Many of us can relate to the rush of adrenalin and quickening pulse rate we get when we hear a particular notification ping or text message tone. It's the one that signals a production or cyber security problem, and it demands our immediate attention.
While it might not entirely take away the physical reaction, knowing you have an incident response framework in place can be a huge help in minimising those notification jitters.
Preparing for the unexpected
A cyber security incident could mean an interruption to, or a reduction in, the quality of a service provided. It usually indicates that something has gone wrong or a security safeguard may have failed.
It's impossible to predict when these incidents will happen, but we can plan how we'll respond to them.
Taking an organised approach to establish and document the steps that would allow your team to address and manage the consequences of a security breach or cyber attack takes a lot of stress and unknowns out of an incident situation.
Incident response planning is pretty much like an organisation's version of natural hazard preparedness planning. In the same way we're encouraged to have a plan to help us deal with fires or other types of emergencies, we should have an incident response plan for handling unexpected cyber security and other incidents at work.
We chatted to a few friends about their previous experiences of being involved in a security incident at work. In some instances, people were able to look back on these incidents with humour, and maybe just a few swear words, whilst others had recollections about feeling unsupported and alone during a stressful time
No matter what type of organisation a person was working at, or their job function and role in the scenario, there were a few common threads we noticed about incident response planning.
- No one likes being put on the spot to deal with unfamiliar incidents under pressure.
- No matter how prepared you are, there’s no guarantee you’ll never experience an incident.
- It's far better to have at least considered what you’ll do in the case of an incident before it happens than it is to end up scrambling and figuring things out on the fly.
Comparing notes: prepared vs. unprepared
Contrasting the experiences of the people working in organisations with an established incident response plan with those working in organisations with no plan was eye-opening.
Sometimes (but not always), having an incident response plan aligns with an organisation or team's experience and maturity level. Newer teams or organisations just starting out might be less likely to have incident response plans in place.
It's easy to see how this happens. There are so many things happening simultaneously at the start of a new project. We get distracted by a million side missions, and before we know it, we're hurtling along at the speed of light with nothing even resembling an incident response plan in place.
Until whack! Like a bug on a windshield, we run smack bang into the cold, hard reality of an incident.
In these situations, the brutal realisation that a serious incident is happening is often swiftly followed by another, even more unpleasant one: the incident response plan is one sentence long, and that sentence is "Call Robin in IT."
Panic stations and calls for all hands on deck to help fix the situation usually come next. The team has to frantically figure out the best way to restore the affected system or network. Being unfamiliar with accessing backups and getting things back up and running can make this process slow, complicated, and frustrating. And that's assuming backups exist in the first place.
Being faced with this type of situation is stressful for everyone involved.
Organisations that have been around longer may have already faced a few incidents and used them as motivation to put more planning in place. The incident response experience for organisations like this is entirely different from what less established ones typically go through. Some friends noted that their teams did incident response drills once or twice a year, which helped build everyone's comfort and confidence in knowing what to do.
When an incident does crop up, the well-prepared team is ready for it. Each person knows what their role is and can follow the planned steps. Everyone can be flexible where appropriate and work together to mitigate the problem and find a solution.
Pulling it all together
How you initially respond to an incident can minimise or magnify the impact it has on your organisation. Handle it well, and it can fade into a blip in the rearview mirror. Handle it less smoothly, and pretty soon, it can turn into a pit of downtime, lost productivity, and reputational damage. Probably with a side of despair.
Hearing about the different incident response experiences from several teams highlights how important it is to plan how you're going to deal with incidents — well before they happen.
Of course, our first goal is to avoid incidents, but we can't predict the future, and it's impossible to make our lives completely risk-free.
When we do our best to remove opportunities for things to go wrong and put safeguards in place to help stop people from making cyber security errors, we're on the right track to making our organisations safer.
What an incident response plan looks like
If you think incident response plans need to be hundreds of pages long, you can chuck that idea out the window. Go on, you know you want to.
The best incident response plans are clear and easy to follow. They set out the steps a team can follow to handle a cyber security incident while limiting damage and reducing the time and cost to return to normal operations.
Having monitoring in place for our systems is critical — that way, we can be sure we'll be alerted at the first sign of possible trouble.
It's also wise to draw up a matrix that categorises different types of incidents. Incidents can range from those that are small and quickly dealt with to those of epic proportions that require more complex wrangling. It's helpful to identify in advance which is which.
A good incident response plan sets out:
- Guidance on how to determine and declare an incident
- People's roles and responsibilities during the response
- Clear objectives during the incident handling process
- Categories of different types of incidents and how severe they are
- Steps for managing the response from the time an incident is declared to recovery and return to normal
- Measures for maintaining business-as-usual whilst you're addressing an incident
- Internal and external communication plans.
Plan, adapt, and learn
Looking back at incidents to understand why they happened and how they were handled can provide valuable lessons for improving and growing. Using what we learn from incidents to modify and enhance our environments and plans means we can move forward with more peace of mind.
Our best advice is to start small and start today. Jot down a framework and start developing your incident response plan. Just by doing that, you'll already be in a better position to handle the next curveball that comes your way.
And that's where SafeStack Academy's Security Awareness training can help.
Responding to and managing cyber security incidents well is vital, and every person in every team has a part to play.
We explain the benefits of incident response planning and how following a plan will help your team work together to resolve incidents as soon as possible.
Plan, adapt, learn
The next course in our Security Awareness programme is all about incident response for teams. You get to work through an incident scenario and choose the most fitting actions for resolving it.
We'll go through the cyber security learning actions that can help, including:
- Knowing which systems are business-critical
- Writing and storing your plan
- Reporting unusual or suspicious activity, and
- Reviewing incidents after they've happened.
Try it yourself
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us! Drop us a line at firstname.lastname@example.org and let us know what you think.