Responding to a Cybersecurity Incident
Incident response plans describe how the organization will respond when a cybersecurity incident inevitably occurs. I use the word inevitably because no matter how strong and well-designed we believe our security controls to be, something will eventually go wrong. Every organization at some time finds itself on the wrong side of a cybersecurity incident, in a situation where every second counts. This is where a strong incident response plan can save the day.
Organizations with well-designed incident response programs have teams of trained professionals ready to step in when the unthinkable happens. They understand the organization’s priorities and can quickly take steps to contain the damage caused by an incident before it spreads to other systems and networks, helping to reduce the impact on the organization. Spending the time now to assemble the technical, legal and management expertise required to respond to a cybersecurity incident can dramatically improve your organization’s outcomes when an attack occurs.
Preparing for Crises that Affect Operations
Disaster recovery plans also help organizations prepare for the unthinkable, but on a much broader scale. Disaster recovery plans help an organization anticipate any potential disruption that may affect business operations. Such plans should specify controls that mitigate the impact of a disaster and restore normal operations as quickly as possible. An organization might activate the disaster recovery plan in the wake of a cybersecurity incident, but it might also do so in response to a flood, public health crisis or labor action.
Disaster recovery planning begins with a business impact assessment, or BIA. The BIA seeks to identify all of the potential threats facing an organization, assess the organization’s vulnerability to those threats and then develop a prioritized list of risks that require intervention. This approach allows the organization to address risks with the highest likelihood of occurrence and the greatest potential negative impact on business operations. A business in California might prioritize addressing the risk of an earthquake over that of a hurricane, while a business with operations in Florida might make the opposite decision.
With that prioritized list in hand, the organization can then take actions to mitigate the most significant risks. This might include relocating facilities to regions where the risk of disaster is lower, preparing for rapid shifts to work-from-home staffing of critical functions or implementing new security controls to lower the risk of a successful cyberattack. Strong disaster recovery planning efforts also emphasize the facilities and technologies necessary to restore operations quickly after a disaster, including the use of alternate data centers and cloud computing services.
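The BIA step described above, scoring each threat by likelihood and impact and keeping only the risks that require intervention, as an added example that is not part of the original article. The threat catalogue, the 1 to 5 scales and the intervention threshold are constructed, illustrative values, not actuarial data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One entry in the BIA threat catalogue (constructed for this example)."""
    name: str
    impact: int          # potential negative impact on operations, 1 (low) to 5 (high)
    likelihood: dict     # region -> likelihood of occurrence, 1 (low) to 5 (high)


# Constructed sample catalogue: likelihood depends on where the business operates,
# impact does not, which is why California and Florida end up with different priorities.
THREATS = [
    Threat("earthquake", impact=5, likelihood={"california": 4, "florida": 1}),
    Threat("hurricane", impact=5, likelihood={"california": 1, "florida": 4}),
    Threat("ransomware", impact=4, likelihood={"california": 3, "florida": 3}),
    Threat("power outage", impact=2, likelihood={"california": 3, "florida": 3}),
]


def risk_score(threat: Threat, region: str) -> int:
    """Risk = likelihood x impact on the ordinal scales above.

    A region missing from the catalogue is treated as 'lowest likelihood' (1), never 0,
    so an incomplete assessment lowers a risk's rank instead of silently dropping it.
    """
    return threat.likelihood.get(region, 1) * threat.impact


def prioritize(threats, region: str, threshold: int = 6):
    """Return [(name, score)] for risks at or above the intervention threshold,
    highest risk first. Ties break on impact, then name, so output is deterministic."""
    scored = [(t, risk_score(t, region)) for t in threats]
    needs_action = [(t, s) for t, s in scored if s >= threshold]
    needs_action.sort(key=lambda ts: (-ts[1], -ts[0].impact, ts[0].name))
    return [(t.name, s) for t, s in needs_action]


if __name__ == "__main__":
    for region in ("california", "florida"):
        print(region, prioritize(THREATS, region))
```

Running it shows earthquake at the top of the California list and hurricane at the top of the Florida list, with each region's low-likelihood weather threat falling below the threshold entirely.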
I’d like to encourage you to take the time to assess the maturity of your organization’s incident response and disaster recovery plans. If you have existing plans, do they address your current risk and operating environment? If you don’t have solid plans yet, why not put it on the agenda to start a planning project?