What it takes to create an impactful incident response program

The last year has certainly shown businesses all around the world that they must be prepared for the unexpected. How they manage the unexpected is what separates those that sail through their challenges and those that let them significantly harm the institution. Being prepared starts with establishing an effective incident response program.

Why is incident response necessary?

Incident response is an organization’s systematic approach to managing an event or occurrence that may have a significant impact on operations via a human-induced threat (active assailant, terrorist attack, cyber compromise), a hybrid situation (pandemic, fire, power outage, industrial or transportation disaster), or a natural disaster (floods, earthquakes, tornadoes, wildfires, pandemics). The main concern for businesses is that relatively small incidents can escalate and become crises, an occurrence having or likely having a catastrophic impact on operations. Organizations typically seek to establish a robust incident response function to protect people, minimize damage to assets and operations, manage recovery costs, and resume operations as soon as possible.

One of the goals of an incident response plan is to prevent or mitigate the risk of an incident becoming a crisis. A well-exercised plan sets forth roles and responsibilities and instructs employees and business owners on immediate measures to protect people, assets, the environment, and the organization’s reputation. Planning for the worst from the start can often lead to more positive outcomes. To achieve optimal results, an effective incident response program should be straightforward and precise. Anyone reading the plan should be able to quickly determine what needs to be done, and who needs to do it. Then, we turn to using the tools we have at our disposal in the program.

Preparation, preparation, preparation!

Once an organization has created its incident response program, it must prepare to implement. As the old saying goes, “practice makes perfect.” During an incident, time is of the essence. Having a well-rehearsed plan helps organizations react quickly to limit further damage or disruption and save organizational resources. Much of the work in incident response is built upon preparedness. Preparing for an incident helps organizations react faster and often helps reduce the costs resulting from an incident.

Incidents come in all shapes and sizes. While we have certainly learned from the pandemic that an unforeseen incident can quickly become a crisis, an incident can also remain localized and not rise to the level of a crisis. For instance, an incident might take the form of a disgruntled customer assault over facemask mandates enforced at a small business. But even small businesses need to be prepared for much larger events. This is why security professionals encourage businesses to focus on prevention and preparedness measures as the best way to ensure corporate resilience.

Early detection is highly useful for organizations in mitigating major incidents. Certain incidents lend themselves well to early detection, such as major weather events that can be forecast. On the other hand, cyber breaches can be more difficult to detect. For perspective, it takes an average of approximately 200 days to detect a data breach. One of the most common mistakes businesses make is assuming their networks are secure. As technology has advanced, the need for security infrastructure to protect company assets has grown as well. Aging hardware and software in corporate networks can expose vulnerabilities, and a plan to keep these protections up to date is necessary when forming an incident response program. While we strive for early detection, once an incident occurs, having a viable response plan will limit the damage, expenses, and recovery time for the business, which are all critical to the success of the organization.

The critical aspects of an incident response program

There are several main aspects to keep in mind when creating a meaningful response program. Each one is critically important to an overall strategy.

Preparation and Training are key to effective incident response. This includes the creation of an incident response plan setting forth roles, responsibilities, and authorities, and conducting tabletop exercises for key team members and executives.
Detecting, Reporting and Documenting of security events will help alert management to potential security incidents that must be reported.
Pre-Selecting Third-Party Service Providers needed to respond to an incident to avoid taking valuable time and resources from the response effort. This includes lawyers, public relations/crisis communications firms, digital forensics/incident response professionals, etc.
Communication with both internal and external parties should be included in the plan, as well as information sharing and law enforcement liaison processes.
Analysis of collected data and trigger points can minimize the breach or intrusion.
Containment and Neutralization of an incident may be the difference between having a profitable year or sustaining major losses.
Post-Incident Activity Reviews will identify breakdowns in the plan, existing safeguards, or procedures. Lessons learned are an important step to preventing repeat incidents.

The plan should be revisited and reevaluated at least annually to ensure it remains up to date. Having these critical functions in place within an organization’s incident response plan are the keys to a well-crafted strategy. By applying them effectively, a business can quickly and efficiently identify any potential incident and act before negative consequences occur.

In the security industry, we often focus on the concept of foreseeability. An organization that previously encountered a major incident or crisis has a foreseeability challenge in that if a similar situation emerges because proper measures were not put in place, it could be at more risk for significant losses. Oftentimes, the best preventative measure is having a plan in place. While you may not have a sixth sense for what’s coming, you can take a strong stand against potential incidents. The best prevention is preparation.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.