Make 'reviewing your incident response plan' your New Year’s resolution

Whether it’s a natural disaster or malicious cyberattack, many CISOs and IT admins have spent sleepless nights, plagued with thoughts of potential catastrophe. No organisation wants to spend its time dwelling on worst-case scenarios, of course, but those in positions of responsibility understand that an unforeseen disruption can be catastrophic for the ill-prepared. Meanwhile, placing too much trust in the technical aspects of your organisation’s security – even when well-considered and regularly maintained – can lead to blind spots that make disruption more likely and increase the potential negative impact upon the organisation, should the unthinkable occur.

Most likely, your organisation already has policies in place for business continuity, resilience, and incident response. However, it’s worryingly common for such policies to be created, approved, and then locked away and left unattended until an incident occurs. These policies are only effective in responding to disruptive events if they are kept current, and the people trusted to carry them out are informed and prepared. Neglecting this can result a policy becoming outdated and ineffective, potentially relying on individuals who may no longer even be at the organisation.

While technology can be invaluable in helping to secure and manage your organisation and its estate, and in helping to minimise the effects of disruption, no organisation should be operating under the assumption that its systems are airtight and immune to disruption. As organisations introduce increasingly complex and sophisticated technology solutions, potential failure points can actually increase. Without careful consideration and periodic reassessment, vital data, processes, and functions may become unavailable – potentially permanently – following a successful cyberattack or sudden natural disaster.

The objectives of business continuity and incident response plans are obvious: to help organisations maintain operations during disruptions and to minimise the negative impacts of the disruption itself. This naturally extends well beyond the remit of just keeping the IT infrastructure operational, and should take the entire organisation into consideration, from processes and assets, to employees and clients. The exact shape the plan takes will depend on the organisation forming it, and it should be able to change radically from one iteration to the next if the needs of the organisation demand it.

Rather than reading through the existing plan and attempting to spot areas that are out of date, it’s more effective if the process is conducted as a whole, in the same way it was when it was first created. There are a number of in-depth guides to developing an effective incident response plan available from sources such as the NCSC and Microsoft, among others, and it can also be beneficial to enlist outside expertise when tackling the more technical aspects. As a quick overview, there are some high-level criteria that should be reassessed on a regular basis:

• Reassess critical services and functions – It’s important that an organisation has a clear and unclouded view of their current services and functions, how important it is to maintain their continuity, and what duration of downtime would be acceptable in an emergency. Once these are identified, a plan can be formed to ensure these criteria are met.
• Review risks, threats, and potential impacts – Understanding pre-existing weaknesses within an organisation’s systems, even if they cannot be immediately addressed, still allows a picture to develop around what form potential future disruption could take, and the effect it might have on the organisation as a whole. This can be critical when planning responses and determining roles and responsibilities.
• Define and assign responsibilities – As mentioned, any successful incident response will rely on the swift and effective action of multiple individuals across the organisation. For this to be possible, those individuals need to be selected and given the time and opportunity to familiarise themselves with their responsibilities and course of action, should disruption occur. Hopefully, individuals who are no longer with the organisation are not still listed as being part of the response, but if they are, they should naturally be replaced or their role reassigned.
• Identify and implement redundancy plans – Redundancy should be built into incident response from the start. Should communication services – i.e., phone lines or the internet – be disrupted, the plan should enable alternative methods of communication on an organisational level. Similarly, organisations that rely on off-site data servers or cloud services to perform essential functions should have methods in place to handle their sudden unexpected unavailability.
• Identify the need for physical and digital backups – Disruptive incidents can take many forms, and it’s possible that parts of an organisation’s estate could be made unavailable, damaged, or even destroyed in such an occurrence. As such, organisations should regularly review whether spares are available on-site for critical infrastructure, and whether there are sufficient uninterruptable power supplies (UPS), should an ongoing power outage occur. Naturally, critical organisational data should be regularly backed up as a matter of course – ideally both on- and off-site.
• Ensure regular testing and readiness – In order to assess whether any plan is sufficient, it will need to be regularly tested and reviewed as the organisation changes over time. Similarly, in order for even the best incident response plans to be effective, those involved in carrying them out must be able and prepared to do so. To ensure both of these, organisations can conduct simulated incidents that assess the efficacy of their plan and the response of those carrying it out. This can then be supplemented with targeted training and organisation-wide communications to help to maintain a high state of readiness on the part of the workforce.

By regularly running through the above steps, an organisation can help to ensure that it is always on the best possible footing for whatever the future holds. If your organisation needs more targeted assistance in identifying potential risks and threats within your existing estate, feel free to contact us at hello@itgl.com.