How to Create An Incident Response Plan
As cyberattacks on small businesses continue to rise, retailers, distributors, and manufacturers need to have a strategy to protect sensitive data and keep operations running should a breach occur. Here’s how to develop a winning cyber defense plan.
By Todd Smith
Conducting business digitally is the key to future success, but it also leaves small businesses more vulnerable to cyberattacks as enterprises store more data in the Cloud and sensitive information is shared more widely via the Internet. Astra IT, Inc., a platform that identifies and manages web, API, and Cloud vulnerabilities, notes that small businesses now account for 43 percent of cyberattacks annually; nearly half of those attacks are made on businesses with 1,000 or fewer employees. And while the cost to small business owners due to cyberattacks averaged only $25,000, many businesses paid much more. More concerning is that these attacks are continuing to climb.
Cybersecurity company CrowdStrike cites data released from the 2023 Internet Crime Report that says, “the latest figures released by the FBI’s Internet Crime Complaint Center (IC3) reveals that the total number of cyberattack complaints within the U.S. alone reached 880,418—a 10 percent increase compared to the previous year. The data also shows that estimated losses from reported attacks exceeded $12.5 billion USD—up more than 22 percent year over year.”
Fortunately, you can take steps today to harden your company’s cybersecurity defenses, many of which are low cost. The first is creating an Incident Response Plan (IRP). This plan should establish guidelines for how to reduce the chance of an attack; how to respond should a security breach occur; and what to do after an attack has happened.
Establishing an IRP is important because it can help limit how long your business may be interrupted while minimizing damage. Other benefits include clearly identifying key stakeholders so employees know exactly who to turn to in an emergency; aiding in the digital forensic process to track down where the problem occurred and who the perpetrator might be; and minimizing negative publicity and reputational damage.
If you’re attacked, your email, chats, and database may be inaccessible. This is why IRPs should always be widely distributed in writing and reviewed regularly so employees know what to do. Think of your IRP as a “living document” that can be amended and updated as technologies advance and the threat landscape evolves.
Plan Now
The World Economic Forum notes that 95 percent of cybersecurity breaches are attributed to human error. Limiting employee access to sensitive data, changing passwords frequently, using two-step authentication, firewalling your network, and storing sensitive data separately are low-cost steps you can take right now to bolster your cyber defenses and reduce human error.
Regular training sessions that educate employees on how to avoid opening the door to cybercriminals are another inexpensive way to beef up network security. Training staff members properly with regular refreshers will soon have them instinctively asking, “Is that email from a customer or vendor requesting network access or security information legitimate, or is it a bad actor phishing for a way to attack our network? Is that file I’m about to drop on the server from an outside source malware free?” Creating a culture of security and rewarding those who put their hand up to identify a suspicious file or email—even if it turns out to be a false alarm—will greatly increase your defensive posture.
Establishing a relationship with an outside cybersecurity firm is another simple step to take before something happens. These experts can be invaluable in stress testing your system and helping you conduct a proper IT risk assessment. You’ll also feel better knowing that a trained team of professionals has your back should a breach occur. The NSSF offers an excellent FFL Risk & Security assessment program specifically tailored to those in the firearms industry. (nssf.org/retailers/ffl-risk-security-assessment)
Plans should also be reviewed by your legal counsel because they may have specific requirements that you’ll want to incorporate into your plan. Establishing point people so that everyone knows how the reporting structure works in the event of an attack is critical. This should include a list of key people to contact, which might involve your executive team, local law enforcement, shareholders, board members, bankers and investors, key partners or customers, and the outside security firm that can help you manage through a breach.
Trying to draft a response when all the red lights are flashing is not smart, so have a generic press release ready that can be easily adapted should a breach occur. Professional sports teams practice constantly. You should too. Conduct mock attacks regularly and see how your IRP (and your team) works. And be sure to solicit feedback from all of your team members afterward so that weak points can be identified and addressed.
What To Do If You’re Breached
In today’s digital landscape, breaches are inevitable. The steps you take now to lessen the impact, however, can save you money, time, and minimize damage to your professional reputation. This is when having an IRP can be a lifesaver.
Four key steps to take are:
1) Identify which systems are affected. This is where keeping critical data separated from your mainstream network pays off, whether physically (with sensitive information residing on a separate server or backed up offsite) or via firewalls that divide your network into segments. This is another example of where working with a professional cybersecurity partner can pay big dividends in tracking down where the problem lies.
2) Contain the attack. Disabling or shutting down the affected devices is important. You may also need to close portions of your network. You’ll need to weigh these decisions against how this will affect the continuity of your business.
3) Address the problem. Are there specific devices that are infected with malware or are there files that need to be scrubbed? Can you take these devices offline so you can get operations moving again? Has any of your core business data been compromised? Again, your cybersecurity partner can be a huge help in isolating the problem and getting you back up and running again.
4) Restore operations. Before you bring your network back online, be sure that everything is carefully documented so that you can safeguard any evidence for further investigation while also providing a solid reference to shore up any areas of weakness. Establishing a solid chain of evidence will also send a strong signal to auditors that you have taken this incident very seriously and that you’re doing your level best to avoid data breaches of any kind in the future.
Equally important is creating a timeline of when and where the incident began, how you dealt with the problem, and when you resumed operations so you can be better prepared for future incidents.
The Day After
Sitting down with your incident response team for a thorough post-mortem is paramount, and it should be done in an open and forthright way without finger-pointing. Survey your staff: what went right, what went wrong, and what areas of weakness need to be addressed to avoid attacks in the future?
Cybersecurity firm ioSENTRIX has a great blog devoted to creating a solid incident response plan. As part of the post-mortem exercise, they recommend that the point person on your incident response team relay the following information to your staff: incident timeline; response metrics, including mean time to discovery (MTTD) and mean time to repair (MTTR); impacts on data, systems, business operations, customers, and employees; and containment and remediation actions taken.
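The four response steps above, the incident timeline, the chain of evidence, and the post-mortem metrics (MTTD and MTTR) can all be kept in one simple record. The following script is an added example written for this article; it is not code from the article, from ioSENTRIX, or from any of the listed resources. The incident names, timestamps, host names, and artifact contents are constructed for illustration. It assumes MTTD is measured from the start of the compromise to its detection, and MTTR from detection to restored operations; organizations define these windows differently, so adjust the phase names to match your own plan.

```python
"""Incident timeline, evidence log, and response metrics (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean
import hashlib


@dataclass
class Event:
    when: datetime
    phase: str  # started, detected, contained, eradicated, restored
    note: str


@dataclass
class EvidenceEntry:
    when: datetime
    handler: str
    label: str
    sha256: str  # fingerprint recorded at collection time for chain of custody


@dataclass
class Incident:
    name: str
    events: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    def log(self, when: str, phase: str, note: str) -> None:
        """Record one timeline entry (ISO-8601 timestamp) and keep order by time."""
        self.events.append(Event(datetime.fromisoformat(when), phase, note))
        self.events.sort(key=lambda e: e.when)

    def preserve(self, when: str, handler: str, label: str, data: bytes) -> EvidenceEntry:
        """Log who collected an artifact, when, and its SHA-256 so later tampering is detectable."""
        entry = EvidenceEntry(datetime.fromisoformat(when), handler, label,
                              hashlib.sha256(data).hexdigest())
        self.evidence.append(entry)
        return entry

    def _first(self, phase: str) -> datetime:
        for e in self.events:
            if e.phase == phase:
                return e.when
        raise ValueError(f"{self.name}: no '{phase}' event recorded")

    def time_to_detect_hours(self) -> float:
        return (self._first("detected") - self._first("started")).total_seconds() / 3600

    def time_to_repair_hours(self) -> float:
        return (self._first("restored") - self._first("detected")).total_seconds() / 3600

    def timeline(self) -> list:
        """Human-readable timeline for the post-mortem briefing."""
        return [f"{e.when.isoformat()}  {e.phase:<10} {e.note}" for e in self.events]


def verify_evidence(entry: EvidenceEntry, data: bytes) -> bool:
    """True if the artifact still matches the hash recorded when it was preserved."""
    return hashlib.sha256(data).hexdigest() == entry.sha256


def response_metrics(incidents: list) -> dict:
    """Mean time to detect and mean time to repair, in hours, across incidents."""
    return {
        "mttd_hours": mean(i.time_to_detect_hours() for i in incidents),
        "mttr_hours": mean(i.time_to_repair_hours() for i in incidents),
    }


# Constructed sample data: two hypothetical incidents following the four steps.
SAMPLE_ARTIFACT = b"constructed contents of a quarantined file (not real malware)"


def build_sample_incidents() -> list:
    a = Incident("INC-001 (constructed)")
    a.log("2024-03-04T08:12:00", "started", "Phishing attachment opened on WS-07 (root cause)")
    a.log("2024-03-04T14:30:00", "detected", "Endpoint alert: unknown binary running on WS-07")
    a.log("2024-03-04T14:45:00", "contained", "WS-07 isolated; POS segment firewalled off")
    a.log("2024-03-04T17:20:00", "eradicated", "WS-07 reimaged from known-good image")
    a.log("2024-03-05T09:00:00", "restored", "WS-07 back in service; operations resumed")
    a.preserve("2024-03-04T15:00:00", "J. Doe (IT)", "quarantined file from WS-07", SAMPLE_ARTIFACT)

    b = Incident("INC-002 (constructed)")
    b.log("2024-05-10T22:00:00", "started", "Credential reuse against remote-access portal")
    b.log("2024-05-11T07:00:00", "detected", "Login from unfamiliar location flagged in review")
    b.log("2024-05-11T07:30:00", "contained", "Account disabled; portal access restricted")
    b.log("2024-05-11T13:00:00", "restored", "Password reset, MFA enforced, access re-enabled")
    return [a, b]


if __name__ == "__main__":
    incidents = build_sample_incidents()
    for inc in incidents:
        print(inc.name)
        print("\n".join(inc.timeline()))
    print(response_metrics(incidents))
```

Run it as-is to see the two constructed timelines and the resulting MTTD and MTTR; the figures it prints are the "response metrics" a point person would carry into the post-mortem, and `verify_evidence` is the check an auditor or investigator can repeat against the preserved artifact.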
Hopefully, you’ll never have to experience a cyberattack, but knowing you’ve done all you can to prepare for the possibility and having a clear game plan for what to do should a data breach occur will provide peace of mind for you, your customers, and your employees.
Creating an Incident Response Plan
Creating an IRP takes time and thoughtful consideration. Here are some excellent resources that can help.
The Cybersecurity & Infrastructure Security Agency: cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf
The National Institute of Standards & Technology: csrc.nist.gov/pubs/sp/800/61/r3/final
The Federal Trade Commission: ftc.gov/business-guidance/resources/data-breach-response-guide-business
Hyperproof: hyperproof.io/resource/cybersecurity-incident-response-plan/
OPSWAT: static.opswat.com/uploads/banner-images/SolutionBrief_IncidentResponse_LTR_EN.pdf