Though the facts that follow shouldn’t stoke fear, they can be used as motivation. It’s impossible to ignore the stats when, according to the 2019 Telstra Security Report, one in four businesses don’t have an active incident response plan and 65% were interrupted by a breach in the last year.
According to businesses surveyed for the 2019 Report, the majority of organisations are working on being better prepared for when, not if, an attack occurs. This is now a modern business must-do.
“Australian respondents identified the ability to timely detect and effectively respond as their number one challenge” – Telstra Security Report 2019
Timely detection is made possible by the right mix of training and technology. An effective response is one that is pre-prepared, planned, and practised.
How you respond is everything
What is an Incident Response Plan (IRP)? Let’s break it down.
Cyber security specialist Louisa Vogelenzang puts it simply: “It’s a framework that’s used to guide what an organisation does when an incident happens.”
Having a framework to follow is essential. Responding to a security incident is about more than speed. A cyber breach is often a dynamic and stressful event, further amplified by the knowledge that a timely response is critical. This is where an IRP shows its value. Having a road map to security in this challenging moment can save the day and could save your business.
An IRP may be developed with thought and care, then tucked away in a drawer to gather dust. However, in a digital world where everything changes so quickly, updating your IRP often is crucial. And in addition to regular updates, the processes of enacting an IRP should be practised – similar to a fire drill.
“It should be a continuously improving document. It can’t be looked at as just a point in time; it really has to be something that's continuously worked on,” Louisa says.
Don’t risk going without
The widely used saying goes, ‘a failure to plan is a plan to fail’, and this rings true for IRPs. Put simply, going without one is opening the door to business failure.
“Ultimately, we live in a world where we need to have that expectation of a breach,” Louisa says.
Having an incident response plan and knowing what you're going to do when that happens is absolutely critical to any business. Not only large businesses. It's also just as applicable to small business, which can be targeted too.
From the physical to the digital: how technology has changed IRPs
Incident response plans have long been used to manage threat situations in the physical environment – for example, in the event of a fire or flood. In principle, an IRP for digital threats is similar to one designed for physical threats, but the contents evolve over time.
“The difference really is that with cyber security and digital security, those threats are changing at a much more rapid pace than, say, a physical threat might do.
“There's climate change, so we know that the likelihood of something like flooding is increasing in some areas, but I think that's still not as dynamic as the threat environment that we have in cyber security,” Louisa says.
Another change brought about by the shift to digital is a widening scope of responsibility.
“No longer are you responsible for an incident that solely takes place in your building. Cyber security involves managing different environments that might not be under your direct control.”
Your business could be working with third parties, and you’re probably dealing with cloud security as well. Both are less contained environments that you need to consider when analysing the threats your incident response plan has to respond to.
Security is now good marketing
Irrespective of your industry, if your business uses tech, your security track record is a selling point for your business.
“When businesses don't manage data breaches well, the reputational damage can far outweigh the actual business cost of the incident.” – Louisa Vogelenzang
As outlined in the Telstra Security Report 2019, for businesses large or small, customer experience is everything. “Increasingly customers are actually asking businesses about privacy, what’s happening to their data and how it is being used and protected.
“There’s also been lots of very recent public debate around that area,” says Louisa – which makes the issue even more visible.
Starting up and growing a business, working hard to build a reputation of trust, and then having it all undermined by one event can be a significant challenge to recover from. Sometimes, it can be terminal.
“We know in businesses, large or small, that customer experience is everything, and customers have come to expect data security.”
IRP fundamentals: Identifying key assets
Louisa advises that one of the earliest steps to take in developing or updating an IRP is figuring out what to protect and work back from there.
“Ask yourself: ‘What are you working to protect and why does it need protecting?’”
Specifically, in a digital context, your key assets are going to be your data and your critical systems.
As soon as you answer this question another arises, because at this point it might be hard to know where all of that data is. This is one of the biggest and most complex initial challenges of developing an IRP for digital contingencies: working out where the data is and whether some of it is no longer housed on your digital property.
Ultimately, it’s important to know if the data you’re responsible for might extend beyond the walls of your building.
Introducing The Five Knows
Identifying your key assets is just the start of the process, and the thinking comes from what Telstra calls The Five Knows of Cyber Security. The way forward to developing your business’s IRP is to seek existing resources based on experience. To truly hone your IRP, professional guidance can turn principles into an effective document. Telstra’s Computer Emergency Response Team (CERT) can work with you to develop your business’s incident response plan.
IRP fundamentals: A 9-step checklist
Whether you’re updating an existing one or starting anew, check that your business’s Incident Response Plan includes:
☐ Identification of your most valuable assets: what do you have that’s important to safeguard?
☐ An analysis of any threats: think of anything specific to your industry and your type of business.
☐ A plan for each incident type: Each incident requires a tailored response.
☐ Your team’s roles and responsibilities: who makes which decisions and when?
☐ The tools to help you respond: contact lists, guides, and checklists for each type of potential
☐ A process for notifying stakeholders: you have obligations. The Australian Cyber Security Centre outlines these.
☐ A plan for media management and public relations: Consider reputational damage, and how to best communicate what you need to and to whom.
☐ A testing and updating schedule: In a dynamic digital environment, updating your IRP is essential. So too is practising your response.
☐ Review and report after an incident event: Learn from what took place by documenting the incident’s details and your response actions. This should guide your future IRP updates.