Our Views:
Incident Response Preparation
Following on from last month’s bulletin, where we set out a list of cyber must-haves for 2024, this month we focus on incident response preparation.
The first step in making your organisation better equipped to deal with a cyber incident is to ensure cyber is well understood across the executive, the board, and the business units.
We have found that those who understand their cyber risks, and are proactively taking steps to mitigate these and any emerging ones, will often be asking themselves “how would we actually respond to a cyber incident?”
Assembling the appropriate documentation is key at this point. This will include general business documents such as a crisis management plan, a disaster recovery plan and a business continuity plan. A cyber incident plan will then assist in governing the actions of the computer incident response team at a high level. More detailed information would be contained in a playbook for specific attack types such as ransomware and business e-mail compromise. At the most detailed level, the technology team may also have runbooks, which specify the exact step-by-step actions that need to be taken to respond and recover.
It is important to follow guidance from those organisations that are well versed in providing direction. These include the New Zealand government coordinated incident management system (CIMS) and the incident response framework from the National Institute of Standards and Technology (NIST) in the United States, along with several others which we have referred to over the last five years of bulletins.
For those looking for an easier route, you can take a turnkey cyber incident response plan and spend an appropriate amount of time tailoring it for your organisation. These plans do not need to be started from scratch.
Once you have your incident response plan drafted, or updated if one was already in place, you then need to exercise it through a cyber incident simulation. These workshops always prove to be a useful investment of everybody’s time and provide an opportunity for immediate observation and feedback to further improve the organisation’s cyber resilience.
Simulations may involve many representatives from across the executive and business units. Alternatively, a more focused group may include risk and legal representatives, or board members for ultimate decision making.
Another benefit of bringing the team together is to give them an opportunity to work out how best to coordinate the planned activities and track progress through to completion. We find that the use of an electronic control room greatly benefits the computer incident response team’s ability to manage this.
Finally, in addition to documentation and simulations, there is also a range of other important factors to consider, such as:
- Roles and responsibilities of the computer incident response team
- Escalation points
- Public relations
- People and culture
- Forensic expertise
- Legal expertise
- Regulatory requirements
- Insurance requirements
If you have not already done so, we encourage you to consider the above without delay, and to ensure your organisation has a suitable incident response plan and is ready to act should it be required.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
