Phases of a Cybersecurity Incident Response Plan
Having an incident response plan is critical to any business's cybersecurity today, because it outlines how to respond to a data breach or cyber attack. This shouldn't be a one-time exercise: properly creating and managing an incident response plan takes time, and the plan should be updated regularly with new training and procedures. In fact, Requirement 12 of the PCI DSS specifically states that businesses are required to have an incident response plan.
Now that you know a cybersecurity incident response plan is required, the real question is how to create one. There are six key phases of a response plan: preparation, identification, containment, eradication, recovery, and lessons learned. Below, we outline each of these phases in detail and point out which items need to be addressed.
Phase 1: Preparation
The legwork at the beginning of the plan sets the baseline for the rest of the phases. In this phase, ensure that your employees are properly trained on the plan and understand the roles and responsibilities they carry in the event of a data breach. It can be beneficial to run drills or mock scenarios as a way to evaluate how well your plan works. Make sure each aspect of the plan is approved and funded in advance, and that the plan is well documented.
Phase 2: Identification
Oftentimes, you don't know a breach is happening until after the fact. The identification phase is important because it serves as an outline for identifying breaches and where they may have originated. When did the event happen? How was it discovered, and who discovered it? Have other areas been impacted, and how big is the impact?
Phase 3: Containment
Now that you've identified that a breach has happened, you'll want to minimize or contain the damage so it doesn't harm your business further. If possible, disconnect affected devices from the internet. It's also important to have short-term and long-term strategies for containment, and to have a backup system in place to restore operations, so that compromised data isn't lost forever. Take this time to update your systems, review remote access protocols, and change user credentials.
Phase 4: Eradication
Now that you’ve contained the issue, it’s time to find (and eliminate) the root cause of the breach. Make sure all malware is removed securely, and all systems are hardened, patched, or updated. Be thorough with this step, as you don’t want to accidentally lose valuable data, which could increase liability.
Phase 5: Recovery
This step involves restoring affected systems and devices and returning them to service. The last thing you want is a lot of downtime, as this could increase the risk of another breach. Ask yourself which systems can be returned to production, and whether they can be restored from a trusted backup. What tools can you use to ensure similar attacks won't occur?
Phase 6: Lessons Learned
Now that the investigation is complete, it's time to circle back with the team to discuss what can be learned. Analyze and document everything from the breach, and determine what worked well in your plan and where it can improve. Ask yourself what changes need to be made to your security, how training can be improved, and what weaknesses the breach exploited.
Looking for someone to handle your incident response plan? Thinline Technologies can help! We can help develop a solution to mitigate risks, protect your firm's financial assets, and reduce downtime in the event of an unplanned disruption. Contact us today!