Ten Steps to Planning an Effective Cyber-Incident Response

HBR Blog Network

by Tucker Bailey and Josh Brandley  |  12:00 PM July 1, 2013

• Comments (1)
•        

With cyber criminals successfully targeting organizations of all sizes across all industry sectors, organizations need to be prepared to respond to the inevitable data breach.

A response should be guided by a response plan that aims to manage a cyber security incident in such a way as to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs.

We've found in our work with large global organizations that many companies do have response plans but don't truly operationalize them. Often, the documentation prescribing how to act in the event of a breach is out of date, inaccessible to key decision makers, generic, unhelpful for guiding specific activities, or some combination of the above.

In many cases, especially in global organizations, response plans aren't integrated across business units. Developing individual plans in silos inhibits the sharing of critical information and best practices and leads to a lack of coordination during large response efforts.

And too many plans sit idle. Organizations that are highly conscientious about practicing fire drills fail to rehearse the steps they would take in the event of a data breach.

Here are 10 principles to guide companies in creating — and implementing — incident-response plans:

1. Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
2. Develop a taxonomy of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
3. Develop easily accessible quick-response guides for likely scenarios.
4. Establish processes for making major decisions, such as when to isolate compromised areas of the network.
5. Maintain relationships with key external stakeholders, such as law enforcement.
6. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
7. Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
8. Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
9. Identify the individuals who are critical to incident response and ensure redundancy.
10. Train, practice, and run simulated breaches to develop response "muscle memory." The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers' awareness and fine-tuning their response capabilities.

An effective incident response plan ultimately relies on executive sponsorship. Given the impact of recent breaches, we expect incident response to move higher on the executive agenda. Putting the development of a robust plan on the fast track is imperative for companies. When a successful cyber attack occurs and the scale and impact of the breach comes to light, the first question customers, shareholders, and regulators will ask is, "What did this institution do to prepare?"