Incident response: planning for when things go wrong
Sometimes things go wrong and a security incident will rear its ugly head. It's good to be prepared for this kind of event. You'll need a clear plan to help you navigate through what could be a stressful time.
What to do after you identify a security incident
1. Call in reinforcements
As a small or medium business, you might not have internal IT expertise. Even if you're an IT expert yourself, during an incident you'll have to stay focused on your business, while others focus on the incident.
Prepare a contact list of people who can help you after you identify a security incident. Your contacts should be able to help you make technical, legal, and business decisions. They may also be able to help you resolve the situation. Your contact list should include:
- your IT service provider or IT support consultant
- any third parties that you share data or systems with, and
- a public relations firm.
TIP: Make sure the people on your contacts list know that they're on it. Have a discussion with each of them to talk through:
- what your incident plan is
- who else is involved
- what scenarios you're likely to find yourself in if there's an incident
- where they'll need to provide help.
This could result in new or modified service contracts with these providers.
TIP: If you don’t have one or more of these contact types on your list, now's the time to look for one. It's important to have contacts on hand who are already aware of your business — it's much easier than trying to find help during an incident.
The NZ Law Society can help you find a lawyer in your area, and the Public Relations Institute of New Zealand (PRINZ) can help you choose a public relations advisor.
2. Tell your staff
When you’re faced with an incident and need to send communications out to the public — or worse, you find out that they knew about it before you — you need to talk to your staff. They’re your front line for the incoming wave of customer questions, concerns, and statements. They need to be aware of the incident and know how to react to it.
Prepare a guide detailing your company’s incident plan and your key contacts, and share it with your staff. The guide should tell them:
- who to get their incident information from
- what they can or can't say during an incident
- where to direct customers or the public so they can raise their questions and concerns as quickly as possible.
TIP: Sometimes an incident doesn’t come from an external source. If your staff notice something that should be considered a security incident, they should be aware of the incident plan and know who they can report it to.
3. Break the news to your clients
The hardest part of an incident will be preparing and sharing communications with your clients. Once you know some details about the incident, you may have to disclose it to your customers. Depending on what the incident is, you may want to disclose it even if you don't have to.
TIP: You and your lawyer need to decide who you’re legally obliged to contact about an incident. You’ll also need to decide who you’re morally obliged to contact. Your communications or public relations firm can help you decide when and how to do so.
Prepare a communications plan that will reach your customers:
- privately, by phone, email, or letter
- through the media, by putting out a press release, for example
- via your website or social media accounts.
Keep in mind that once you notify customers privately, the incident will probably go public. It’s good to have some prepared statements for hypothetical and likely situations.
4. Operate your business as usual under unusual circumstances
During an incident, as the business owner you'll need to try to operate as normal. Understand what your key business processes are: how does your business operate day to day, and which of those activities depend on IT and other systems?
Think about how your business could continue to operate if your IT systems were:
- under the control of an attacker.
Consider common business-critical systems like email or your key operations software. Have some alternative business processes for staff to follow if your IT systems are unavailable or compromised. Your staff can follow these processes (if they're not handling incident-critical tasks) while the incident is being resolved. This means that your business can continue to operate, even in a limited capacity, while you get the incident under control.
TIP: Identify these key business processes as part of, or alongside, a business continuity plan. These plans will allow you to remain resilient, even when faced with an incident.
5. Reflect on the storm you weathered
When you and your business have withstood the storm and are on the other side of an incident, it’s important to reflect on:
- how it happened
- how well it was handled.
Reflect on the incident with the people who helped you handle and resolve it. It’s important to discuss it as a group so you can take steps to:
- prevent this kind of incident from happening again
- decrease the time between when an incident happens and when you identify it
- make changes to any incident handling plans.
These meetings are a great opportunity to highlight 'what went well' when everything seemed to be going wrong. Make sure to cover both the good stuff and the not-so-good stuff.
TIP: Mistakes happen and can cause incidents unintentionally. It’s important to identify when a mistake is the cause of an incident, so you can try to prevent it happening again. Make sure that the mistake is not the focus of your discussion. Discussions should be productive, not about assigning blame.
Key points to consider
- Even if you outsource your IT support, incidents are still your problem. There are several roles in incident management that are not technical or IT-focused. Business owners play a key role in making sure the business survives and in protecting your data and intellectual property.
- Just like preparing for an earthquake, you need to plan ahead for an incident. These situations can be stressful and full of unknowns — having a plan is like having a map to help you navigate. Planning before an incident enables your team to respond quickly and improves your resilience.
- This guide is intended to help you understand how to handle an incident that is known and reported. But what about the incidents you don't know about because they have not been detected? As part of discussing incident response with your key contacts and IT support, you should discuss your current capabilities for detecting incidents.