Do You Have A Solid Cyber Incident Response Plan?

February 22, 2022

Cyberattacks have become one of the most prevalent security concerns in recent years, with businesses commonly at the center of the storm. There are frequently stories in the news, telling of customer and employee personal records being exposed, operations being stalled, and more. Financial losses in these instances can surpass tens of millions of dollars.

With so many variable methods of enacting a cyberattack – whether it be malware, phishing, DDoS, or something else entirely – these attacks can be scary, and often leave business owners feeling stressed and confused on how to move forward. There is a light at the end of the tunnel though. When hit with a cyberattack there are steps you can take to minimize the damage, rectify the situation, and prevent further disruption.

One of the most important steps in protecting yourself and your business from cyber-crime technically comes before the crime is even committed. You should establish and practice a cyber incident response plan. A successful cyber incident response plan involves planning for possible contingencies, responding to incidents as they happen, and restoring normal business operations as soon as possible.

Creating an Effective Cyber Incident Response Plan

A cyber incident response plan at its core is simply a document, and it may be one of the most important documents for the safety of your business. This document will act as a roadmap to guide both you and your team through the incident, while also providing important resources.

According to the US National Institute of Standards and Technology (NIST), in Special Publication 800-61 (the Computer Security Incident Handling Guide), a cyber incident response plan should contain a few key elements to be effective. The plan should include the following:

  • Mission
  • Strategies and goals
  • Senior management approval
  • Organizational approach to incident response
  • How the incident response team will communicate with the rest of the organization and other organizations
  • Metrics for measuring the incident response capability and its effectiveness
  • Roadmap for maturing the incident response capability, and
  • How the program fits into the overall organization.

With these elements in mind, you should be able to create and establish a successful cyber incident response plan.

Enacting an Effective Cyber Incident Response Plan

Once your plan has been created and established, it is time to enact it. NIST describes the incident response life cycle as four phases: Preparation; Detection & Analysis; Containment, Eradication, & Recovery; and Post-Incident Activity. The phases are not strictly sequential: analysis often continues while containment is under way, and the lessons learned at the end feed back into preparation for the next incident.

For convenient guidance, download our Cyber Incident Response Plan Checklist.

Preparation
The first of the four phases is Preparation. During this time, a cyber incident response team should be created. This team typically consists of IT and security staff and upper management, but you must also decide which other personnel belong on it; legal counsel, human resources, public relations, and facilities are common additions, because an incident rarely stays a purely technical problem. Each member of the team should understand their role, have current contact information for the others, and know what actions they will need to take in the event of an incident.

Part of having a successful cyber incident response plan is implementation and training. A plan is only as good as the team it supports; thus, all employees and staff should be trained on the cyber incident response plan at least annually, and the response team itself should exercise the plan (for example, by walking through a realistic scenario at the table) so that gaps are found before a real incident exposes them. Consistent training increases awareness and reduces the likelihood that an attack succeeds, which is why it is also an important aspect of the Preparation phase.

Detection & Analysis

The next phase of a successful cyber incident response plan is Detection & Analysis. This is the phase in which your business first learns that something may be wrong. Detection & Analysis is an action phase: the cyber incident response team that has been established will need to act swiftly to confirm that an incident has actually occurred, determine its scope, and decide how the business will handle it.

The team dedicated to responding to the incident will have many factors to consider, as cybersecurity incidents can arrive through various attack vectors. NIST SP 800-61 groups the common ones into categories such as removable media, web-based attacks, email, impersonation, improper usage by an insider, and loss or theft of equipment, and recommends preparing for the vectors most likely to affect your organization.

It is also important in this phase to know the telltale signs that an incident has occurred; part of the challenge of detection is simply noticing that an attack has happened. NIST separates these signs into two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future, for example web server log entries showing a vulnerability scanner probing your site, or a public announcement of a new exploit for software you run. An indicator is a sign that an incident is occurring now or has already occurred, for example an antivirus alert, a burst of failed logins followed by a successful one, or outbound traffic to a known-bad address. Precursors are rare and easy to miss; indicators are far more common, and many turn out to be false positives, so each one has to be analyzed rather than acted on blindly.
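As an added illustration (example code written for this edit, not part of the original article and not NIST's own tooling), the following Python script runs over a handful of constructed log lines and tags each finding as a precursor or an indicator using the distinction above: scanner traffic is a precursor, while a brute-force burst, a success after repeated failures, and an antivirus alert are indicators. The log line formats, the scanner user-agent list, and the five-failure threshold are assumptions chosen for the example.

```python
"""Tag constructed log lines as NIST-style precursors or indicators.

Added example; the log formats below are assumed, not any product's syntax.
Precursor: a sign that an incident may occur in the future.
Indicator: a sign that an incident is occurring or has already occurred.
"""
import re
from collections import defaultdict

# Constructed sample data (not real logs): a web access log with user agents,
# SSH auth messages, and one antivirus alert line.
SAMPLE_LOGS = [
    '10.0.0.5 - - [22/Feb/2022:09:01:10] "GET /wp-login.php HTTP/1.1" 404 "-" "Nikto/2.1.6"',
    '10.0.0.5 - - [22/Feb/2022:09:01:11] "GET /.env HTTP/1.1" 404 "-" "Nikto/2.1.6"',
    'Feb 22 09:15:01 host1 sshd[123]: Failed password for admin from 203.0.113.9 port 5001 ssh2',
    'Feb 22 09:15:03 host1 sshd[123]: Failed password for admin from 203.0.113.9 port 5002 ssh2',
    'Feb 22 09:15:05 host1 sshd[123]: Failed password for admin from 203.0.113.9 port 5003 ssh2',
    'Feb 22 09:15:07 host1 sshd[123]: Failed password for admin from 203.0.113.9 port 5004 ssh2',
    'Feb 22 09:15:09 host1 sshd[123]: Failed password for admin from 203.0.113.9 port 5005 ssh2',
    'Feb 22 09:15:11 host1 sshd[123]: Failed password for admin from 203.0.113.9 port 5006 ssh2',
    'Feb 22 09:15:20 host1 sshd[123]: Accepted password for admin from 203.0.113.9 port 5007 ssh2',
    'Feb 22 09:30:00 host2 av: ALERT Trojan.Generic detected in C:\\Users\\bob\\Downloads\\invoice.exe',
    '10.0.0.7 - - [22/Feb/2022:09:40:00] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

# Patterns for the assumed line formats above.
WEB_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) .*"(?P<ua>[^"]*)"$')
SCANNER_UA_RE = re.compile(r'nikto|nmap|sqlmap|masscan|nessus', re.IGNORECASE)
SSH_FAIL_RE = re.compile(r'sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)')
SSH_OK_RE = re.compile(r'sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+)')
AV_RE = re.compile(r' av: ALERT (?P<threat>\S+) detected in (?P<path>.+)$')


def classify(lines, failed_threshold=5):
    """Return a list of (kind, source, description) tuples in log order.

    kind is 'precursor' or 'indicator'. Lines are processed in order so a
    successful login is only escalated when failures from the same source
    and user came before it.
    """
    findings = []
    scanners_seen = set()                 # one precursor per scanning IP
    failures = defaultdict(int)           # (ip, user) -> failed attempts so far
    brute_reported = set()                # (ip, user) already flagged

    for line in lines:
        m = WEB_RE.match(line)
        if m and SCANNER_UA_RE.search(m.group('ua')):
            # Precursor: someone is probing for weaknesses; nothing has been
            # compromised yet, but an attack may follow.
            if m.group('ip') not in scanners_seen:
                scanners_seen.add(m.group('ip'))
                findings.append(('precursor', m.group('ip'),
                                 f"vulnerability scanner user agent {m.group('ua')!r}"))
            continue

        m = SSH_FAIL_RE.search(line)
        if m:
            key = (m.group('ip'), m.group('user'))
            failures[key] += 1
            if failures[key] >= failed_threshold and key not in brute_reported:
                # Indicator: a password-guessing attack is in progress now.
                brute_reported.add(key)
                findings.append(('indicator', m.group('ip'),
                                 f"{failures[key]} failed logins for {m.group('user')}"))
            continue

        m = SSH_OK_RE.search(line)
        if m:
            key = (m.group('ip'), m.group('user'))
            if failures.get(key, 0) > 0:
                # Indicator: success after repeated failure suggests the
                # account has just been compromised.
                findings.append(('indicator', m.group('ip'),
                                 f"successful login for {m.group('user')} after "
                                 f"{failures[key]} failures"))
            continue

        m = AV_RE.search(line)
        if m:
            # Indicator: malware has already reached a host.
            findings.append(('indicator', m.group('path'),
                             f"antivirus alert {m.group('threat')}"))

    return findings


def counts_by_kind(findings):
    """Summarize findings as {'precursor': n, 'indicator': m}."""
    out = {'precursor': 0, 'indicator': 0}
    for kind, _, _ in findings:
        out[kind] += 1
    return out


if __name__ == "__main__":
    for kind, source, desc in classify(SAMPLE_LOGS):
        print(f"{kind:9s} {source:40s} {desc}")
    print(counts_by_kind(classify(SAMPLE_LOGS)))
```

Run against the sample data, the script reports one precursor (the Nikto scan from 10.0.0.5) and three indicators (the brute-force burst, the success that follows it, and the antivirus alert); the ordinary Mozilla request produces nothing. In a real deployment the precursor would feed a "watch this source" list while each indicator would open a ticket for analysis, which is exactly the triage decision the text describes.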

The detection sources set up during Preparation come into play here: antivirus or endpoint protection, intrusion detection, centralized log collection, and third-party monitoring services all produce the alerts and records the team needs. These tools help the cyber incident response team analyze what happened and decide how best to apply the plan that has been put in place, which is why they should be installed and tuned before an incident rather than acquired in the middle of one.

This highlights why it is important to have a plan written in advance: specific details of the incident will push your team toward one action over another, and those decisions are easier to make well when the options have already been documented. It is also a strong reason for the plan to contain several documented playbooks describing the steps to take for each type of incident you are likely to face.

Documentation should begin as soon as an incident is suspected, not after analysis is finished: record what was observed, when, by whom, and what actions were taken, because this record drives the rest of the response and may later be needed as evidence. Once the incident has been analyzed, the team should determine who has been affected and what data was involved. Notification of affected parties, regulators, and law enforcement should then follow the procedures and contacts already written into the plan, since breach notification obligations vary by jurisdiction and industry.

Containment, Eradication, & Recovery

This next phase is likely the one that comes to mind most when picturing a cyber incident response plan. Containment is incredibly important when dealing with a cyberattack: it stops the incident from spreading and limits the damage to the organization. Typical containment actions include isolating affected systems from the network, disabling compromised accounts, and blocking the attacker's infrastructure at the firewall.

The strategy that will be used to contain the cybersecurity incident you encounter should be clearly outlined within your cyber incident response plan. As highlighted during the second phase, your plan should include multiple strategies for your team to act on, dependent on the type of attack.

This third phase also involves gathering and preserving evidence. Evidence is important in determining the best method of containment for each specific incident, and it must be preserved if legal action may follow or if you intend to file a claim with your insurer; evidence assists your insurance team in confirming that the attack is within your policy coverage. Keep a record of who collected each item, when, and how it was stored (a chain of custody), and capture disk images and volatile memory before wiping or rebuilding a machine, because evidence that cannot be shown to be intact loses much of its value.

Once evidence has been gathered and the incident has been contained, your cyber incident response team will have the information it needs to move forward with Eradication. Eradication is the process of removing the threat: deleting malware, disabling accounts the attacker created or took over, closing the vulnerability that was exploited, and in many cases rebuilding compromised systems from known-good images rather than trying to clean them in place. This can involve working with an external forensics team. After the threat has been eradicated, Recovery can begin.

Recovery is like the light at the end of the tunnel; you are now able to safely reinstate your typical operations by restoring systems from clean backups, reinstalling patched software, and changing passwords and other credentials that may have been exposed. Before you enter the recovery stage, make sure the weak spots in your cybersecurity infrastructure that allowed the incident have been corrected, and keep heightened monitoring in place for some time afterwards, since attackers often try to return the same way they got in.

Post-Incident Activity

This fourth and final phase may seem less important than the previous three, as the threat has been acknowledged and neutralized and recovery is under way; however, the Post-Incident Activity phase is incredibly important. This is where the organization learns from the incident and improves the plan.

If everything has gone according to the established cyber incident response plan, now is the time to refine. How did the previous attack occur? How well did the cyber incident response plan apply to the incident? Are there newer threats that have not been accounted for within the plan? Are any additional software or tools needed to decrease the likelihood of an incident occurring?

These are a few of the questions that should be raised and addressed during this time. NIST recommends holding a "lessons learned" meeting of the cyber incident response team and other involved parties, ideally within a few days of the end of the incident, to formally go through structured questions so that an updated, more informed cyber incident response plan may be put into place. More questions that they recommend posing during this meeting include:

  • Exactly what happened, and at what times?
  • What information was needed sooner?
  • Were any steps or actions taken that might have inhibited the recovery?
  • What would the staff and management do differently the next time a similar incident occurs?
  • How could information sharing with other organizations have been improved?
  • What corrective actions can prevent similar incidents in the future?
  • What precursors or indicators should be watched for in the future to detect similar incidents?

A Cyber Incident Response Plan is Important

An effective cyber incident response plan can’t prevent an emergency, but it can help your business survive the disruption. Don’t be caught unprepared. You never know when disaster will strike, so make planning for it a priority.

Download our checklist to make sure you've got all of your bases covered. Your insurance professional can be an invaluable resource for determining how best to avoid or reduce risks relating to unexpected business disruptions. Contact us to discuss tips for operations and insurance planning.