The Importance of an Incident Response Plan

True story: An employee clicked on an email from someone she knew. Shortly after, she had a brief computer glitch which required her to enter her username and password to get back in. Odd things have happened before, so she thought nothing of it. Unfortunately, that email was a phishing expedition that captured her login credentials. Armed with a valid username and password, hackers had access to all of the company’s confidential information as well as the ability to send emails to the company’s business affiliates and fool them into giving away the keys to their business.

The results of this occurrence could have been disastrous. Mark Torello, partner-in-charge of technology at the Connecticut-based technology and business consulting firm, Whittlesey, says “a full breach would have cost the company $150,000 to remediate, not to mention immeasurable operational and reputational damage”.

Fortunately, the company had recently worked with Whittlesey to implement cybersecurity controls and create an Incident Response plan to deal with just such an attack. Following the Incident Response Plan, Whittlesey locked down the entire network, performed a forensic investigation, quarantined the attack, and prevented infiltration that would have fit the legal definition of a reportable “breach”.

“Having the Incident Response Plan made the difference between filing an incident report in a folder and a full legal breach that would have required notification to the attorney general, spending thousands of dollars on credit monitoring and the dreaded public acknowledgment of a breach,” Torello says.

Whittlesey counsels businesses to proactively protect themselves. The first step in that process is to have a cybersecurity risk assessment performed. A cybersecurity risk assessment will provide a roadmap to best practices in protection. That process will also uncover whether your Incident Response Plan is sufficiently designed to mitigate the effects of an incident or prevent a larger scale breach.

1. Prevents the damage from getting worse

An Incident Response Plan provides an action plan of steps to take immediately following a cyber attack. Because many breaches continue to live on internal networks for months or years, acting swiftly is critical to mitigating the impact.

2. Defines and prioritizes the required legal and technical process

The Incident Response Plan provides essential information to help the business conduct their response to an attack. A well-developed plan will walk you through the required steps to determine if the incident was just a scary screen message or the dreaded B word (breach). An Incident Response Plan should include legal definitions, who to call in order off importance, the process for responding to an attack/incident, and reporting requirements should an incident be determined a breach.

3. Provides the template for required documentation of the response known as an Incident Response Form, this includes:

a. Incident details
b. Initial steps taken to quarantine the incident
c. Investigation steps taken
d. Extent and those affected
e. Determination if incident is a breach
f. Steps taken to prevent incident from happening again

“Simply developing a plan is just the beginning”, Torello says. Companies must offer ongoing training to staff, and review and refresh the plan at least annually, so it doesn’t simply collect dust on a shelf”.

In business today, it is not a matter of whether your data network is going to get attacked but when and how badly. While it is incumbent on every business to build a wall and moat around its networks, planning a response against the inevitable attack is just as critical.

If your organization is due for a cybersecurity assessment, or if you lack an Incident Response Plan, contact Mark Torello. Whittlesey is one of the largest advisory, accounting, and technology firms in New England.

A previous version of this story was first published by the Hartford Courant.