For institutionalised incident response, a clear plan makes all the difference in limiting damage and building trust
When it comes to security incidents, it’s not a matter of if or when, but what next? No security team ever keeps a perfectly clean sheet, and the planning you do now goes a long way towards determining how effectively you respond when something goes wrong.
Unfortunately, it is easy for security leaders to get distracted by risk quantification, product purchases and solution rollouts while putting too little effort into actual crisis preparation. You can’t buy institutional strength; it takes sustained work from leadership and the team.
Here are strategies for creating an incident response plan and integrating it into your organisation.
Prioritise high-risk areas
Common examples of these high-risk areas include:
- Code vulnerabilities
- Phishing attacks
- Compromised multi-factor authentication
- Firewall breaches
- DDoS attacks
These categories are well known, but also consider how an incident that starts in one of them can evolve over time. A DDoS attack might knock you offline, but what is the plan if your internal communication channels go down with it? What if an employee account is compromised and the attacker uses it to move laterally into another part of the company?
Readiness for unexpected eventualities
Business continuity and crisis response are essential elements of any mature organisation. Still, few, if any, anticipated the magnitude of Covid-19’s impact; the speed and scale of the shift to a remote workforce, for example, was entirely unexpected. Nevertheless, many incident plans that were in place before Covid-19 have proven effective.
A solid incident response plan should include:
- Good case-management tools
- Ability to capture decisions in real time
- A designated, cross-functional group of people including security, legal, communications, marketing, customer success, HR, and PR at a minimum
- Solid collaboration and communication tools
- Ability to collect data (logging, analysis tools)
- Third parties standing by to augment staff (don’t wait until the crisis to engage them; you’ll pay twice as much and get half the quality)
- A good cyber-insurance policy
Also, take the time to invest in healthy relationships in case you need to reach out later, such as with law enforcement, peer companies, and collaborative entities.
When a crisis does arise, here are some essentials:
- Dedicated conference rooms
- Dedicated communications platforms
- Leaders guiding teams to clear their schedules, refocus and reprioritise
- Documenting decisions in real time
Finally, when the incident ends, write a post-mortem to capture the lessons learned. Focus on what happened and why rather than on assigning blame. Wait about a week so that emotions have cooled, but not so long that memories fade.
For incident response, communication is everything
Media coverage rarely dwells on how the security team was organised or which tools were in place; what people remember is how the incident was communicated. Show empathy for the customer and build the audience’s trust. For example:
- Get good at delivering bad news. Be crisp, technical, detailed, and clear.
- Build internal trust relationships now to enable effective work during tense situations later.
- Speak to each audience according to its perspective (team, cross-functional groups, regulators/law enforcement, media, board of directors, broader employee base, and customers).
Responding to a major outage: an incident response case study
In the summer of 2019, Cloudflare experienced a significant outage. We had to take our service down and bring it back up globally, and the incident was highly visible because customer websites became inaccessible. Because incident planning was already solidly in place, the team followed the game plan:
- Get the right people in a conference room right away
- Mobilise the cross functional group
- Give everybody a specific job to do (note taking, decision making, technical analysis, customer communication, and so on)
- Be available to customers immediately to explain and offer assistance
About a week later, we published a detailed post-mortem. That transparent, detailed account generated a great deal of goodwill with customers and industry partners, and it was possible only because a clear incident response plan was in place from the start.
Seeking to beef up your incident response? Find out how Cloudflare is supporting security leaders here.