses experienced a cyberattack in 2023.
That’s why it’s important to protect your business and know what to do if you experience a cyber incident.
This is where having a strong response plan comes into play. In this post, we’ll show you how to create a cyber incident response plan that will minimize damages and get your business back up and running faster. Let’s get straight to it.
What exactly is a cyber incident response plan?
A cyber incident response plan is a written set of guidelines that instructs teams on how to prepare for, identify, respond to, and recover from a cyberattack. A detailed response plan should include technology-related issues, but also address problems that can arise in other departments, including HR, legal and compliance, finance, customer service, or PR teams, among others. Essentially, your cyber response plan should map out your company-wide plan for responding to the attack.
In early 2024, Change Healthcare, a subsidiary of UnitedHealth Group, was the victim of the largest-scale data breach of all time — more than 100 million people were affected. While the details of the breach are yet to be fully uncovered, and Change Healthcare has not received any fines or penalties, this massive breach could indicate some significant gaps in the company’s cyber response plan.
Why does your business need a cyberattack response plan?
According to a report by the Identity Theft Resource Center, data breaches were up 78% in 2023 compared to 2022, and there are few indicators that the rise in breaches will subside any time soon. This steady and constant increase in cyberattacks on businesses is obviously quite concerning, and it highlights the importance of preparedness for all companies, no matter how big or small.
Let’s take a look at some of the main reasons that businesses should have a cyber incident response plan.
Step-by-step guidance keeps you organized and effective
When cyberattacks occur, it is natural for employees to panic — especially if your company doesn’t have a proper response and recovery plan in place. A detailed incident response plan can help your team stay organized during a crisis and outlines specific steps and actions to follow, leaving nothing to the imagination.
This response plan also establishes communication channels among team members and stakeholders, specifying how to share crucial information.
Swift and efficient response to cyber threats
Time is of the essence when it comes to minimizing the consequences of a cyber incident, and the longer your system is compromised, the more devastating the damage may be. Without a response plan, it can take much longer to handle an incident, leading to more downtime, loss of revenue, and extensive data loss.
Having a proper incident response plan in place helps companies make sure that their reaction to the attack is as swift and organized as possible.
Ensures compliance with regulatory requirements
There are countless regulatory bodies for various industries that enforce cybersecurity protocols. For example, the Gramm-Leach-Bliley Act requires financial institutions to take specific measures to protect customer data. Having a strong cyberattack response plan can help safeguard your business in the event of regulatory lawsuits. These regulations can be extremely complex to navigate, especially if your company operates in multiple countries. For example, in 2022, Meta was fined €266 million by the Irish Data Protection Commission for a breach that affected more than half a billion people.
With a response plan, you can prove that your company has the necessary precautions to minimize data breaches.
Helps contain the spread and minimize damage
Your ultimate goal with a cyber incident response plan is to minimize and contain the damage caused by an attack. By having a well-structured plan in place, you can effectively identify the affected data and systems, and assess the impact quickly, allowing your team to implement containment strategies without delay. Isolating these affected systems is a crucial step, as it can prevent the breach from spreading to other parts of your business’s network. How soon your team is able to contain the spread of the attack can be the difference between a major, devastating attack and a smaller, more manageable one.
Prepares your company for all types of cyber threats
Given that there are quite a few ways hackers can endanger your business, it’s crucial for your business to have a variety of incident response scenarios mapped out that cover the myriad types of cyberattacks that can occur.
Your response plan should indicate what steps to take in case of a data breach, an insider threat, a social engineering attack, or a ransomware attack, for example, since the source of the breach and the outcome are often completely different based on the type of attack.
Be sure to identify your main cybersecurity risks and include them in your response plan to put your team in a better position to respond properly to any and all potential incidents and mitigate the risk of further damage.
How to create a cyber incident response plan
So, what exactly does a cyberattack response plan look like? What steps should the plan take to resolve the incident? And which team members and stakeholders should be involved in the process?
According to the 6-step framework that the SANS Institute published a few years back — still the go-to model for an incident response plan — the main phases of a cyberattack response plan are:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Let’s take a closer look at how these phases fit into the process.
Preparation: Make sure you are ready and equipped
Simply having a response plan is not enough; you’ll also need to ensure that your team is fully aware of the plan and trained on how to implement it effectively in the case of an attack. This step involves assembling a team dedicated to addressing an incident and taking preventative measures to fend off attacks.
Assemble your team
As mentioned earlier, a cybersecurity incident doesn’t just affect your computers and IT infrastructure; it affects the entire company. That’s why it’s necessary to include at least one dedicated person from each department you identify as crucial when dealing with the attack’s aftermath. You want to clearly define roles within your cyber incident response team so that each team member understands their job in minimizing the aftermath.
Start with your IT security department and assign people responsible for discovering the source of the attack and containing it, as well as instructing other employees about what actions need to be taken. If you don’t have an internal cybersecurity team, identify the person in charge of contacting your outsourced security agency.
Cyberattacks can cause a lot of distress among your employees, especially if their own data or their clients’ data has been stolen. A designated HR professional should be able to handle most of the internal communications and employee concerns. Of course, people from your customer service team should deal with notifying and assisting your clients. Make sure that everyone in your company and beyond knows what they are responsible for and exactly what they need to do when such an event occurs.
Considering that these types of incidents often get public attention, you should also have legal and PR professionals in the wings, ready to handle all external communications and related processes.
Create a communication strategy
Communication is crucial during and following a cyberattack. You’ll need to not only prepare an internal communication system but also design processes for communicating with the press or affected clients about the incident.
When you design your crisis communication strategy, there are a few things you need to consider:
- Who do you need to notify?
- What public or government institutions do you need to contact?
- What is your deadline to report the incident?
Carefully review federal and state data breach laws to ensure you don’t miss any important steps when reporting the incident.
You also need to carefully plan when you should notify your clients, partners, vendors, and anyone else affected by the cyberattack.
If the cyberattack is severe and many different sources (such as the news) have become aware of it, it is essential to make a public statement. You must approach these incidents with care, as they are very sensitive and can lead to a tremendous amount of reputational fallout when not handled properly.
The best course of action might be to hire an outside agency with experience dealing with these types of issues instead of trying to handle all of the PR efforts on your own.
Prevent an attack
In the preparation phase, you won’t be simply sitting back and waiting for an attack to occur. This part of the response plan is all about prevention. After all, the best way to minimize the damage of cyber incidents is to avoid them altogether. This involves strengthening your cybersecurity system, training employees on cyber hygiene and best practices, backing up data, keeping your software updated, and auditing your security systems. With the rise in sophisticated and AI-driven cyberattacks, there is no way to avoid an incident fully, but you can substantially cut down your risk with preparation and prevention.
Identification: Identify the breach
After a breach occurs, your first step should be to identify the affected areas and assess the scale of the damage. No matter how good your protective cybersecurity measures are, you need to assume that some vulnerabilities could potentially allow cybercriminals to infiltrate your network. During this phase, your incident response team will look at any error messages, suspicious activity, or log files to determine if an attack has occurred and what the next steps should be.
While your security staff are the main team members responsible for detecting a cyber incident, you should train all employees to identify and report suspicious activity.
Make sure all employees understand the common signs of cyber threats, such as social engineering attacks, and create clear guidelines for reporting threats. This way, you can quickly address any incidents that occur.
Here are some tell-tale signs of a cyberattack or suspicious activity:
- High number of failed log-in attempts
- Unexpected changes to files, configurations, or user permissions
- Pop-ups or strange messages on screens requesting sensitive information
- New or unrecognized applications installed on devices
- Unauthorized transactions or data changes
- Slow or unresponsive system performance
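The first sign on that list is the easiest one to turn into an automated check. As an added example (not code from the original article), the Python script below parses sshd-style log lines, counts failed log-ins per source address inside a sliding time window, and reports every source that crosses a threshold together with the accounts it tried, which is exactly the list your team will need later when it resets credentials. The log lines are constructed for the example; the log format, the five-failures-per-minute threshold, and the window length are assumptions you would tune to your own environment and logging setup.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in sshd style (not real data): one source
# hammers two accounts within seconds, another produces scattered failures.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 5011 ssh2
2024-05-01T09:00:03 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 5012 ssh2
2024-05-01T09:00:04 sshd[1001]: Failed password for root from 203.0.113.7 port 5013 ssh2
2024-05-01T09:00:06 sshd[1001]: Failed password for root from 203.0.113.7 port 5014 ssh2
2024-05-01T09:00:07 sshd[1001]: Failed password for root from 203.0.113.7 port 5015 ssh2
2024-05-01T09:00:09 sshd[1002]: Failed password for alice from 198.51.100.4 port 6001 ssh2
2024-05-01T09:00:30 sshd[1003]: Accepted password for alice from 198.51.100.4 port 6002 ssh2
2024-05-01T09:15:00 sshd[1004]: Failed password for bob from 198.51.100.4 port 6003 ssh2
2024-05-01T09:40:00 sshd[1005]: Failed password for bob from 198.51.100.4 port 6004 ssh2
"""

# Assumed log format: ISO timestamp, sshd tag, result, optional "invalid user",
# account name, source address, port. Adjust the pattern to your own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_lines(text):
    """Yield (timestamp, result, user, src) for each matching line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def failed_login_bursts(text, threshold=5, window_seconds=60):
    """Return {src: {"first_alert": ts, "users": [...]}} for every source that
    reaches `threshold` failed log-ins inside any window of `window_seconds`.

    Each source keeps a deque of failure timestamps still inside the window, so
    this is a sliding window rather than a fixed bucket: a burst that straddles
    a minute boundary is still caught.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    targeted = defaultdict(set)  # src -> accounts it attempted
    alerts = {}
    for ts, result, user, src in parse_auth_lines(text):
        if result != "Failed":
            continue
        targeted[src].add(user)
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts, "users": sorted(targeted[src])}
    return alerts


if __name__ == "__main__":
    for src, info in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{info['first_alert'].isoformat()} burst from {src}; "
              f"accounts tried: {', '.join(info['users'])}")
```

With the defaults, only 203.0.113.7 is flagged; the three failures from 198.51.100.4 are spread over forty minutes and only show up if you widen the window, which is the trade-off to think about when you set the threshold: too tight and slow, low-volume attempts slip through, too loose and the on-call person drowns in alerts for users who mistyped a password.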
If you have a cyber liability policy in place, contact your insurer to assist with the consequences of the attack. A comprehensive, first-party cyber liability policy covers your costs related to the incident, whereas a third-party policy covers the damages suffered by other affected parties. If you don’t have cyber insurance coverage or think you might be underinsured, now may be the right time to change that.
You should also seek advice from your legal team on complying with the laws and regulations related to a cybersecurity attack and how to report the breach. Talk to them about any legal implications that may arise from the incident.
Notify all affected parties
Once you have identified any third parties whose data might have been compromised, make sure to notify them right away. If you are not sure who was affected, it makes sense to notify everyone who could potentially suffer any consequences from the attack.
Issue a public statement and control potential PR fallout
If the extent of the attack was significant and it affected other stakeholders in your company, the public is bound to find out about it. Make sure that you issue a timely statement to the public so that you can get ahead of and control the situation that follows.
Identify the scale of the damage
Beyond simply discovering the attack, during the identification phase, your team will also determine the scale of the damage. This involves assessing which systems, data, and networks have been affected, as well as evaluating the potential impact on your standard business operations. Your response team will analyze how far the attack has spread and pinpoint the affected areas. This allows them to prioritize the systems that need immediate attention. After identifying the scale of the damage, your response team will also be able to provide you with a recovery timeframe.
Trigger the right response
After identifying that an attack has occurred and assessing the damage, you’ll need to make sure you trigger the right response. As mentioned, a cyber response plan is not a one-size-fits-all system; you should have various response plans prepared for different types of cyberattacks. This will help you contain the attack and minimize the damage it causes to your critical systems and data. For example, your response to a ransomware attack would be very different from one following a phishing attempt.
Containment: Contain the affected systems and isolate the threat
This is a crucial step in the incident response plan. During the identification phase, your response team locates the affected areas, and during the containment phase, you will prevent the threat from spreading and wreaking havoc further on your organization. Your containment approach will vary significantly depending on the scale of the breach. Containing a smaller attack may have little impact on your day-to-day operations, while large-scale incidents can have major disruptions.
When it comes to containing a cyber threat, your response plan can be separated into short-term and long-term solutions.
Short-term containment
Short-term containment measures are not meant to be permanent; they are all about minimizing damage as soon as possible. You can think of these solutions as a tourniquet that stops the bleeding (or damage from the cyberattack) while you wait for a more permanent fix.
- Disconnect compromised systems from the network to prevent the attack from spreading to other areas.
- Block any IP addresses, user accounts, or devices suspected to be involved in the attack.
- Restrict remote access to critical systems temporarily to prevent attackers from re-entering the network.
- Set up temporary firewalls or strengthen current settings to block unauthorized access.
- Address any vulnerabilities or software weaknesses (if known).
Long-term containment
Once you’ve stopped the “bleeding” with your short-term solutions, your cyber incident response plan should indicate some more long-term containment strategies. Think of long-term containment like a follow-up surgery after an injury. It’s not just about stopping immediate damage; it’s about repairing all underlying issues.
- Conduct a full security assessment to identify all points of entry and ensure all vulnerabilities are addressed.
- Use continuous monitoring tools to detect any residual threats or unusual activity in the network.
- Ensure that backup and data recovery systems are reliable and regularly tested for future incidents.
- Depending on the nature of the attack, consider adopting advanced threat detection or endpoint protection tools for improved long-term security.
- Install permanent security patches to ensure your business system is functional and protected.
Eradication: Remove all threats from your devices and network
The eradication phase is not necessarily a separate step but something that your response team will do at the same time as the identification and containment phases. This is because as your team identifies and contains the threat, they will also disconnect infected systems, patch software, and essentially get rid of the threat.
This phase essentially ensures that your organization is fully sanitized of the cyber threat. This way, you can move on to the recovery step and get all of your systems and software up and running again.
Here are some important steps to follow during the eradication phase of the cyber incident response plan:
- Patch any software vulnerabilities that may have been exploited during the attack to ensure similar threats can’t reoccur.
- Reset passwords and security tokens for any accounts that may have been compromised during the incident.
- Investigate and understand the origin of the attack to address underlying issues that may not have been detected initially.
- Perform thorough scans of systems and networks to confirm that all traces of the threat have been removed.
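The "unexpected changes to files" sign from the identification phase and the final eradication scan above both come down to one question: does the system still match a known-good state? As an added example (not the article's own code), this Python script builds a SHA-256 manifest of a directory tree, stores it as JSON, and compares a later manifest against that baseline to list every file that was added, modified, or removed. The same comparison serves the recovery phase, since it verifies that a restored backup matches what was backed up. The files and directory names are constructed inside a temporary folder for the example and are placeholders, not real system paths.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as f:
            # Hash in chunks so large files do not have to fit in memory.
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def save_manifest(manifest, dest):
    """Write the baseline as JSON. Keep this copy off the monitored host so a
    compromise of that host cannot rewrite the baseline too."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    """Read a baseline written by save_manifest."""
    return json.loads(Path(src).read_text())


def compare_manifests(baseline, current):
    """Return sorted lists of paths that were added, modified, or removed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: take a baseline, then apply three kinds of change
    and report the difference. Everything lives in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"          # placeholder for a real system root
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin" / "service").write_bytes(b"stub binary")
        (root / "bin" / "helper").write_bytes(b"another stub")

        baseline_file = Path(tmp) / "baseline.json"   # stored outside the tree
        save_manifest(build_manifest(root), baseline_file)

        # Later state: one config edited, one unknown file appeared, one file gone.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "unknown").write_bytes(b"not in baseline")
        (root / "bin" / "helper").unlink()

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The value of the report is only as good as the baseline it is compared to, so take the baseline from a clean build or right after a known-good restore, and treat an empty report from a scan as "nothing changed since the baseline", not as proof that the baseline itself was clean.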
Recovery: Restore your system and network to their pre-incident state
In the aftermath of a cyberattack, your main focus will be to recover lost data and restore your systems so that your company can be fully operational. Your disaster recovery plan is essentially a subset of your incident response plan that focuses specifically on recovering systems after a cyberattack. Once the threat has been fully removed, your team can focus on securely backing up data and attempting to recover any lost or damaged files. Additionally, the recovery phase focuses on strengthening your security system and making changes to the cyber incident response plan to ensure you are better protected against future attacks or breaches.
The recovery phase can take weeks or even months to complete, especially if your company has faced a major data breach.
Lessons learned: Understand what errors were made and what steps need to be taken to curtail future attacks
In the final step of the cyber incident response plan, you’ll analyze the causes of the attack and come up with a plan to prevent another from occurring. According to the Harvard Business Review, human error is behind more than 80% of all cyberattacks. This goes to show that proper employee training, preparation, and improved security systems can significantly reduce the likelihood of your business experiencing an attack.
By this time, you should already have a lot of information about what security areas you need to improve. Use the knowledge you gained during the recovery period to strengthen your policies and further educate your staff. It would also be a good idea to update your response plan accordingly and share your insights with your business network so that your partners can be prepared should they face a similar situation and need to get you involved.
Test and regularly update your response plan
While it’s true that you can’t properly test your incident response plan when there’s no incident, you can create a test environment and try to execute your plan. This will allow you to notice any discrepancies or shortcomings and revise the document accordingly, before you actually need it. You can test your cybersecurity systems with a penetration test, in which an “ethical” hacker will attempt to break into your systems and then provide you with a comprehensive report of any vulnerabilities.
You can also test your cyber incident response plan by gathering your response team and organizing a simulation of a cyberattack. This allows you to work out any kinks in the process and ensure your response team is adequately prepared for any situation.
Depending on the frequency of regulatory changes or major changes inside your company, we recommend revisiting the plan once or twice a year. This ensures that your response plan is always up to date and ready to be implemented when necessary. You should also regularly update your security measures and keep up with the latest security technology and cyber best practices.
Naturally, if a cyberattack occurs, make sure to perform a detailed report to understand what went wrong and what changes you need to make to your plan to protect your company better from future attacks.
Effectively respond to cyberattacks
Your incident response plan should be a living document that you can and should edit and refine regularly. It should also be customized to your type of business. For example, law firms should have a custom incident response plan that is different from that of a tech startup.
Having a proper incident response plan is a necessity in today’s world, as the chances of your company never experiencing a cyberattack are practically slim to none. A cyber response plan and a comprehensive cyber liability insurance policy are your best defense against harmful cyberattacks.