Building an Incident Response Plan: How Will You Respond to a Cyber Attack?

Kroll’s latest Global Fraud and Risk Report survey revealed that, while 85% of respondents said they had suffered a cyber attack in the last year, the adoption of internal cyber security policies and procedures to combat the risk is shockingly low. Only 36% of executives surveyed said their company has implemented internal policies and procedures and has plans to expand. An additional 38% have implemented such policies and procedures, but they have no plans to expand. 25% have not implemented internal policies and procedures at all.

Policies and procedures are important because they are an organization’s articulation of what it expects from its employees. Having them in place means employees have somewhere to look for guidance on what they should (and should not) be doing. For example, what information can they share on social media? What should they do if they receive a phishing email or notice suspicious network activity?

Kroll’s findings are supported by a September 2016 report from Lloyds of London on cyber risk, which reported that 92% of European companies have been breached in the last five years, but only 42% were worried about it happening again. Earlier this year, the UK Government Cyber Security Breaches survey found that 69% of UK businesses say cyber security is a high priority, but far less consider it an actionable priority. Only 29% had written cyber security policies, and a mere 10% had an incident response plan (IRP).

IRPs are a crucial component of the fight against cyber crime. They are a company’s first port of call in the event of an attack. The good news is that building one that includes both internal and external players and their various roles does not have to be an arduous task.

Companies should consider building seven important steps into their IRPs:

1. Determine authority to call an incident 
   Designate an individual who has the authority to declare an incident, invoke the IRP, and convene the response team.
2. Assign team responsibilities
   Clearly outline all team roles in the plan so that if an incident occurs, it makes tough decisions easier to make. Choose external advisers in advance and include them in the response and recovery plan. Having to build those important trust relationships for the first time during a crisis is not ideal.
3. Establish communication procedures and responsibilities
   Determine who will deal with external and internal stakeholders and how the information will flow. For example, where will the team meet? In a breach situation, it is important to establish the timeline of the incident and know the scale of the breach before setting the strategic communications plan in motion in motion. Overestimating the scale of the damage could lead to unnecessary panic. Underestimating it might cause additional harm, for example if passwords are not changed before criminals gain access to accounts. In both cases, rushing to make inaccurate statements is likely to have severe repercussions.
4. Gather pertinent information in advance
   Where possible, compiling critical information before an incident is very helpful. Basic details such as the contact numbers of all incident response team members are critical, as incidents often happen outside of business hours.
5. Outline the process
   Teams naturally want to solve the problem when they find it. However, this “dwell” time can be hurtful to an organization and impede the process. We suggest that all the steps—from when the team is convened to the escalation point—are clearly outlined as a robust process. It is important for IT and security teams to know the process by heart.
6. Review and test the plan
   We recommend quarterly reviews and updating as needed. These are good opportunities to update the contact numbers and pay attention to changes in technology or policies that might affect the IRP.

Having an IRP in which all critical stakeholders understand the lifecycle of an incident and have rehearsed it at all levels of the business, including the boardroom, goes a long way towards being prepared to mitigate the damage of an attack.

Learn more about fraud and risk statistics and trends -- as well as innovative risk management strategies and best practices -- in Kroll’s annual Global Fraud & Risk Report 2016/17.