Creating an incident response plan
As a business you’ll know the importance of online systems in running your day-to-day operations, that’s why it’s important to have a plan prepared in case something goes wrong.
Having a step-by-step plan in place before a cyber security incident occurs will help you take control of the situation, navigate your way through and reduce the impact on your business.
We’ve outlined some simple steps to help you evaluate how an incident could affect your business and what you’ll need to consider when putting an incident response plan in place.
1. Get the basics right
While your plan will be dependent on the size, scale and operation of your business, there are some standard elements to consider that will help in recovery.
How you want to document or format your plan is up to you. What’s most important is that:
- it’s written down in hard copy and everyone knows where it is
- it’s easy to access
- it’s short and clear enough to read quickly and easily
- staff are familiar with it before they need to use it.
It’s likely that people who need to use the plan, will need to do so quickly so it’s important that the language is clear and simple, and the steps are easy to follow.
2. Understand what might put your business at risk
There are many possible cyber security scenarios your business could face and creating a plan to deal with them can feel like a difficult task. Take some time to go through a cyber security risk assessment for your business. This process will help you identify the types of incidents your business is at risk of and will also provide mitigations to put in place to reduce the likelihood of the incident happening in the first place.
Focus on these scenarios when creating your incident response plan, so it’s relevant for your situation.
Creating your incident response plan
3. Identify and report an incident when it occurs
A cyber security incident is not always obvious right away. This first step of your plan is to outline a process to help your staff identify and report suspicious or unusual activity that might indicate a cyber security incident has occurred. It should clearly tell them what you want them to do if they suspect an incident has occurred, and who they should report it to.
For example, if you run an online retail store and one of your employees notices suspicious activity on the website, like unusual images displaying or a problem with the payment portal, your process might be that they report this to the manager. The manager then contacts technical support and reports the incident to CERT NZ. It’s important to be clear on this process so that no time is wasted in resolving the incident.
Also in this section of your plan, include what you’d like staff members to do if they receive a report from a customer about something unusual on your website or with a software product.
Depending on the type of business you run, make it easy for customers to let you know if they notice something unusual on your website. Provide a contact email they can send their concern to that’s monitored by the person in your business who is best placed to respond to IT queries.
Once the staff member has notified the manager or IT person, they’ll need to verify:
- whether an incident has occurred, and
- the scale and size of incident and response needed.
4. Determine the incident scale and response required
Different types of incidents will need different responses. In this step of your plan, outline the process you’ll follow to identify the scale of the incident and its potential impact. Being able to identify this early on will help you establish the level of response you will need, the size of the team you’ll need, and what external help you may need to call in.
For example, if a staff member clicks on a link in an email that downloads malware onto their computer, you’ll need IT help to remove it from that computer, and confirm it’s been removed and hasn’t spread to other computers in your business.
Hopefully, it’s a small issue that can be resolved by your IT provider within a day or two, but it could be a larger incident. For example, your customer database is breached and your customers’ personally identifying data appears on the internet.
Consider making a couple of response plans – one for a small incident and one for a larger incident – that way, whoever’s in charge at the time of the incident can reach for the right plan. You can always scale the plan up or down as more information comes to hand, but this section outlines which plan will be your starting point.
5. Establish roles and responsibilities
Knowing who does what in an incident will save time, avoid confusion, and provide staff with a clear idea of what they need to do. Depending on the size of your team, some staff may take on more than one role. In this step of your plan, you’ll need to assign people to the following roles before an incident occurs:
- Coordinating the response: This role leads the incident and takes responsibility for the decision making. The response might require a lot of coordinating and decision making, so the person leading the response shouldn’t be the ‘hands on’ technical person, particularly for a larger incident.
- Investigating the incident: This role has the technical expertise to investigate the issue, contain it and then take measures to prevent it happening again. If it’s particularly complex issue, several people might need to be involved in investigation.
- Communicating to staff: This role is responsible for keeping people up-to-date as the incident progresses. They’ll need to organise regular progress updates to make sure everyone knows what’s happening and what the next steps are. Scheduled progress updates will help everyone keep focused on the task at hand. Any important info should still be shared outside of those times.
- Communicating to stakeholders: This role manages the external communications process – preparing messages to affected customers and shareholders, and possibly a media response. In a larger incident, you may want to call in help from an external communications specialist.
