Planning and preparation should take place before a cyber security incident occurs, not during one. Once the response measures have been established, the roles and responsibilities of the employees involved must be understood and documented. The outcome of an incident depends on how well prepared those employees are, on the knowledge they already have, and on the capabilities they can bring to bear.
1. Governance
Governance refers to the methods of organizing and managing the response team. It ensures that the following activities are carried out as planned:
Governing the response team aligns the entire organization to tackle cyber security collectively; coordination between employees enables cross-functional communication and the exchange of information needed to integrate their activities. The entire organization works together toward one objective: to protect itself against cyber security attacks.
2. Strategy
Strategy refers to how the response team responds and communicates during a cyber security incident. Response strategies include procedures for leaders to coordinate response activities, the order in which business functions are to be recovered, and communication protocols that ensure the relevant members of the response team receive the information they need to make decisions.
Strategies developed should be aligned with the organization’s mission and vision to ensure products/services continue to be delivered to customers through effective response procedures that allow affected critical functions to be recovered as soon as possible.
Effective strategies provide a framework for a cost-effective, well-resourced, and organization-wide approach to tackling cyber security. Key aspects include:
3. Incident Response
Before drafting an incident response plan, organizations need to identify the categories of data they collect, the protection measures in place for that data, where it is stored, and which users have privileged access to it.
This inventory feeds directly into the response procedures. The procedures should describe in detail the roles and responsibilities of each member of the response team, together with the timelines they are expected to meet.
For an organization to retain integrity and credibility, customers must be informed and reassured about any breach. This means that the incident response procedures need to include crisis communication protocols.
Email letters, templates, and scripts for spokespeople can be drafted in advance so that they are ready when needed. Communicating with stakeholders promptly after an incident limits further risk to the affected parties and to other potential targets.
The negative impact on the organization's reputation can be controlled if relationships between the organization and the media have been established beforehand. Channels that organizations can use to communicate:
When a breach is first discovered, the forensics team should begin investigating to assess its scale. The cause of the breach (a cyber security attack or an employee error) and its associated impacts can then be evaluated to determine whether the organization's entire infrastructure is at risk.
The incident response team should be assembled, and the notification process for authorities and relevant agencies should begin. Once the affected systems have been identified, the engineering team starts fixing and patching them (HSF, 2016) to limit the spread and impact of the breach. Containment and patching should not destroy evidence the forensics team still needs; logs and system images should be captured before affected systems are cleaned or rebuilt. Larger organizations can request assistance from third-party vendors to speed up remediation. The initial assessment usually does not reveal the full severity of the breach.
Organizations have to plan for the worst-case scenario in order to be prepared to mitigate at least some of the risks. If payment details have been compromised, the organization must contact the affected credit card providers and banks.
The communication team needs to gather information about the breach, assess it, and share it with relevant stakeholders such as customers or suppliers. If user credentials have been compromised (Hawthorn, 2016), the organization has to initiate password resets for its customers and employees.
During and after the resolution of the incident, customers and the media will bombard the organization with inquiries. The organization needs a plan for managing the influx of calls and emails so that it presents the right image and shows that it cares about its stakeholders.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 7, Developing Mitigation and Response Strategies, Section 7.25 Respond
Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.