Incident Response: What You Need To Know

Lukas Grigas
Cybersecurity Content Writer

Is your business prepared to respond to a security breach or cyberattack? According to cybersecurity experts, it’s a matter of “when” rather than “if” your organization will experience a serious cybersecurity incident. This applies to both large enterprises and small and mid-sized businesses (SMBs).

Having an established incident response plan that would be executed immediately following a security incident is crucial for any organization, regardless of its size. The time to prepare your response plan is now. Today, we’re taking a closer look at what you need to know to devise a good cybersecurity incident response plan.

A rising tide of cyber security incidents: A global concern

The years 2020 and 2021 brought quite a few challenges. The global COVID-19 pandemic has forced organizations of all sizes to create remote workforces and operate off cloud-based platforms. Unfortunately, such changes have coincided with a significant surge in cyber security incidents, including a 600% rise in overall cybercriminal activity.

Cyber security incidents, particularly ransomware attacks, have seen a 151% increase in attack volume in 2021. It is estimated that today, a new organization falls victim to a ransomware attack every 11 seconds.

And that is far from all. CPO Magazine reports that almost half a million Zoom accounts were compromised, and data associated with those accounts was sold on the dark web. Furthermore, phishing attacks spiked by 510% from January to February 2020 alone. Cybercrime Magazine notes that the global cybercrime damage in 2021 amounts to $16.4 billion a day, $684.9 million an hour, $11 million per minute, and $190,000 per second.

These are challenging times for businesses yet lucrative ones for cybercrooks. Being prepared to respond accordingly in case of cybercrime is existentially important for today's businesses. The National Cyber Security Alliance reports that 60% of SMBs that experience a severe cyber security incident go out of business within six months.

What is an incident response plan and why do you need it?

An incident response plan is a set of instructions and guidelines designed to help organizations prepare for, detect, respond to, and recover from a cybersecurity incident. Most response plans are built to address issues such as malware attacks or general security and data breaches. Usually, such plans are technology-centric and provide an incident response process — a course of action, if you will — in the event a company experiences a cybersecurity incident. It is also important to note that incident response plans should involve other teams as well, not just the IT department. A good plan encompasses finance, customer service, PR, HR, legal, and other areas.

When preparing a cybersecurity incident response plan, make it as specific as possible. It should be tailored to your organization and clearly state who should do what, and when, if the company experiences a cyberattack. Of course, numerous considerations must be assessed for an incident response process to succeed and meet your company’s needs. Some companies don't know where to begin, let alone what to prioritize. To shed some light on this pressing issue, here are a few key things to consider when designing your cybersecurity response plan.

Incident Response Frameworks

Organizations can benefit from structured approaches like those offered by NIST and SANS when addressing cybersecurity incidents.

The NIST 4-step process covers:

  1. Preparation: Building a foundation to manage cybersecurity risks.

  2. Detection and Analysis: Identifying and assessing incident specifics.

  3. Containment, Eradication, and Recovery: Addressing and neutralizing incidents, followed by system restoration.

  4. Post-Incident Activity: Analyzing the incident for future improvement.

This systematic approach emphasizes a continuous improvement cycle, ensuring a broad coverage of incident response operations. The NIST 4-step process provides invaluable guidance on team assembly, role definition, and communication protocols, catering to various industries with its adaptable and uniform guidance.

On the other hand, SANS introduces a 6-phase process, focusing on:

  1. Preparation: Equipping teams for effective response.

  2. Identification: Detecting potential security incidents.

  3. Containment: Limiting the spread or escalation.

  4. Eradication: Removing the threats.

  5. Recovery: Restoring and validating system functionality.

  6. Lessons Learned: Capturing insights to fortify future responses.

The SANS 6-phase framework delves more into the technical aspects of incident handling, promoting a hands-on approach to managing cybersecurity events. SANS leverages collective expertise to offer a dynamic perspective on incident response, benefiting organizations with actionable steps and procedural depth.


Put together an internal response team

Consider assembling an internal team that would be responsible for designing the cybersecurity incident response plan and carrying it out in case of an emergency. The team’s size depends on the company’s resources, but it should comprise IT and cybersecurity professionals, an HR specialist, communications managers, and a legal specialist. Having an internal team can yield great benefits should your organization experience a security incident, since the people on the team would be closely familiar with how the incident response plan should be executed.

Differentiate incidents

Not all security incidents are created equal. Therefore, when creating your response plan, consider establishing different types of procedures for different incidents. Assessing what kind of security incidents within your company would be considered minor and major is critical. Some breaches might require a major response, while others could be handled with fewer resources. Additionally, different personnel may need to be on the response team depending on the significance of the breach. Incident differentiation is extremely important for smaller enterprises due to the lack of resources.

Create a course-of-action checklist

A well-designed cybersecurity incident response plan must include a checklist of prioritized actions that should be carried out immediately after the company learns of a potential incident. After all, this is what the plan is all about. While checklists will differ for every organization according to its size, type of operations, and other variables, here are a few actions that should be a part of any checklist:

  • Record the date and time the breach is discovered.

  • Define the type of security incident.

  • Take potentially compromised systems offline to avoid any further unauthorized activity.

  • Conduct initial interviews with those with critical knowledge of the potential breach.

  • Make a copy of the affected systems so they can be fixed without compromising the investigation process.

  • Start internal communication.

  • Prepare a PR statement.
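The two sections above, differentiating incidents and keeping a prioritized checklist, are easier to follow when the plan is backed by a small record-keeping tool rather than a document alone. The following is an added illustration written for this page, not NordPass's tooling or any published framework code: it classifies an incident as minor or major using constructed placeholder thresholds, stamps the discovery time and every action in UTC, enforces the SANS phase order so that nobody jumps to Recovery before Containment, and verifies by SHA-256 that a forensic copy matches the original before remediation starts on it. The incident types, host thresholds, host names and the byte string standing in for a disk image are all constructed for the example.

```python
"""Incident record and checklist tracker (added example, not from the article)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Phase order from the SANS six-phase process described above. A record may
# only move to the next phase in this list, never skip ahead.
PHASES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons Learned"]


def classify_severity(incident_type: str, affected_hosts: int, sensitive_data: bool) -> str:
    """Return 'major' or 'minor'. Thresholds are constructed placeholders; an
    organization would encode its own 'differentiate incidents' rules here."""
    if incident_type in ("ransomware", "data breach") or sensitive_data:
        return "major"
    if affected_hosts >= 5:
        return "major"
    return "minor"


@dataclass
class IncidentRecord:
    incident_type: str
    severity: str
    discovered_at: datetime                       # checklist: record discovery time (UTC)
    phase: str = "Identification"
    log: list = field(default_factory=list)       # (timestamp, phase, text) entries
    evidence: dict = field(default_factory=dict)  # name -> {"sha256": ..., "verified": ...}

    def note(self, text: str) -> None:
        """Append a timestamped entry so the timeline survives for the post-incident review."""
        stamp = datetime.now(timezone.utc).isoformat()
        self.log.append((stamp, self.phase, text))

    def advance(self, new_phase: str) -> None:
        """Enter the next phase; refuses to skip (e.g. Recovery before Containment)."""
        if new_phase != next_phase(self):
            raise ValueError(f"cannot move from {self.phase} to {new_phase}")
        self.phase = new_phase
        self.note(f"entered phase: {new_phase}")


def next_phase(record: IncidentRecord) -> Optional[str]:
    """The only phase the record may advance to, or None after Lessons Learned."""
    i = PHASES.index(record.phase)
    return PHASES[i + 1] if i + 1 < len(PHASES) else None


def open_incident(incident_type: str, affected_hosts: int, sensitive_data: bool,
                  discovered_at: Optional[datetime] = None) -> IncidentRecord:
    """Checklist items 1 and 2: record when the breach was discovered and what type it is."""
    discovered_at = discovered_at or datetime.now(timezone.utc)
    severity = classify_severity(incident_type, affected_hosts, sensitive_data)
    rec = IncidentRecord(incident_type, severity, discovered_at)
    rec.note(f"incident opened: type={incident_type} severity={severity} "
             f"discovered={discovered_at.isoformat()}")
    return rec


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register_forensic_copy(record: IncidentRecord, name: str,
                           original: bytes, copy: bytes) -> bool:
    """Checklist item 'make a copy of the affected systems': accept the copy only
    if its hash matches the original, so remediation works on verified evidence."""
    h_orig, h_copy = sha256_hex(original), sha256_hex(copy)
    verified = h_orig == h_copy
    record.evidence[name] = {"sha256": h_orig, "verified": verified}
    status = "verified" if verified else "MISMATCH"
    record.note(f"forensic copy of {name}: {status} ({h_orig[:12]}...)")
    return verified


def run_demo() -> IncidentRecord:
    """Walk one constructed incident through the checklist and the first phases."""
    rec = open_incident("ransomware", affected_hosts=3, sensitive_data=False)
    rec.note("initial interview: helpdesk reports encrypted shares on fileserver-01")
    rec.advance("Containment")
    rec.note("fileserver-01 taken offline")
    # Constructed stand-in for a disk image; a real image would be read from a file.
    image = b"constructed-disk-image-bytes" * 64
    register_forensic_copy(rec, "fileserver-01", image, bytes(image))
    rec.note("internal communication started; PR statement drafted")
    return rec


if __name__ == "__main__":
    for stamp, phase, text in run_demo().log:
        print(stamp, phase, text)
```

The phase check is deliberately strict: an `advance()` call that skips a phase raises instead of silently reordering the timeline, which is the property a reviewer wants when reconstructing the incident afterwards. The hash comparison is the minimum check before anyone touches the original system; a real plan would also record who made the copy and where it is stored.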

Review and amend the incident response plan regularly

A cybersecurity incident response plan needs to be regularly reviewed and amended to reflect changes in company resources and in cybersecurity trends. This should be done at least once a year, or more frequently. The plan should also reflect organizational changes, including personnel changes, IT infrastructure changes, etc.

Corporate cybersecurity can be extremely challenging. It involves a human element and a huge number of moving parts. Even the biggest players in the business world tend to struggle with the growing cybersecurity demands. And so, sometimes it might be difficult to see that something as complicated as business security starts with very basic things such as practicing good password hygiene or being able to spot a phishing email.

How can NordPass help secure your business?

At NordPass, we are acutely aware of the challenges when it comes to securing your company's data. Our NordPass Enterprise plan is purpose-built to help large organizations overcome access management and overall security posture complexities. By integrating NordPass into your business, you gain a tool for managing passwords securely and a partner in promoting robust cybersecurity practices among your employees.

NordPass Enterprise offers an array of advanced and intuitive security features to ensure businesses can tackle security without unnecessary difficulties. By leveraging Shared Folders and Groups features, organizations can implement access controls that are aligned with their internal structures and policies.

On top of that, NordPass offers a great way to eliminate the little day-to-day nuisances, such as manually typing credentials, thus saving time. It’s all thanks to Autofill, which is designed to help you fill out online forms with just a few clicks. This efficiency empowers your team to focus on their primary tasks, which is critical for companies looking to streamline their processes.

If you wish to learn more about cybersecurity incident response and how you could make your company resilient, we’ve got just the right thing for you. A few weeks ago, NordPass hosted a webinar covering the topic. The list of speakers included Lisa Forte, Partner @ Red Goat Cyber Security, Vilius Benetis, Director @ NRD Cyber Security, and Andrius Januta, Cyber Security Professional @ Nord Security.
