A cybersecurity attack threatens your business’s data, IT systems, and finances. To avoid or mitigate these attacks, you need to create an incident response. In this article, we’ll explain what incident response is, how to put together a plan, and how to increase your chance of avoiding attacks in the first place.
What does incident response mean in cybersecurity?
Incident response refers to the way a company responds to a cyberthreat such as phishing, man-in-the-middle, or malware(new window) within their network. An incident response plan identifies all of the potential threats and vulnerabilities within your business with a risk assessment, and then defines the actions your business will make if it’s affected by threats.
When a threat or potential breach is detected, your plan lays out the approach you’ll take to responding: this includes actions such as mass password resets, network recovery, data backup, and notifying governmental agencies or customers as needed.
What is a cybersecurity incident?
In recent years, cybercrime has increased. Hackers rely on tools such as ransomware(new window) to gain access to businesses’ infrastructure and then extort money in return for regaining access. A recent example of this is Casio, the international electronics manufacturer, which announced the impact of a third party ransomware attack(new window) on its website.
According to TechCrunch, a ransomware group named Underground(new window) has since announced it was responsible for the attack, accessing and downloading more than 200GB of data. The data included employees’ personal information, customers’ personal information, and business partners’ personal information.
Casio is still investigating the scope of the damage caused, and has not specified whether it paid a ransom amount to Underground. Incidents of this nature have been on the rise due to the lucrative nature of ransomware, and they’re likely to increase.
Why do you need an incident response plan?
According to research from the Identity Theft Resource Center, businesses in the financial services, healthcare, professional services, manufacturing, and education industries were the most compromised in H1 of 2024(new window). In the same time period, cyberattacks led to 1,226 breaches, affecting more than 1 million victims.
The risks associated with falling victim to a cyberattack include financial loss, regulatory fines, and loss of reputation: having an incident response plan helps a business avoid or minimize being affected by this fallout. In the event of a cybersecurity attack, all employees understand who’s in charge of the incident response and what their role is in your plan.
Globally, governments are beginning to understand the necessity of proper incident reporting and response. In the US, federal and state laws are able to impose cybersecurity requirements(new window) such as documenting cybersecurity risks, writing incident response plans, annual risk assessments, and pen testing. If a business fails to meet the regulations dictated by its local requirements, the FTC can seek financial penalties.
In the UK in 2025, the Cyber Security and Resilience Bill(new window) will be introduced to parliament. The UK government reasons that “recent serious high-profile attacks impacting London hospitals and the Ministry of Defence, as well as ransom attacks on the British Library and Royal Mail, have highlighted that our services and institutions are vulnerable to attack.” An incident response plan may in fact be a legal requirement for businesses around the world in the future.
How to put together a cybersecurity incident response plan
If you don’t have an incident response plan, we’re going to help you understand how to put one together. Below are some of the key aspects of your plan you’ll need to consider.
Appoint an incident response team
The team who will carry out your plan won’t all be cybersecurity experts – instead, they’ll be key figures from different areas of your business who can coordinate a cross-functional approach. They’ll also feed information back to the incident response manager and share information with other employees as needed.
As well as including any IT admins, your incident response team should include employees in your HR, customer service, and legal teams. A data breach will affect your employees and your customers, as well as potentially having legal ramifications: the teams handling these business areas need to be part of your response team.
Proactive v.s. reactive incident response
A reactive incident response plan involves reacting to an event that is already happening. Typically, it will involve locating the source of the threat, isolating it to prevent any further breach of your systems, and working to remove the threat.
A proactive incident response involves actively preventing events from happening. It involves mapping out your system architecture to identify vulnerabilities, educating employees about cybersecurity, and putting safeguards in place to prevent breaches.
When you’re creating your incident response plan, use a combination of reactive and proactive methods. Help your incident response team prevent breaches with ongoing system monitoring and logging, and manage any events with effective identity management tools. Help your employees prevent breaches occurring with two-factor authentication (2FA) and secure passwords, and help them react to breaches with a clear plan on how to escalate an incident to your dedicated incident response team.
Think before and after a cyber incident
Your plan will determine how you respond to a cyber incident, but it will also determine how you monitor for and prevent incidents before they happen.
- Before an incident: Identify your business’s most sensitive and valuable assets, and create a map of all your data. Name the person / people in charge of the recovery as incident managers. Make sure that you have scrupulous auditing and logging to identify the origin of any potential threats. Educate employees about safe password practices, giving them the right password management tools to manage their logins and enforcing 2FA.
- During an incident: Isolate the threat and neutralize any potential for it to spread – reset user logins, take sensitive data offline, and isolate affected tools and systems. When the threat is contained, work to remove it with your appointed incident response team.
- After an incident: Create a detailed timeline of the incident and identify business areas and areas of your incident response plan which need to be strengthened to prevent a similar threat in future.
The right tools for cybersecurity incident response
Cybersecurity isn’t the sole responsibility of IT admins: it takes every employee within a business to keep your data safe. Stolen employee credentials can be used to access your IT infrastructure, so using a password manager is one of the easiest steps you can take to prevent cyber incidents occurring.
Proton Pass for Business helps every employee within a business safely store, autofill, and share passwords to their work tools. Using the built-in password generator, employees can create unique passwords for every platform they use. Admins can track password changes and user activity through the activity logs, and enforce 2FA for every user. Team policies ensure that sharing data outside your business is switched off, preventing sensitive data leaks.
If you’re ready to create your incident response plan, start by giving your employees the tools to protect themselves and your business from hackers. They’ll become an essential part of your plan with the right tools – find out more about Proton Pass for Business.