Organizations should do everything they can to reduce cyber risk. However, with so many threats and an ever-expanding attack surface, it’s virtually impossible to prevent a security breach. That’s why an incident response plan plays a critical role in effective cybersecurity.
Studies show that an incident response plan can greatly reduce the business disruption caused by a cyberattack. According to research by the Ponemon Institute, incident response preparedness reduced the cost of a data breach by almost 38 percent — the highest cost-saver among all the activities analyzed. That’s because an incident response plan greatly reduces the time required to detect and contain the breach.
Yet a separate Ponemon study on cyber resilience found that just 26 percent of organizations have a consistent, enterprise-wide incident response plan. More than half (51 percent) had inconsistent, informal, or ad hoc plans.
Keeping the incident response plan up-to-date is also critically important. Cyber threats and the IT environment are constantly changing, so experts recommend quarterly reviews. However, only 7 percent of respondents to the Ponemon study reviewed their plans at least quarterly. Forty percent had no set timeframe for reviewing and updating their plans.
Developing an Incident Response Plan
An effective incident response plan is simple yet precise, providing clear direction for identifying and addressing issues and protecting assets. Responsibilities among technical and non-technical teams must be clearly defined, and all employees must understand how to report and respond to an incident. A classification system should be created so incidents can be prioritized based upon the type, risk, cause, and impact. All of these factors will ensure alignment between organizational priorities and the incident response plan.
According to the SANS Institute, there are six steps to an incident response plan:
- Preparing both users and IT teams to understand security strategies and respond appropriately to incidents.
- Identifying true security incidents among the many alerts that are received.
- Containing threats to minimize impact.
- Eradicating threats at the origin.
- Recovering or restoring data, applications and systems that may have been disrupted.
- Analyzing the incident and how it was addressed to prevent recurrence and improve response processes.
Every incident response plan should include a communications procedure so users and security teams know whom to contact and for what purpose. A forensic analysis checklist should be created to help responders gather data and determine appropriate steps for containment and eradication. Finally, an incident response plan must be tested at least quarterly, or whenever changes to the IT infrastructure warrant a test.
How an MSSP Can Help
A qualified managed security services provider (MSSP) can help organizations reduce risk and stay on top of the latest threats and defense techniques. Additionally, the MSSP can play an active role in the development and testing of an incident response plan, and provide monitoring services that help ensure that cyberattacks are detected and remediated quickly.
There are multiple ways to engage with an MSSP for cyber incident response. Organizations that have in-house security resources can utilize the MSSP for monitoring and have alerts forwarded to their team. Best-in-class MSSPs use security information and event management (SIEM) tools to filter alerts, minimize false positives and provide actionable intelligence that streamlines remediation.
Organizations that lack sufficient in-house IT resources can fully outsource incident response to the MSSP. The MSSP will be responsible for detecting and responding to threats and taking action to minimize the risk of downtime. If systems are breached, the MSSP will isolate and remove the threat.
It’s important to clearly define the division of responsibilities in an MSSP relationship. But even more critical is developing an effective plan for responding to cybersecurity incidents.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile