The importance of incident response plans in protection of data, finances, and reputations

In building a strong cybersecurity program, it’s not enough to just implement preventive measures against attacks. Organizations of all kinds must also have incident response (IR) plans in place for how to detect incidents and how to respond when they occur, from minimizing financial, reputational, and regulatory consequences to notifying all appropriate affected parties. Recent cases have illustrated the potential risks to reputations, finances, and more when an incident is not promptly detected and disclosed, and that you need a plan even when the incident may not directly impact your infrastructure.

Blackbaud, a cloud software provider, discovered in May a ransomware attack that began in early February and exfiltrated financially sensitive data and credentials of individuals who use the software, but didn’t announce the breach until July 16. Customers aren’t happy about the breach and the delays in detection and notification: At least 10 class-action lawsuits have been filed against the company. That’s bad press for not only Blackbaud, but also its customer base which includes educational, charitable, and healthcare organizations who will have to explain the incident to their own students, donors, and other stakeholders.

The COVID-19 crisis is making it more important than ever to assess IR plans and keep them up to date. Employees working remotely may be using their own equipment and wireless access, without the protection of their enterprise firewall or malware controls, and may be unfamiliar with new technologies and processes being used for remote work. (Not to mention that those remote-work platforms face and carry risks of their own; Zoom, for example, has experienced security concerns such as “zoom bombing” and the sale of user account information reportedly obtained through “credential stuffing.”) All of this puts employees (and their organizations) at risk for cyberattacks.

There’s a lot to consider while putting together an IR plan. Fortunately, the National Institute of Standards and Technology (NIST) has developed comprehensive guidance for each step of the “Incident response life cycle,” below. Read on for an overview of key steps and considerations, based on their guidance and our own insights and observations.

PREPARATION

The first step in building a strong IR plan is to determine whether the organization should establish an internal incident response team or outsource the function as part of the larger cybersecurity strategy. Either way, it’s critical to clearly define roles and responsibilities for maintaining and executing the plan, as well as to identify an owner and a clear chain of command. 

In addition, organizations should establish a computer security incident response team (CSIRT) with the necessary experience and technical skills. The responsibility for incident response is not limited to the IT function; an effective IR plan should be developed and promoted across the organization. This will require having relationships and lines of communication in place between the IR team and other groups, both internal (such as legal and public relations departments) and external (such as law enforcement agencies). 

Business, information technology, and information assets, including personally identifiable information (PII) and confidential and proprietary data, should also be formally assessed at this stage and prioritized for criticality to business objectives. Where third parties are involved in collecting, handling, processing, and/or storing sensitive data, take steps to understand, verify, and monitor their IR practices as they relate to your relevant systems and data.

Next, establish the types of events or impacts that will be considered security incidents and will trigger the IR plan, such as unauthorized attempts to access information assets or destruction, loss, or theft of data, devices, or equipment. The IR plan should also establish criteria and processes for notifying customers, partners, donors, regulatory boards, third parties, and law enforcement of security incidents and/or data breaches. 

Once developed, the IR plan should be thoroughly validated and tested ahead of implementation using tabletop exercises and drills. It’s also critical to make sure that the plan works in concert with other policies and plans, such as those for business continuity, disaster recovery, and emergency communications.

Other key considerations: 

• Provide for ongoing employee training and education regarding the IR plan. 
• Make sure that contracts are based on reciprocity and service-level agreements. 
• Involve legal representation, and establish whether attorney-client privilege should be invoked. 
• Proactively and regularly communicate risks and IR plan updates to senior management and the board.

DETECTION AND ANALYSIS

Among detection and analysis capabilities, monitoring of network and system activity is critical to detecting incidents and attacks, both attempted and successful. Implement a security information and event management (SIEM) or other security solution to automate security monitoring, data analysis, and alert notifications when suspicious activity is detected. File integrity monitoring software, for example, can help identify changes in sensitive files. Monitor alerts and review logs for anomalies or suspicious trends or activities performed on applications, memory, operational systems, and network devices.

Other key steps:

• Calmly adhere to and execute the IR plan if a security incident is detected, including timely and accurate internal and external communication about it. (If public disclosure is required or there is a potential for legal action, be sure to involve your legal team right away.) Hastily communicated risks can result in inaccurate or incomplete information that may require future clarification and create confusion or mistrust among customers and stakeholders.

CONTAINMENT, ERADICATION, AND RECOVERY

Containment of an incident will require fast action. Move quickly to disable access for affected computers and user accounts, and change their passwords. Also be sure to capture incident data and the current state for sound forensic analysis – NIST recommendations include “running carefully chosen commands from trusted media” and making full forensic disk images as system snapshots  –  and follow practices that ensure the chain of custody. 

Other key steps: 

• Revoke compromised and suspect user accounts and backdoor access. 
• Move quickly to eradicate malware and patch system vulnerabilities. 
• Validate that networks and systems are fully secure and operating as expected. 
• Use discreet channels of communication during an incident, and avoid channels that may be compromised, such as email, enterprise messaging applications, and VoIP (Voice over Internet Protocol).  

POST-INCIDENT ACTIVITY 

If there is an upside to security breaches, it’s that organizations can review their responses and apply lessons learned to understand known issues and vulnerabilities and improve incident response in the future. Assess the cause and the impact of the attack: Take inventory of what happened, responses, efficacy of the responses, and the results and impact. 

Other key considerations:

• Notify relevant parties as required by applicable laws and regulations if the incident resulted in a breach of sensitive or confidential information. 
• Legal representation should have already been involved by this stage; continue to communicate closely regarding any fallout from the incident. 
• Perform periodic independent assessments after a real incident or test event in order to address issues and vulnerabilities, and strengthen the IR plan.
• Maintain and update the incident response plan as needed, such as when changes in technologies, service providers, personnel, or standards and/or regulations occur. It will also be necessary to update the IR plan when risks, risk appetites, and/or recovery objectives change.

NEXT STEPS

The actions outlined above should put your organization on a good track to develop a strong IR plan. Once you have one, be sure to test it regularly: Consider scheduling a quarterly test of processes and procedures. And don’t stop at your own plans; work with third-party partners and vendors to manage security, stress the importance of carefully vetting one another’s cybersecurity capabilities, and establish communication protocols to be used in the event of a suspected or actual breach.

For more information, read the NIST’s full Computer Security Incident Handling Guide, or contact our team.