Incident Response Planning

With each passing year, month, and day, the security risks businesses of all sizes face are growing. The actors behind modern threats are no longer the stereotypical Hollywood guy-in-the-black-hoodie; they are professional criminal organizations, and sometimes even nation-states. As a result, all businesses must prepare for the incident that will inevitably occur. Toward this end, Suite3 began the process of rewriting our Incident Response Plan in Q4 of 2020 with the goal of having the working version of the plan in place, as well as our first table-top test run, by the end of Q1 2021.

At its highest level, an Incident Response Plan follows this process:

  • Detect an indicator of compromise and run an Analysis to determine if the plan needs to be enacted
  • Contain and Investigate to determine scope and minimize impact
  • Notify appropriate parties
  • Eradicate threats including root cause determination
  • Recover to resume business operations

However, before we could schedule and run a table-top test, we had FIVE incidents which required us to enact our newly created plan. [You can read about the details of the incidents in a separate blog post] We worked quickly to assess the situation and contain the immediate threat, and when appropriate, paused to notify the client and ask three critical questions:

  • Do you have cyber liability insurance?
  • If so, does your carrier require notification of an incident before response or recovery can begin?
  • Also, does your carrier require that their Incident Response team, or a company of their choosing, lead the response or recovery, or do you authorize Suite3 to do so on your behalf?

In all but one case, a cyber liability policy was NOT in place; the one client that did have a policy in place didn’t realize it until 24 hours after the incident began.

Failing to plan is planning to fail. Get a cyber liability policy in place and know the notification terms required by the carrier BEFORE there’s an incident, because given the nature and pace of these incidents, it’s not a matter of “if” a business will have an incident of its own, it’s a matter of “when”.