- Managing business as usual: Your business will still need to operate, even if your IT systems are unavailable, or under the control of an attacker. This role makes sure the correct processes are followed that will keep the business functioning as much as possible, and will lessen the impact of the incident.
Make sure staff know about their assigned role and what their responsibilities are – that way they’ll be prepared and know what to do if an issue occurs.
In a small incident many of these responsibilities may be done internally by your IT person and a business manager. In a larger response incident, you may need to use external help to cover the same responsibilities. It’s important to identify who you can call on to fill these roles ahead of time.
If you don’t have an IT service provider and are unsure on what kind of cyber security support and services your business needs, follow our guide to choosing an IT service provider.
6. Maintaining business as usual
Consider what your ‘business critical’ systems are – like email or key operational software. for this step of your plan, develop alternative business processes staff can follow if your IT systems are unavailable or compromised while the incident is being resolved. This means your business can continue to operate, even in a limited capacity, while you get the incident under control.
Identify these key business processes as part of, or alongside, a business continuity plan. These plans will allow you to remain resilient, even when faced with an incident.
For example, if you run a construction company and can’t access your emails, you might not be able to process invoices, confirm orders and communicate with some customers. Your operational processes will be limited and some services, orders and payments will be delayed, which may impact some customers and suppliers. While you deal with the incident, you might want someone else making sure the construction crew are organised and have what they need to continue with their work.
7. Create a contact list
Having names and numbers on hand, will help with a faster response. In this step of your plan, create a contact list of internal and external people who can help you in response and recovery. Go back over your plan and make sure the details of all the people and services mentioned are included on your contact list.
Your contact list would likely include your:
- IT service provider
- banking services
- website host
If your plan involves external support, chat with them while you are developing the plan about the level of support they can provide and time for resolving. You might have vendors to consider as well as your general IT support.
8. Communicating the incident
An incident response plan should cover more than how to resolve the technical issue itself. Once the incident and scale has been identified, you’ll need to communicate this with staff and any affected parties. This step of your plan should include what and how you’ll share this information.
Clearly outline for staff:
- where they will get incident information from
- what they can or can’t say publicly during an incident
- where they should point customers or the public to so they can report their questions and concerns as quickly as possible.
It’s important to have clear and consistent messaging to make sure all staff are on the same page. If you have a large team, you may consider a staff briefing.
If the incident takes more than a day to resolve, remember to keep everyone updated. Many people in debrief meetings mention wanting more updates.
9. Managing the response
Now you’ve planned how to identify, scope and communicate the incident and established the team you need to respond, it’s time to think about what you’ll need as you handle the incident. In this step of your plan, create a list that covers these requirements and any details on how to make sure they’ll readily available. Your list might include:
- resources you’ll need
- a method to quickly approve any expenditure
- after-hours access for staff and external support
- a quiet place to work, particularly for sensitive issues.
Alongside your incident response plan, it’s a good idea to have the response process outlined.
Report any cyber security issues you have to CERT NZ, even if you have it under control. They’re a great second pair of ears, they can confirm you’re on the right track and point out any other tips to prevent it happening again. There might be other businesses with the same issue – CERT NZ can identify this and alert others before they get hit by the issue too.
10. Keep an incident record
During the response, or soon after, it’s a good idea to record when and how things happen, and what decisions are made. In this step of your plan, pre-prepare an incident record document. This could simply be a table where times, actions and decisions are recorded. You may want to assign the incident record keeping to someone in the incident response team.
Having a record will be useful for lessons learned, any insurance claims and/or external investigations. Plus, it’s usually easier doing it at the time than trying to remember and record later.
11. Lessons learned
Every incident is different, and new things are always learned. In this step of your plan, make sure you include a debrief meeting. Plan the meeting to take place after the incident has settled with the key people involved to determine what happened, what went well, and what could be improved.
Set aside some time post-incident to update your incident response plan with any lessons learned from the debrief meeting. You may also want to make changes to your day-to-day systems and processes too.
Practice makes perfect
To get the most out of your incident response plan, set some time aside to talk your staff through the plan and get them on board so everyone knows what to do if an incident occurs.
It’s also a good idea to run through a practice scenario every six months to make sure you’ve recorded any updates to your contact list, roles or policies