301.519.9237 exdirector@nesaus.org

12.10.18 – CI –

Incident Response Plans are the most valuable asset to have in the event of a data breach. Having a good one will earn the trust of clients, too.

Cyber crime is on the rise. Data breach and cyber attack incidents have become more diverse and numerous, and their impact more damaging and disruptive. It feels like every other day, there is news of a large corporation getting hacked and/or losing some of your personal data. It is not a matter of “if” you will be impacted, but “when”.

This is why it is so important for corporations and organizations to have a cyber security AV policy in place, along with an Incident Response Plan (IRP), and the right team of people who know how to react appropriately, often called the Incident Response Team (IRT).

Once a threat is detected, the IRP acts as a road map, allowing the IRT to take a systematic approach to solving the problem, documenting everything along the way, and minimizing human error.

This reduces losses and downtime after a data breach. The other big advantage is that, following an incident, evidence that the cyber security policy, including IRP and IRT, were in place will be useful should the attack lead to legal proceedings.

Ignorance is no excuse when it comes to cyber security.

Negligence can result in costly fines, lawsuits, and/or time in prison, all of which can negatively impact a company’s reputation.

There are many variations, but the best Incident Response Plans typically include the following steps:

1. Analysis

Is it a false positive? The IRT should review the logs for vulnerability tests or other abnormalities. What systems have been attacked? What stage of the attack? What is the origin?

2. Containment

Provides time to determine the next steps, while limiting the spread, and the impact. Your team should isolate the system if possible and make a backup for forensic investigation.

3. Communication

Alert everyone on the Incident Response Team including IT, HR, Legal, Operations and Management representatives.

Should law enforcement/FBI be contacted? Experts like FireEye? Third party vendors? Industry peers? How soon should you alert the public?

The laws vary by state in the US. In the EU, the GDPR says within 72 hours.

Your IRP should include a detailed cyber crisis communication plan, detailing who should be contacted in case of an attack, what message that will be conveyed to them, and who has the authority to communicate on behalf of the organization.

4. Eradication

Scan all systems for malware. Isolate and disable all accounts and components that have been compromised. Remove access to systems by suspect employee logins. Change passwords, apply patches, and reconfigure firewalls.

5. Recovery

This can take a while, so you need to prioritize what systems are most critical to resume functionality

6. Post-event analysis

What was the dwell time? (time from data breach to recovery) Are changes to policies, procedures, or equipment in order? How effective was the incident response plan? Then, test the revised IRP using simulated attack.

In conjunction with having an incident response plan, organizations need to provide adequate cyber awareness training to all employees, not only explicitly telling everyone what to do, but what not to do, in the event of a data breach or cyber-attack.

Setting guidelines for communicating with outside parties regarding incidents is key. You don’t want someone in your organization tweeting “WE ARE GETTING HACKED!!!”, followed by a dozen hashtags, do you?

About the Author


Paul Konikowski, CTS-D, is a Consultant at Command Systems Group, LLC. [hyperlink to www.commsystemsgroup.com ] where he currently designs and coordinates audiovisual installations for military bases. Paul earned his Bachelor of Science in Computer Engineering from the Georgia Institute of Technology (Georgia Tech). He can be reached via Twitter at @PKaudiovisual or via email, pkav.info@gmail.com