EO Advisor

You’ve been hacked! What now?

Incident Response Policies and Plans
Developing a Security Incident Response Plan

A malicious cyber-attack that pulls down your system and blocks access to data is as much of a crisis as having your building on fire.

You want to be able to “break the glass” and pull the alarm knowing that a very well-organized response plan will kick in right away. 

Having helped clients recover from malicious incidents, we can say that it helps a lot when this is not your first rodeo. The difference between a well-trained surgeon performing emergency surgery for the first time and a surgeon who has performed the operation under real-world conditions a few hundred times is significant. The same goes for IT incident response. 

There is no level of protection software that guarantees that an attack incident will never happen. It’s just way too hard to always stay out in front of the bad actors, especially in the new era of sophisticated phishing attacks. 

Incident Response Readiness

Recently, we leveled up our own Security Incident Response Plan (SIRP) with fresh documentation and clear team assignments. The response plan is designed specifically for our organization—as a large IT managed services provider with a diverse range of clients. By definition, we are a high-value target for bad actors.  

Note: Many of the most sophisticated and malicious hackers operate out of Russia. The current geopolitical unrest has put the whole world on high alert for cyber-attacks. 

A Policy and a Plan 

A strong security incident response plan details:

  • what steps to take in the event of an attack,
  • when to take those steps,
  • who is on the response team, and
  • what each team member is responsible for doing in the heat of the moment.

Incident response planning is what makes the policy valuable—otherwise, it’s just a useless stack of paper, and time wasted by whoever compiled it. We conduct drills to make sure every team member does much more than just read the document. We practice so that we respond correctly when the crisis is real. 

The discipline of practicing for IT incidents is called Red Teaming. The “Red Team” is made up of good folks who create artificial scenarios of malicious attacks. The Incident Response Team then goes through exercises in which it thwarts the various attacks staged by the Red Team.

No matter how much experience a tech engineer has, conducting drills and rehearsing is the fundamental best practice that makes an incident response policy effective when a crisis happens. The challenge is to constantly keep even the best tech people from becoming complacent because of their confidence in their own skills.

A good Red Team keeps us humble.  

Building a Team 

The incident response team will include a senior technical officer as the Incident Response Leader. The leader is supported by a small technical team, usually along with an HR manager and a business manager. Teams are dynamic depending on what is being attacked and/or which client is involved, but the specific team members must be identified in advance and know their individual roles and responsibilities.

Backup team members should also be clearly identified. Malware attacks often occur on holidays because the bad actors know there is a better chance that response teams will be harder to pull together.

Sharing Our Experience 

We help our clients develop an incident response plan that is appropriate for their circumstances. For example, a local MRI and X-ray imaging provider has very different needs than a manufacturer with operations in six countries.  

Our disciplined ability to respond effectively when attack incidents happen is one of our most valuable assets. We believe that these skills give us a competitive edge in the IT MSP industry. In the spirit of EO Advisor, we believe that incident response planning is something all companies should pursue, even if they work with our competitors.


The goal is to live our lives and run our businesses without fear, even though we know that dangers are persistent. When it comes to business information and systems, there is a lot that can be done to insulate from the danger. Unfortunately, even the best defenses are imperfect. Knowing how our team will go on the attack when our business is breached is perhaps the most empowering feeling of security we can achieve.  

