The Role Of Your Incident Response Team

Published on 08/06/2022

According to IBM’s 2021 Cost Of A Data Breach Report, 2021 had the highest cyber security incident average cost in 17 years, rising from $3.86 million in 2020 to $4.24 million in 2021, the highest average total cost in the 17-year history of the report.

Whilst this total average cost takes into account the costs associated with detection and escalation, lost business, notification and communication activities, and post response activities, it still far outweighs the cost of introducing a pragmatic Incident Response Plan.

Effective Incident Response Planning ensures that you can respond swiftly and effectively to cyber attacks on your business, minimising the damage and disruption they can cause and enabling you to quickly identify, contain, eradicate and remediate the threat.

What Does Incident Response Entail? 

Once a cyber security incident has been identified, Incident Response refers to how an organisation contains, eradicates and remediates the threat. This involves:

  • Handling a cyber-attack, data breach, or widespread systems failure.
  • Managing the consequences of the incident.
  • Recovering from the incident to resume normal business operations.

How Does An Effective Incident Response Plan Help Limit Damage Disruption?

Cyber attacks and data breaches can severely impact your business operations. Therefore, developing a robust Incident Response Plan and regularly testing and exercising it to ensure it works as intended is essential. Tabletop exercises and simulation scenarios provide you with an invaluable opportunity to identify what works and what doesn’t outside of a live threat. In turn, this will enable you to significantly limit damage and disruption in the event of a real-world incident.

In addition, a well-handled response can greatly limit exposure to legal consequences as a result of the attack and the more understanding the Information Commissioner’s Office is likely to be if they become involved.

How To Choose Your Incident Response Team?

It is important to choose your Incident Response Team wisely and ensure that each member fully understands their role to ensure the Incident Response Plan can be executed quickly and smoothly. Your Incident Response Team should include the following members:

An Incident Manager

If an organisation has no CISO to lead the response, the best person would likely be Operations Director as they have the broadest knowledge of what your business needs to function.

Their first role will be to find out which systems have been compromised and evaluate how critical those systems are to the overall running of the business. They are likely to work closely with the Technical Lead / Incident Specialist.

The Incident Manager should work closely with the most senior person/people within the affected department(s) to better understand what they need to be able to return to operation again.

A Technical Lead / Incident Specialist

Their role is to understand what caused the breach in the first place so that they can safely return the system to use, even if functionality is restricted initially. They provide advice and guidance on the incident, options and technical implications to the Incident Manager.

Human Resources

Human error is often the cause of a successful cyber-attack. Sometimes, a bad actor within the ranks of your staff may be responsible. Whether through negligence or intent, your HR department should be involved, particularly as decisions that are taken as a result of the breach may relate to staff and therefore require adherence to relevant employment law.

A Legal Representative

Likewise, a legal specialist with knowledge of the ramifications of a cyber attack should be available to communicate their legal opinions to the Incident Manager and others on the team.

A Communications Expert

You should attempt to manage news of a significant breach by taking the lead. Whether internal or external someone with the experience to get a clear, concise, non-technical version of your story out will be particularly valuable. 

Incident Coordinator

Someone will need to record the steps taken within your company for protection against future legal threats or action by the Information Commissioner’s Office. You may also wish to appoint this person to:

  • Coordinate the spread of information between the managers of the incident security team and the people working for them to speed recovery.
  • Inform the Incident Manager when they believe that an individual or department may be falling behind schedule.
  • Filter incoming communications from within the organisation to prevent the team from becoming overwhelmed.

How Should The Incident Response Team Prepare For An Incident?

Preparation is key to the successful performance of an incident management team.

By running ‘drills’, the Incident Manager and all those on their team will have practice making the decisions they have responsibility for and they’ll have a better understanding of the resources available to them in an incident.

If you use third parties for incident response, service level agreements (SLAs) should be worked out in advance so they know what you expect from them.

There should also be a prep visit of your premises by involved parties – if you have multiple premises, they need to know which one to come to and be familiar with it. Will they know where to park? Do they know which entrance to go through? Have you provided them with an access card, or provision for this to take place during an incident?

Information is key to resolving a crisis. You need to make sure that internal and external team members have access to the data they require. Unannounced drills are a way to ensure that staff responsible for gathering and presenting information are doing so as you require them to. In addition, you may discover during a drill that you need more information than you thought, giving you the chance to adjust your plan accordingly.

Incident Response Post-Mortem

Every cyber-attack, although damaging and unfortunate, is an opportunity to learn.

Be sure to hold a post-mortem with all team members following the resolution of the incident to better understand the failures or oversights within the business that led to the breach in the first place and improve the process involved in recovering from an attack.

Hopefully, your business will never need to call on your Incident Response Plan, but they should be in place and ready for when you need them. Don’t wait until you are in the middle of a crisis before you exercise your Incident Response Plan for the first time, exercising your plan in advance will help you quickly and effectively identify, contain, eradicate and remediate a cyber threat, minimising damage and disruption to your business.

If you do think you have been the victim of a cyber attack or would like to speak to one of our specialists about protecting your organisation against cyber threats, please get in touch to speak to one of our specialists.

This article was published in partnership with our cyber security partner PGI.

© SES Secure Limited and ses-escrow.co.uk, 2022. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content
 

Stay updated with SES by signing up for our newsletter

Find out how SES can help your business
Contact us

Contact us

If you would like further information, discuss your requirements, get a free no obligation quotation or just a friendly chat on how we could possibly help please fill in the details below and one of our team will get back to you as soon as possible.
Tick the box to receive regular updates and industry insights