The Importance of an Incident Response Plan

Cybersecurity is vitally important in today’s world of highly interconnected networks, systems, and devices. Every day it feels as if we’re barraged with a plethora of threats. Most of us want to try to get through the day without doing something that leads to a cyberattack that compromises infrastructure, disrupts operations, or leads to a data breach. Data breaches are especially egregious for public safety and justice organizations because of the sensitive data they possess. 
The cybersecurity effort of most organizations focuses on prevention, as well as it should. The more difficult an organization can make it for cyberattackers to gain entry to its networks, systems, and even devices, the better. The adage, “an ounce of prevention is worth a pound of cure,” rings true. Prevention is achieved via the following:

• Technology — Endpoint protection, sophisticated firewalls, and virtual private networks
• Tactics — Network monitoring, penetration testing, and vulnerability scans
• Policies — More-complex passwords and regular refreshes, controls to prevent personnel from going to malicious websites, and training to thwart phishing exercises. 

All of the above is logical and effective — to a point. The sobering reality is that no matter what an organization does to prevent a cyberattack, it never will keep ahead of cyberattackers, who are highly intelligent, persistent, and motivated. Equally sobering is that they increasingly are targeting public safety and justice organizations. It is highly likely that a cyberattack eventually will occur that impacts your organization, personnel, and stakeholders.

Consequently, organizations must develop, implement, and regularly review/test a cybersecurity incident-response plan. This is a written document approved by senior leadership and will help your organization during and after a cybersecurity incident. This plan should be a living document that is evaluated and tested regularly, at least annually. The following are the key aspects of such plans:

• Develop an incident-response plan
  • This might seem elementary, but the reality is that most public sector organizations don’t have one — this is the critical first step
  • Before crafting the plan, get the buy-in of senior leadership — if a cyberattack occurs, you’ll need their support to execute the plan.
    
    
• Create and train an incident-response team 
  • Identify specific roles, responsibilities, and personnel who will fill them.
  • Develop a succession plan to refill roles when personnel leave the organization — it is important to do this before a cyberattack occurs.

• Regularly test and exercise incident-response procedures
  • Attack vectors change continually, so staying up-to-date and adapting procedures is important. 
  • Regularly testing and exercising procedures will help to ensure that personnel are familiar with them and adept at executing them instinctively. When a cyberattack occurs, time is of the essence, and personnel should avoid leafing through the plan document. 
    
    
• Track, document, and report cybersecurity incidents both internally and externally
  • This is particularly important. Understanding what happened and identifying the root cause is the key to preventing a recurrence. 
  • Doing this also will enable the organization to fulfill existing reporting requirements and enable timely and accurate communication with officials, stakeholders, citizens, and mainstream/social media.
    
    
• Implement lessons learned
  • Organizations always can improve. Use what was learned to improve and/or expand the plan and its processes. 

Some organizations have the information technology (IT) and cybersecurity expertise to develop an effective incident-response plan. But even if yours is one of those organizations, remember that cyberattack strategies and tactics evolve continuously and often at warp speed. Consequently, it is extremely difficult, if not impossible, to stay abreast without the help of external experts focused specifically on cybersecurity, such as those at MCP. And suppose your organization lacks the requisite expertise. In that case, we have plenty of resources to help steer you in the right direction and help you navigate this extremely important journey — please reach out.

Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com.