Incident Response Plan – Part 3


The Benefits and the Needs for Fast Time to Detect and Time to Respond Periods

When an organization is hit by a Cyber-attack, the IT staff obviously needs to respond to the incident as quickly as possible. Any wasted time will simply translate to more downtime in the end, which means lost revenue, damage to the brand, and worst of all, lost customers.

But responding as quickly as possible to a Cyber-attack also brings benefits of its own. Some of these are as follows:

1) The downtime, if any, will be minimized, so the business or corporation will be able to return to full operations quickly. This assumes that a proper Incident Response Plan has been put into place and that all sensitive data has been backed up properly and can be accessed efficiently and quickly. The end result is that, depending upon the severity of the Cyber-attack, the financial bottom line of the company should not be too greatly impacted. Responding quickly to an incident also limits the window in which the vulnerabilities exploited by the Cyber attacker remain open, and reduces the risk of the same incident happening to a different part of the organization.

2) Quickly responding to a Cyber threat and immediately notifying your customers as to what happened could, in the long run, win new business. For example, when you communicate with your customers in a timely manner, it shows them that not only do you take your due diligence seriously, but that you also care about them on a much more personal level. In fact, this is where many organizations fail, because many customers do not know that they too have become a victim until a much later point in time. In these instances, very often a letter is mailed out, thus leaving an “impersonal effect”. So, the manner and the time frame in which a customer is contacted can make a huge difference. A phone call to the customer from a member of the management team shortly after an incident has taken place would leave a much more “personalized effect”; it proves to them that, by taking the time and effort to use this mode of communication, you take their security very seriously as well. Thus, in the end, this personal touch will create a much more favorable and long-lasting impression on the customer, which could bring in more repeat as well as referral business later on.

3) After an organization has been hit by a Cyber-attack, one of the key areas that management will look into is filing a claim with the respective insurance company in order to be compensated for the costs incurred in restoring business operations. Showing your agent that you responded quickly to the incident by having a well-crafted Incident Response Plan will not only mean that you receive your claim money quickly, but you could also receive policy discounts in the future.

4) Responding in a timely manner to any kind of Security breach allows a thorough investigation to follow in an expedient fashion as well. This means that evidence will still be fresh and intact, allowing Forensics information and data to be collected quickly. This in turn translates into evidence that will be admissible in a court of law, and which can also be used to bring the Cyber attacker to justice.

5) Typically, after a Cyber-attack, the larger corporations and businesses (such as those in the Fortune 500) might be required to release what is known as “Electronically Stored Information”, or “ESI” for short, to the Federal Regulatory Authorities and Law Enforcement Agencies. The quicker an organization can respond to a Security-related incident, the greater the chances that the ESI will remain intact and can be produced quickly when requested. Any delays in this regard by the entity could result in very stiff fines and penalties from the authorities.

6) Responding quickly to a Cyber-attack will create a subsequent, proactive Security mindset among the IT staff of any kind of organization, large or small. This in turn leads to what is known as a “Targeted Security Monitoring” environment, in which the IT staff can identify many types of Cyber threat vectors before they increase in severity, giving you a greater chance of mitigating them in the future. With a reactive Security mindset, not only will incident response time be much slower, but you will be forced to devote all of your resources to figuring out what exactly is transpiring in just one incident, leaving the organization much more vulnerable to other Cyber-attacks at the same time.

Responding quickly to a Security incident also means that the right team needs to be put into place at the business or corporation. The following roles should be involved in responding to an incident:

Team Leader: Responsible for the overall incident response; coordinates the necessary actions that need to take place.

Incident Lead: Responsible for coordinating the actual response.

IT Contact: Responsible for communications between the Incident Lead and other members of the IT staff.

Legal Representative: Responsible for leading the legal aspects of the incident response.

Public Relations Officer: Responsible for protecting and promoting the image of the business entity during an incident response.

Management Team: Responsible for approving and directing Security Policy during an incident response.


In our next blog, we examine the importance of timely and effective communications during an Incident Response.