
A Cyber Incident Response Plan for Your Web Applications

Hardly a day goes by without news of another hack making the headlines, and the hours and days following a security breach can make or break the affected organization’s reputation. With so many businesses dependent on web technologies, chances are that sooner or later your organization will face a cyber-security incident involving your websites, web applications or critical web services running in the cloud. Having a detailed incident response plan in place allows you to react in a smart and structured way. Put simply, an incident response plan is insurance: hopefully you will never have to use it, but it is absolutely essential. Preparing an incident response plan will benefit your business in (at least) two ways. First of all, you will be able to tackle security incidents with confidence and react quickly and effectively. On top of that, creating an incident response plan will also raise security awareness within your organization, and that is always a good thing!




1) Your Web Security Incident Response Team (CSIRT)

Preparing the organization for incident response includes forming a web cyber security incident response team (CSIRT), deciding who is on call, how an incident should be escalated, and how information should flow between tech, PR, and legal. Remember that security operations affecting the entire organization, such as taking critical systems offline or running recovery, might require authorization from higher up, so your team may need to include executive as well as technical staff. In your plan, document the roles and responsibilities of key individuals and groups. Ensure that everyone in your security team knows their role and is trained accordingly.

When it comes to incident response and communication, transparency is essential. Your plan should specify multiple channels of communication among team members and anticipate technical issues that may arise in likely attack situations (for example, the primary channel itself being unavailable). You should also ensure that all crucial roles will always be filled in any emergency.


2) Cyber Security Risk Analysis

Analysis is a crucial step in incident response. It’s simple: you can’t tackle an incident if you don’t know you are under attack. The first indication that something is wrong can often be seen in logs. Focus on places where your websites or applications interact with business-critical processes and systems, and perform a risk analysis for every likely incident scenario to identify possible cyber threats. Once you know something is going on, you need to establish what type of attack you are experiencing and how serious it is, so that you can categorize the incident and its severity.

Decide what web security events should be considered security incidents, and how priorities should be assigned. For example, if user information is compromised in a privacy breach, affected users need to be informed and a PR statement issued. On the other hand, a low severity incident with no functional, information or recoverability impact still requires appropriate steps to be taken. Identify other systems that could be affected by a web security incident. Depending on your application and systems architecture, a compromised web application might be interfacing with core business systems and databases, so security risks can extend far beyond web systems. To prepare for recovery, identify existing backup policies and processes and define required recovery point and time objectives (RPO/RTO) for your web infrastructure, including servers, storage, and operating systems.
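The triage rules described above, written out as an added example (not code from the original post): each web security event is scored on the three impact dimensions the text names (functional, information, recoverability), a severity and a list of required actions are derived, and the expected data loss and downtime of a recovery are compared against the RPO/RTO you defined. The impact scale, thresholds and action names are assumptions chosen for illustration; the events in the test are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Impact scale (assumption): 0 = none, 1 = low, 2 = medium, 3 = high,
# applied to each of the three dimensions named in the plan.
SEVERITY_LABELS = {0: "event", 1: "low", 2: "medium", 3: "high"}


@dataclass
class WebEvent:
    name: str
    functional: int         # degradation or outage of the web application
    information: int        # confidentiality/integrity of user or business data
    recoverability: int     # effort to restore normal service (3 = not recoverable)
    user_data_exposed: bool = False


def severity(ev: WebEvent) -> str:
    """Overall severity is driven by the worst of the three impact dimensions."""
    return SEVERITY_LABELS[max(ev.functional, ev.information, ev.recoverability)]


def required_actions(ev: WebEvent) -> List[str]:
    """Map a categorized event to the steps the plan requires (assumed action names)."""
    actions = ["log and ticket"]            # even a no-impact event is recorded
    sev = severity(ev)
    if sev != "event":
        actions.append("open incident, notify on-call")
    if sev in ("medium", "high"):
        actions.append("escalate to IR lead")
    if ev.user_data_exposed:                # privacy breach: users and PR/legal
        actions += ["inform affected users", "PR statement approved by legal"]
    if ev.recoverability >= 2:
        actions.append("start recovery from backup")
    return actions


def rpo_rto_check(last_backup: datetime, detected: datetime,
                  est_recovery: timedelta, rpo: timedelta, rto: timedelta) -> Dict:
    """Compare expected data loss (time since last good backup) and estimated
    restoration time against the recovery point/time objectives."""
    data_loss = detected - last_backup
    return {"rpo_met": data_loss <= rpo,
            "rto_met": est_recovery <= rto,
            "data_loss_hours": data_loss.total_seconds() / 3600}
```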


3) Cyber Incident Response Process

You have identified the incident and it’s time to take action. Containment is all about taking control of the incident and isolating it in order to minimize damage. As such, containment often involves decisions that need to strike a balance between successfully containing an incident and retaining evidence with minimal impact on your business.

Situation awareness is a key aspect of any emergency response, so your plan should specify rules and methods for monitoring the threat situation in real time. Who decides when an event becomes an incident? How is that information communicated within the IR team? All these questions need to be answered to ensure a clear picture of any emergency situation.

For large organizations, remember that external communication during incident recovery may affect not just your reputation and value, but also regulatory interest in your incident – especially for potential leaks of confidential information. Make sure your messaging is approved by PR and legal, and that your IR plan clearly specifies who is authorized to publish what information.


4) Incident Response Plan Testing and Reviews

Once your plan is ready and approved, you will need to test it to ensure that all procedures and communication channels are realistic and work as expected. Tabletop exercises are an easy and cost-effective way of simulating incidents, honing response procedures, and training your team.

To ensure your processes keep pace with new threats and changes to systems and organizational structures, you will need to conduct periodic reviews – typically once a year, but quarterly reviews might be required in fast-changing or high-profile environments. In your reviews, check the accuracy of recorded systems information and procedures, and don’t forget to periodically update contact information to ensure an effective flow of information.


5) The Benefits of Effective Response Planning

Every incident is a learning experience and an opportunity to improve your existing incident response plan. Within a few days after the incident has been resolved, gather your team and reflect on lessons learned. An effective and tested web cyber incident response plan is an invaluable asset for your organization. It ensures you are prepared to quickly and effectively react to likely incidents and reduces business impact when things do go wrong, so you can minimize costly downtime and contain issues before they get out of hand. In the process of defining your plan, you will also gain a clear understanding of your organization’s web systems and overall security posture.

On the flip side, not having an effective plan for web incidents leaves your organization vulnerable to downtime, data loss, and potentially even legal liability. Getting started with a structured approach to incident response may seem intimidating and time-consuming at first, but it is a worthwhile investment that can save you a lot of headache later on. When faced with a security incident, nobody regrets having spent time developing an incident response plan.

Copyright @SecurWires. Designed & Developed by MindScript