Plan for the worst: Creating an effective cyber security incident response plan

Published: January 7, 2020

Tomorrow belongs to those who prepare for it today. That means that your cyber security response to a future attack isn’t something that will just take care of itself. It takes the right people, the right processes, and the right technology, all working together. In other words, it takes a plan. 

An Incident Response plan is the foundation of your cyber security efforts. That’s because, despite all your preventative measures, a cyber attack isn’t a matter of if; it’s a matter of when. Attacks have become more frequent and sophisticated as hacks shift from the work of a lone mischief maker to that of organized international crime syndicates: 78% of organizations surveyed in the Imperva 2019 Cyberthreat Defense Report [i] were affected by a successful cyber attack in 2018, while 65% also expected to be victims of a successful attack in 2019. Meanwhile, a University of Maryland study shows that hackers are now attacking computers and networks at a rate of one attack every 39 seconds.

Your Incident Response plan will be crucial in marshaling your resources and directing them most effectively during the critical minutes, hours, and days after an attack. While having the latest technologies, best-in-class processes, and on-call security experts is key to preventing as many attacks as possible, when a hacker breaks through – and they will – your Incident Response plan is what will get you back on track sooner.

Is your plan ready for action?

Like every aspect of cyber security, your cyber security incident response plan isn’t something you can just check off a list and never think about again. It must grow, adapt, and scale along with your company, and reflect the resources you have in place to put the plan in action. With the way the IT world moves, that’s easier said than done. 

According to the 2019 Verizon Incident Preparedness and Response Report, 79% of assessed organizations had an Incident Response plan in place, but fewer than half (48%) had a logically constructed, efficient Incident Response plan. Meanwhile, only 40% explicitly specified periodic reviewing, testing, and updating of their Incident Response plans, 22% cited no internal security policies or procedures, and 38% cited no legal or regulatory requirements for cyber security, incident response, or data breach notification. That’s not a plan, but a plan to fail.

You can use a service like Verizon’s Executive Breach Simulation to learn where your cyber security incident response plan has gaps and where it excels. If you don’t have a plan, then it’s time to get to work. 

The 6 required steps for every Cyber Security Incident Response plan

When designing your plan, make sure it includes everything you need to guide your Incident Response team in the case of an incident. It’s most helpful to break your plan down into the following iterative steps:

  1. Planning and Preparation: In this phase, you’ll identify and define stakeholder roles and responsibilities so everyone knows what they need to do during an event. The plan will define your process for identifying an incident, your methods of detection, your standard process flow, and any services you’ll rely on for help, such as Verizon’s Rapid Response Retainer or Computer Emergency Response Team.

  2. Detection and Validation: In this phase of your plan, you’ll determine how you’ll detect and classify cyber security incidents early in the response. How you classify incidents will then influence how stakeholders will prepare for different attacks and what they’ll do when they occur. In addition, by defining your technical and non-technical detection sources, everyone will be on the same page as to how each incident type will be identified.

  3. Containment and Eradication: In this phase, you’ll define your method for managing and eliminating threats so you can prevent additional damage. As a part of the plan, you’ll also want to establish a method for reliable, secure alternative communications in case your corporate email or other official channels have been compromised. 

  4. Collection and Analysis: Here you will specify the method your team should use to collect, handle, and analyze evidence so that you can identify any other incidents, inform your containment and eradication efforts, and direct your team as to how to remediate and recover any lost data. In addition, evidence will be necessary to help law enforcement and third-party investigators find and prosecute the attackers. 

  5. Remediation and Recovery: In this phase, you should describe how you’ll remediate vulnerabilities to ensure the incident doesn’t happen again, along with describing how to restore operations back to normal. 

  6. Assessment and Adjustment: Finally, you’ll want to specify how you’ll review your Incident Response activities so that you can identify systemic weaknesses and optimize your cyber security controls and practices. This will include establishing key performance indicators so that everyone knows what success looks like in your organization. 
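One way to make the six phases above testable rather than a document on a shelf, as an added example that is not part of the Verizon article: a small script that checks a plan record for the elements each phase must define (the field names are hypothetical), flags an overdue periodic review, and computes the time-to-detect, time-to-contain and time-to-recover indicators the Assessment phase calls for from a constructed incident timeline.

```python
from datetime import datetime, timedelta

# Elements each phase must define, following the six steps above (field names are hypothetical).
REQUIRED = {
    "preparation": ("roles", "detection_sources", "external_services"),
    "detection": ("classification_scheme",),
    "containment": ("alt_comms_channel",),
    "collection": ("evidence_handling",),
    "recovery": ("restore_procedure",),
    "assessment": ("kpis", "review_interval_days"),
}

def plan_gaps(plan, today):
    """List the phase elements the plan leaves empty, plus an overdue periodic review."""
    gaps = [f"{phase}.{field}" for phase, fields in REQUIRED.items()
            for field in fields if not plan.get(phase, {}).get(field)]
    interval = plan.get("assessment", {}).get("review_interval_days")
    last = plan.get("last_reviewed")
    if interval and last and today - last > timedelta(days=interval):
        gaps.append("review overdue")
    return gaps

def incident_kpis(timeline):
    """Hours from first attacker activity to detection, containment and recovery."""
    t0 = timeline["first_activity"]
    return {k: (timeline[k] - t0).total_seconds() / 3600
            for k in ("detected", "contained", "recovered")}

# Constructed sample plan: every phase is filled in except an out-of-band channel,
# and it was last reviewed a year before the date it is checked against.
AS_OF = datetime(2020, 1, 7)
SAMPLE_PLAN = {
    "preparation": {"roles": ["IR lead", "legal", "communications"],
                    "detection_sources": ["EDR", "SIEM", "helpdesk tickets"],
                    "external_services": ["<retainer provider placeholder>"]},
    "detection": {"classification_scheme": "severity 1-4 by data and business impact"},
    "containment": {"alt_comms_channel": ""},   # gap: still relies on corporate email
    "collection": {"evidence_handling": "chain-of-custody form, hashed disk images"},
    "recovery": {"restore_procedure": "rebuild from golden image, patch, verify"},
    "assessment": {"kpis": ["hours to detect", "hours to contain"],
                   "review_interval_days": 180},
    "last_reviewed": datetime(2019, 1, 7),
}

# Constructed incident timeline used for the KPI calculation.
SAMPLE_TIMELINE = {
    "first_activity": datetime(2019, 12, 1, 2, 0),
    "detected": datetime(2019, 12, 1, 8, 30),
    "contained": datetime(2019, 12, 1, 14, 0),
    "recovered": datetime(2019, 12, 3, 14, 0),
}

if __name__ == "__main__":
    print(plan_gaps(SAMPLE_PLAN, AS_OF))
    print(incident_kpis(SAMPLE_TIMELINE))
```

Running it reports the missing alternative communications channel and the overdue review, and gives 6.5, 12 and 60 hours for the three indicators; tracking those numbers across exercises and real incidents is what turns step 6 into measurable improvement.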

Start your planning with the Verizon Incident Preparedness and Response (VIPR) Report. It provides a data-driven, scenario-driven approach to understanding and optimizing your incident response plan so you can improve your incident mitigation and response efforts.

[i] Source: 2019 Cyberthreat Defense Report, CyberEdge Group, LLC.