Leave Improv to the Actors – Incident Response Planning for Small and Midsize Business
In the current landscape of relentless cyber attacks, it’s no secret that having a robust incident response plan is not just advisable—it’s essential. The statistics are stark, and as a savvy business leader, you’re already aware of the risks. But let’s talk about readiness. It’s not about if a breach will happen; it’s about when. And when it does, the fallout can be catastrophic.
So why does it seem most small and midsize businesses are “winging it” when it comes to managing an incident? Maybe this is perfectly acceptable if you have taken the time to identify that a cyber breach would have little to no effect on your business. You are living my dream if that’s the case. Please skip the rest of this article and enjoy your day. For the rest of us, is “winging it” really in our best interest?
Let’s step back for a moment. I think it’s useful to build a better understanding of the different types of response plans.
Incident Response, Disaster Recovery and Business Continuity can sound like they would be the same thing. For the most part, they all serve a common purpose of managing and recovering from critical events. But they are distinct.
Business continuity is the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident (Wikipedia). It’s what we do as a business to minimize and overcome an interruption.
Disaster recovery involves a set of policies, tools, and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a critical failure. Disaster recovery focuses on the information technology or technology systems supporting critical business functions as opposed to business continuity (Wikipedia). It’s how we recover from a technology failure.
Incident response is generally a combination of business continuity and disaster recovery plans specifically prepared for responding to and recovering from a cyber incident.
Preparing these types of plans may sound intimidating, but having them offers far more value than improvising a response, and that difference can determine whether a business survives an incident.
Where do I start?
If you are a small or mid-sized business without a plan, I recommend you get started. As with other complex undertakings, I often advise the organizations I work with to crawl, then walk, then run. What I mean by this is that you are better off having something over nothing. A plan doesn’t need to be perfect. I would rather see you invest a little bit of time to have something than invest no time at all and have absolutely no plan to lean on when you need it most. You can improve your level of preparedness over time.
An important thing to know, and a lesson many learn only after going through an incident, is that an incident response is not a technology response. It’s a business response that leans heavily on technology, but also on communications, department heads, possibly legal and privacy, and ultimately the cooperation of all staff.
The strength of an incident response plan is not measured in pages either. In my career, I’ve benefited more from straightforward, cut-to-the-chase plans.
Let's Crawl > Walk > Run:
Crawl – Identify those who will be tasked with managing an incident. Call this your incident response team. Have a meeting with these folks and inform them of their role in an incident. Identify any third-party support you may require, including IT service providers, communications support, legal counsel, and cyber insurance. Document this and make it available to the team. Your response will benefit from the critical thinking of this team.
Walk – Expand on your plans by identifying pre-planned activities and decisions for different types of scenarios. This should include what technical steps would be taken, when you would engage external response services, what your position is on paying a ransom, and whether you would engage local authorities. A communication plan that identifies whom you would inform, when you would inform them, and with what information is also crucial. You will also want to identify any entities you are required to notify, such as regulators and partners.
Run – Expand your plan with pre- and post-incident activities. Pre-incident – perform routine tabletop exercises. This important exercise identifies gaps in your plans that can then be addressed, and it prepares both your plans and your teams for a real event. Post-incident – gather as an incident response team following an incident. Identify lessons learned and incorporate improvements.
If your organization is not in a position to prepare these plans, lean on a business technology advisory firm like ourCIO whose advisors can champion this on your behalf. You can’t predict when it will be, but when it happens, you will be thankful you are ready.