Desk of a CISO: The Importance of an Incident Response Plan

August 29, 2023
Education, IT Security


Written by US Signal's CISO, Trevor Bidle

In my capacity as CISO at US Signal, I have the unique privilege of engaging with the IT operations of a diverse range of our customers. This vantage point offers me a wealth of insights into both the challenges and triumphs experienced by various teams. Over the course of my upcoming blog posts, I'll be sharing key takeaways that I believe could significantly benefit your team's effectiveness, operational efficiency, and overall resilience during a security incident.

If your business relies on technology in any capacity—and let’s be honest, what business doesn't these days—you absolutely need an Incident Response Plan (IRP). Don't confuse this with your Business Continuity Plan (BCP) or your Disaster Recovery Plan (DRP). While they’re important, an IRP serves a distinct purpose. It prepares you for cyber threats specifically aimed at disrupting your business, as opposed to natural disasters or hardware failures.

Why You Need an IRP

Let's talk timing. Every security incident I've been involved with in the past year has occurred outside regular business hours—think nights, weekends, or even holiday weekends. Why? Attackers are strategic. They target these off-hours precisely because they know system monitoring might be lax, the full IT team may be unavailable, or those on duty might be fatigued or less experienced. By exploiting these gaps, attackers gain the upper hand. That's why having an IRP that outlines step-by-step processes your team can execute, even under less-than-ideal conditions, is crucial.

Take this typical scenario. During an initial attack, it's common for threat actors to disable or delete a company’s backups and replication services, leaving the company without a fallback. Your IRP should include procedures for immediately contacting managed backup or replication providers to secure your data and extend journaling for DRaaS solutions, like Zerto-based replication.

Simply put, an IRP is your playbook in crisis situations. It offers standardized checklists or flowcharts that any team member can follow. It also lists critical contact numbers and outlines emergency procedures, enabling a swift and coordinated response to start triaging the situation.

Keep Your IRP Updated: It's a Living Document

Now, picture this scenario. A threat actor takes down your internal DNS server. How many of your team members can recite the IP addresses for each mission-critical server, host, or device? Could an asset inventory, perhaps included as an appendix in your IRP, be the lifesaver you didn't know you needed? It’s something to ponder.

Here's another real-world snag I've come across: an IRP with outdated or missing contact information. Imagine grappling with a full-blown security incident. Your team knows they need to engage an incident response firm via the cyber-insurance carrier. Simple, right? But wait, no one has the carrier's number, and Outlook is down, making it impossible to reach the CFO for the details. This nightmare scenario unfolds as precious time ticks away. Avoid this by ensuring your IRP includes up-to-date contact lists for internal and external stakeholders.

And this brings us to a crucial point: Your IRP isn't a set-it-and-forget-it document. To keep it functional and effective, set a quarterly review milestone. This dual-purpose activity ensures that team members are familiar with the plan and that the information remains accurate and relevant when you most need it to be.

Accessibility is Key

A plan is worthless if you can't access it when needed. Here's another situation to think about. It's Sunday morning, and you're grappling with a ransomware attack, but your IRP is on a file share that has just been encrypted by that same ransomware. While a physical binder has its merits, modern options like storing the IRP on an iPad, a USB drive, or a secured third-party cloud service can also be effective backups.

Wrapping Up

To sum it all up, an IRP isn’t just a 'good to have'—it's an absolute necessity for any organization that relies on technology. From guiding your team during off-hours incidents to ensuring that crucial data and contacts are readily available, an IRP is your go-to cyber-resiliency playbook. By keeping it updated and accessible, you're not just ticking off a compliance box. You're making a strategic investment in safeguarding your business operations.

Don't leave your cyber well-being to chance. Take the time now to develop, update, or refine your Incident Response Plan. Trust me, the time you invest today could save you invaluable hours, resources, and even your company’s reputation down the line.

See you in the next blog post, where we'll turn theory into practice by exploring how to test your IRP effectively through tabletop exercises.
