Shaping Up Your Incident Response Plan – 5 Quick Wins


This article has been updated to reflect more recent data breach statistics.

The IBM Cost of a Data Breach Report 2023 revealed that the average total cost of a breach soared to $4.45 million, an increase of 15.3% from $3.86 million in the 2020 report.

The report also found that having an Incident Response (IR) team and an Incident Response Plan (IRP) that was regularly tested led to significant cost savings in the event of a breach. Organizations that had an incident response team and regularly tested their plan identified breaches 54 days faster than those with neither. This statistic should help security teams validate the cost savings and effectiveness of IR capabilities.

As you review your organization’s incident response plan, below are five key items that CampusGuard often finds lacking during facilitated tabletop exercises:

  1. Awareness and Access to the Incident Response Plan

    Most organizations develop an incident response plan at some point, but how often is it reviewed and updated? And do all pertinent staff know where to find it? It is important for all key team members, as well as executive leadership, to become familiar with the incident response plan and understand their individual roles and responsibilities. The current version of the plan should be stored in a central location (both online and offline!).

  2. Help Desk Triage/Playbooks

    As your help desk will probably be the first point of contact for any users to report a suspected incident or compromise, it is important that all help desk staff are trained and understand when to activate the Incident Response Plan or how to escalate to the appropriate staff members. Create a checklist for your help desk to help triage incidents and determine priority/risk level and immediate steps that should be taken based on the data types impacted, severity, etc. You may want to develop clearly defined playbooks for incidents like a phishing email, account compromise, malware on a workstation, etc., so the help desk has documented steps to follow and can direct end users appropriately on when to shut down machines, disconnect from the network, etc.

  3. Communications List

    Develop an inventory of all internal and external contacts and associated contact procedures. For example, it should be easy to locate information for cyber insurance companies, forensics teams, card brands, local law enforcement, FBI, Department of Education, etc., so that during an incident, the team is not scrambling to locate documents or emails with contact details. You should also have a documented call tree/list of internal staff contacts that will need to be notified in the event of a security incident and ensure this list is in a central location that is easily accessible (and accessible if online/cloud-hosted systems are down) for those that need it. This will include contacts in IT, security, legal, communications, public relations, public safety, etc. Assign backup contacts for any key personnel so critical decisions can be made quickly. Empowering your incident response team members to make decisions during an incident is also important so they can act swiftly to shut down or block services as needed.

  4. Incident Tracking Document/Tool

    Before an incident occurs, ensure processes are defined for assigning an incident handler and for coordinating resources to track all actions taken. Whether this is an internal ticketing system, an accessible Google document, or another tool, having it defined within the IRP will eliminate any confusion during an incident. It is important that all steps during the investigation are documented so this information is available as needed to share with outside teams, your cyber insurance company, the board, etc. It will also be helpful to review how the incident was handled and identify any potential gaps in the process as you review lessons learned following the incident.

  5. Plan for Critical Resources

    What would happen if your organization’s payroll system went down? Or the student information system? Update and regularly review an inventory of critical systems (including physical infrastructure) and related service-level agreements. Develop expectations for availability and establish thresholds for disabling these systems, how long they can be down, the ability to fully restore from backups, etc. Having clearly defined thresholds will help IR team members make decisions during an incident. Involving the business owners of these systems and applications in future tabletop exercises is also important so they understand their role in a potential incident that impacts system access.

As your teams review and update your incident response plan, reach out to your dedicated CampusGuard team for assistance. CampusGuard can also help create and facilitate tabletop exercises with your information technology and security teams, or plan for an exercise that involves other key players like the help desk, communications, legal, leadership, etc. It is important to have a comprehensive and up-to-date IRP, but it is even more important to test it so you can identify any failures before you face a real incident.

Additional guidance from the CampusGuard Security Advisor team below:

[Bivens]: Whenever most airplanes are flown, they carry—within reach of the pilot—a manual with emergency procedures covering everything from a dead engine to landing gear that won’t work. During an emergency, seconds count, and the one thing you do not want are crewmembers who don’t know what to do.

Information security emergencies don’t—usually—risk lives, but a bad actor inside your network is still A Very Bad Thing™ that can cost organizations a great deal of money, time, and data. Worse, if people’s personal information is stolen, public trust in your organization can be badly damaged.

In this age of the Cloud, don’t forget your remote resources, either. If you use AWS, Azure, or another Cloud service, does your Incident Response Plan (IRP) include steps to check and protect your Cloud properties? On-premises (data center) resources are easy to isolate with a quick firewall rule change or by disconnecting a trunk cable—protecting Cloud services may require more preparation.

Like an aircraft pilot, when minutes matter, having everyone pulling in the same direction can keep an incident from blossoming into a disaster. Frequently checking your IRP for accuracy is a vital part of good preparedness, and rehearsing the incident-resolution process—with all the key players—is a crucial part of maintaining your IRP in good working order.

During the stress of a crisis, a comprehensive IRP that is readable, familiar, and up to date is worth its weight in gold, and I recommend everyone have one to help guide them through incident mitigation to a successful recovery.


About the Author
Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.