Building an effective incident response plan: a comprehensive guide

The latest report from the Australian Signals Directorate (ASD) found that cyber crime reports increased by 23% in FY 2023, with 94,000 incidents reported. On average, that’s one report every six minutes. Your business cannot be without an incident response plan in this current environment and should be prepared to experience a breach at some point. This is not just a scaremongering tactic; when building an incident response plan, assuming a breach places you in the right mindset to act and prepare your business.?

Best practice frameworks also emphasise the need for an incident response plan, with the NIST Cybersecurity Framework including 2 of 5 categories that focus on responding and recovering from an incident.

An effective incident response plan helps your organisation manage the impacts of a breach, recover from it and continue operations with minimal disruption. In this blog, I have covered the key points to understand when building an incident response plan and what the process covers.

Discovering that a threat actor has breached your environment

The time taken to identify a breach will vary depending on the type of attack and how you discover it. For example, between July and December 2023, it took up to 10 days for 61% of Australian organisations to discover malicious or criminal attacks. These were likely attacks where the threat actors made themselves known. Breaches that use covert approaches can take longer to find.

Your organisation will likely discover a breach in one of three ways:

Scenario 1: A threat actor notifies you that they have compromised your organisation, typically after stealing your data. For example, they leave you a ransom note demanding payment and using the stolen information as leverage.

Scenario 2: An accidental discovery where internal IT staff or external providers notice anomalies suggesting unauthorised access, such as unknown user accounts or suspicious administrative activities. A team member will likely discover an issue during routine checks or from alerts triggered by abnormal system behaviours.

Scenario 3: This is the ideal scenario where your security team detects something via continuous monitoring. Early detection reduces the impact of a breach and makes it easier to contain and remove the breach.

Time taken to identify data breaches by breach type – July to December 2023

Questions that incident response planning should address

Your incident response plan must include processes to address the following questions:

• What do we do? Define the people responsible for executing the incident response plan and understand precisely how you will react.
• What data did the threat actor steal? Determine the data compromised to assess the breach’s severity.
• Who do we notify? Your incident response plan should specify the people you must notify, such as internal stakeholders, customers, partners and regulatory bodies. You will also need to notify your cyber insurance provider.
• How did a threat actor breach our business? Your organisation must undergo a thorough investigation to trace the attackers’ steps and identify exploited vulnerabilities to prevent future incidents.

Preparing for the direct and hidden costs of an incident

Known costs are the direct, immediate expenses that arise following a cyber incident. Even with cyber insurance, you do not have all the costs covered. Your insurer or Security Operations Centre (SOC) may cover the costs of conducting forensic investigations and restoring systems to operational states. Cyber insurers typically do not cover the cost of ransom payments.

Hidden costs, while not immediately apparent, can be substantial and long-term. A data breach erodes customer confidence and deters potential clients, negatively impacting future business opportunities and revenue streams. Staff attrition is another hidden cost following an incident. While the hidden costs will arise regardless of your preparedness, an incident response plan can help you respond quickly and potentially reduce their severity.

Notifying relevant parties of the data breach

Your organisation may need to notify your cyber insurance provider and anyone affected.

Notifying your cyber insurance provider

In most cases, you must notify your cyber insurer immediately after identifying a breach. Failing to notify your insurer can compromise your coverage, with many policies stating that you must inform them of any incidents. Many businesses hesitate to notify their insurer due to fears of premium increases; however, these typically only occur if the notification results in a claim and will depend on the breach’s severity and impact, as assessed by the insurer.

The Notifiable Data Breaches (NDB) scheme

The NDB scheme mandates that organisations experiencing a breach must notify affected individuals if the breach could result in serious harm. Notifiable breaches include unauthorised access and disclosure or loss of personal information. An organisation should assess the breach’s severity, determine the type of data stolen and inform those affected.

How your business can prepare for a cyber incident

Understand the assets and data that need protecting:

1. Identify critical assets such as computers, servers, intellectual property and customer information.
2. Conduct risk assessments to understand the potential impact if a threat actor compromises these assets.
3. Develop appropriate mitigation strategies to handle identified risks.

Monitoring your systems:?

1. Implement monitoring tools that alert relevant people to unauthorised access or system anomalies.
2. Keep detailed logs of incidents and system activities to support real-time analysis and facilitate continuous improvements in security measures and response strategies.
3. Establish a Security Operations (SoC) team responsible for managing these alerts and overseeing system security.?

Restoring business-as-usual:

1. Develop clear protocols for notifying internal management, affected customers, partners, and regulatory bodies to manage reputational risk and avoid penalties.?
2. Formulate a comprehensive system restoration plan that includes data recovery and necessary software reconfigurations.
3. Regularly update the incident response plan with new insights and evolving threats to minimise downtime and ensure business continuity post-incident.

Conclusion

Your organisation needs an incident response plan to recognise and respond to threats to minimise damage. By preparing effectively and responding quickly, your organisation can significantly reduce the costs of cyber incidents, preserving business continuity, customer trust, and overall organisational resilience.

RODIN can develop and test your incident response plan

At RODIN, we take a proactive approach to cyber security. Our specialists develop and measure the effectiveness of your incident response plan to ensure your organisation can meet ever-changing threats. Even after developing the strategy, we consistently re-evaluate the plan to ensure your business stays ahead. Visit our Cyber Security Services page to start your journey.