May 2024 Volume 6

OPERATIONS & MANAGEMENT

The Importance of a Cyber Incident Response Plan
By Jim Kerr

Developing a strong cybersecurity stance takes a layered approach. To be effective, it requires a smart combination of three elements:

• A positive cybersecurity culture (people – see more in the November 2023 issue of FIA Magazine)
• The right proactive and reactive tools (technology – see more in the January 2024 issue of FIA Magazine)
• Knowing what to do in case of an attack (process – your cyber incident response plan)

It may seem unlikely that your company could ever be challenged by a cyberattack. In the IT world, we know otherwise. Operating with an “assume breach” mentality, we prepare for “not if, but when” a cyberattack occurs. It’s important to take the same approach in your organization.

Why a Cyber Incident Response Plan is Important

You probably have plans in place to continue business operations in the event of unexpected circumstances like extreme weather, power outages, or even illness. Cyber incident response is a key piece of this continuity strategy. Think of it this way - knowing how to respond to an attack is equally as important as having the tools in place to help prevent one.

Planning provides the guide to help your team detect, respond to, and recover from a cybersecurity incident. When the event happens, your team will need to respond quickly to contain the damage and restore services. The time you spend up front will put you in a strong position to recover more successfully. This isn’t a time to make it up as you go.

The plan helps protect more than the technical aspects of your IT infrastructure and data. It helps maintain compliance with industry regulations and cyber liability insurance requirements, and will also minimize financial loss, downtime, and reputational damage after an event. Your investment in planning for recovery could make or break the future of your company.

Take a Best-Practice Approach

A good place to start is with the NIST Incident Response Framework.
The NIST framework is one of the most widely accepted tools for cybersecurity planning and response. It breaks down into four main areas:

Preparation and Planning

Assemble a team (consider key members responsible for IT, legal, HR, operations, communications) who can identify business-critical information and systems, classify incident types based on their potential business impact, and help create the plan. This will be the first-response team when an event occurs. As a starting point, identify your main security risks. Map out how your company would respond to different types of threats. For example, the response to a network-wide data breach is different than for an email click.

Detection and Analysis

Continually monitor your entire infrastructure to detect and identify threats as quickly as possible. Implement processes to address specifically targeted attacks, such as ransomware or how to respond when a staff person’s email is compromised and starts sending spam.

Containment, Eradication and Recovery

Depending on the event, your plan will guide the IT team in how to isolate and disable the threat and restore systems. As part of your planning, create action steps including how you’ll stay in touch with your staff, customers and other stakeholders while the IT team is hard at work on the technical side. You’ll likely need help from your attorneys, communications team, insurance providers, and possibly law enforcement.

Post-Incident Activities

Evaluate the strengths and weaknesses of your team’s response. Bolster any technology gaps or staff training. Address any potential negative impacts of the event on your staff and customers. Revisit and update your plan regularly to keep it relevant and ensure its effectiveness.

Tips to Get Started

A simple plan is better than no plan, so don’t wait. Start where you are today. Over time, your plan may become more detailed depending on how your IT environment changes or as new threats develop. Here are four steps:

1. Make incident planning a priority and establish an incident response team. Identify a planning facilitator and key members from various departments to begin the planning process.
2. Identify threats and vulnerabilities to your organization. Prioritize these and decide how you would respond if the most likely events occur.
3. Develop response procedures. Create a playbook with clear instructions and areas of responsibility for each member of the incident response team.
4. Review the plan annually. Technology tools and circumstances change. Make sure your plan is current.

FIA MAGAZINE | MAY 2024
