6 Steps To Creating An Outstanding Cybersecurity Incident Response Plan [Free Templates]
Incident Response Plan is the #1 defense strategy to prevent a major crisis when it comes to cybersecurity. After all, as Jamie Ward famously says, “Cyberattack is not a matter of ‘if’, but ‘when’”.
In this article, we'll walk you through the critical elements for the security team when creating a new plan or updating existing plans. Including:
- Why having a Cybersecurity Incident Response Plan is important
- 4 Examples of the best Cybersecurity Incident Response Plans
- The 6 Key 'Must Haves' in every Incident Response Plan
- The post-incident response plan
Why Having A Cybersecurity Incident Response Plan Is Important
The National Institute of Standards and Technology (NIST) defines Cybersecurity Incident Response Plan (CIRP) as: “The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization’s information system(s).”
Having a CIRP cannot be underestimated by companies. Research shows that companies that prepare to deal with the effects of a cyberattack efficiently have a considerably lower average loss.
According to The Cost of Data Breach Report 2022, the average cost of a breach for businesses with incident response (IR) capabilities is 58% lower than those without IR capabilities. Breaches at organizations with IR capabilities cost an average of $3.26 million in 2026, compared to $5.92 million from organizations with no IR capabilities.
So why do businesses with incident response plans have lower breach costs? Having a complete and up-to-date CIRP implies constantly passing on information to employees and offering training. This helps to create an organizational culture that favors the recognition and prevention of cyber threats.
Another aspect is that by directing efforts to prevent attacks, it is possible to have more clarity on the cybersecurity gaps that are being left. That means you can correct them before they are found by criminals. All this allows an incident to be corrected much more quickly and efficiently.
However, not all companies have a plan. According to a survey by shred-it, 63% of C-level executives and 67% of small businesses in the U.S. do not have an incident response plan.
Another problem is that many plans are not done completely and consistently. For example, many security leads just focus on the most critical incidents. Yet, any fragility or risk to an endpoint must be defended vigorously to prevent a loophole allowing criminals from accessing valuable information.
A consistent cybersecurity plan considers ALL vulnerabilities. As Window Snyder states, “One single vulnerability is all an attacker needs”.
4 Examples of The Best Incident Response Plans
Here are four of the best examples we’ve pulled together that you can use as a blueprint to guide your planning for possible attacks.
Michigan Government Incident Response Plan
Computer Security Incident Handling Guide - NIST
Incident Response and Management: NASA Information Security Incident Management
Cyber Incident Response Plan - Government of Victoria, Australia
The 6 Key 'Must Haves' In Every Incident Response Plan
When it comes to creating a robust cybersecurity incident response plan, there are six key aspects that need to be included:
1. Prioritize Incident Levels
Prioritizing the incident level of an attack is critical to quickly identify the risk of the attack. This involves understanding which systems are critical to the functioning of your business and understanding the different types of user risk interactions. As seen in the Human Factor Report 2022 diagram below.
2. Complete Visibility of All Your Company's Systems And Resources
Clarity is a key aspect of the incident response plan. Knowing all the assets and resources that the company has is important when defending them. In addition, having complete visibility into the company's up-to-date data is critical to knowing where to act and in what way. Therefore, access to detailed and real-time data on the functioning of the company's systems is essential. With this, an attack can be identified more quickly.
3. Define Incident Response Plan Responsibilities
Establish those responsible for each stage of the plan, providing their level of authority and the list of responsibilities. This step is important because it allows people to act faster.
Create a full-time team to handle incident response or train staff to be on call. Professionals must have sufficient authority and responsibility to make the necessary decisions quickly.
Quick response to incidents is crucial on holidays and weekends because there is often a reduction in company protection. We know that Ramsonware is detonated every day of the week, as seen in the data below from RiskRecon.
4. Security Partners
Asking for help is no shame. On the contrary. Having reliable suppliers can prevent huge damage to the company. Therefore, it is important that these partners are mapped and that the team responsible for cybersecurity has easy access to the list. These contacts may include government security officials, privacy regulatory authorities, audit committees, press offices, etc.
5. Easy Access to CIRP
Another key point is to ensure that all employees and people relevant to the company have access to the CIRP. There's no point in putting together an incredible and complete plan if no one knows it exists. It is also important to consider a backup so that the document is accessible even if the internal servers are compromised.
6. Constant Training
Employees must be trained and have clarity on the steps that must be followed in the event of a threat, as well as their responsibility in attack situations. Training is best delivered little and often, just as software and systems must be updated periodically to stay ahead of the latest threats.
The Importance of Simulated Attacks
One of the best ways to equip employees with the skills to respond to attacks is with simulated attacks. They are designed to test everything that was established in the plan and delivered in training.
One of the most effective training programs is the Red Team Exercises, which simulate the conditions of an attack to identify vulnerabilities in your company's system. This type of exercise is critical to testing an incident response plan before it is done by a real hacker.
Why You Need A Post-incident Response Plan
A post-incident response plan helps the company to be more protected from the next attack.
This involves documenting everything to form history and feed a repository that will help the company to be more prepared for future attacks. Including the actions that were taken, the protocols that were made, and the measures that effectively eradicated the incident.
There are several CIRP frameworks. The National Institute of Standards and Technology (NIST) is one of the most recognized and includes four steps:
- Detection & Analysis
- Containment Eradication & Recovery
- Post-Incident Activity
The unique part about the NIST approach is it foresees a non-linear action. That is, the plan must always be revisited and updated according to new information, new threats, and new skills of the team.
Likewise, after an attack, the plan must be updated. This can be taken a stage further by exchanging incident breach experiences with other companies can help your organization to be more prepared.
Here are some questions that can help when it comes to updating the plan after an attack:
- What attack was carried out and at what exact moment did it take place?
- What was the cybercriminal's entry point?
- Who perceived the threat and at what time?
- What was the first act after the incident was detected?
- How was the team informed about the problem? What was the team's reaction?
- What steps were taken to combat the problem? Who led this process?
- What were the positives and negatives of the responsible team approach? What is the lesson in preparing for the next incident?
- How can we prepare ourselves not to leave gaps and not suffer from this type of vulnerability in the future?
- Can any tool or system help us detect this type of vulnerability and respond more quickly to this type of attack in the future?
- What aspects, learned from this incident, can we include in staff training so that staff is better prepared?
Research shows that having a Cybersecurity Incident Response Plan (CIRP) significantly reduces the cost of a cyberattack on a company. However, many companies don’t have a robust plan in place or fail to update them consistently. To be effective, a CIRP must be constantly revisited and updated.
In this article, we have highlighted the importance of having an incident response plan, best practice examples of incident response plans, the 6 key 'must haves' in every Incident Response Plan, and why you need a post-incident response plan.
Need help creating your CIRP?
Need help creating a cybersecurity incident response plan? CyVent has access to the leading IR solutions. We rigorously curate our approved partners and monitor all stages of implementation. We also carry out training and tests that will raise the level of your company's response and make it more prepared to face threats.
CyVent experts are on hand to help you create the plan, train your employees, and choose the right tools to protect your business.
If you want more information, book a call on https://www.cyvent.com/assess-company-cyber-threats/