10 Things to Consider for a Cyber Incident Plan

We go out, we buy antivirus protection, we buy firewalls, we jump through hoops to keep bad things from happening. And when they do, we find ourselves trying to sort out what to do next. That’s the wrong time to be trying to figure that out. You need to have a plan, and in this case, a cyber incident plan. And you need it before things go wrong!

Most companies have a very simple plan. If something nasty is trying to get in, we simply drop the internet connection. Good plan, but it misses a few things: like how do you know when something or someone is illegally trying to get in? The majority of external hacks are discovered well after the attack, so that idea doesn’t work well. Your plan will need to address that. Before we start talking about the elements of the plan, I need to bring up one thing. Whatever plan you have needs to be constantly updated. The threat landscape is always changing, and you need to review your cyber incident plan at least twice a year to determine if it’s still valid or not. So probably the first big point to planning is to provide a review.

So, let’s look at something that needs to be done.

1. Somebody has to do it. An assignment as to who does it needs to made, and this individual has to be the one who plans and leads the effort across the different business units and possibly even office locations. One thing often missed is whoever does this has to know about IT, has to be a communicator, and has to be able to think beyond the confines of his office building. Sometimes this is given to the most overloaded guy, and either the task is done slowly, badly, or isn’t done at all.

2. Look at risks, threats, and potential failures. A common mistake is to make the assumption that you might be too small a target for a hacker to pay attention to this possibility. Yes, I’ve actually heard business owners say that, missing the point that they’re exactly the kind of target a hacker would be interested in. Part of the point here is that hacker attacks aren’t the only threat out there. How about simple, everyday viruses and malware? Things like that can cripple a small business just as fast and just as well as a larger company.

3. Research some quick response guides. Doing a search on how to respond to a cyber intrusion or a virus threat will give you plenty of information and guidelines.

4. A good thought process for making decisions is invaluable. We also need to determine who makes the decisions to isolate certain parts of networks, shut down servers, etc. Also, you’ll need to provide for alternatives, meaning who else can make that call (the guy in charge never seems to be around when things go wrong).

5. Keep a working relationship with law enforcement. While many law enforcement agencies are ill-equipped to handle cyber incidents, they are also the gate keepers to other resources. In the United States, for example, The FBI and the Secret Service are charged with investigation of cyber crimes. A web search will probably reveal what law enforcement units in your country could assist. Also, many governments reach out to local business and offer training, meetings and other ways to help in case of cyber incidents. Take advantage of these resources. Often they lead to good contacts.

6. Know local experts such as forensic specialists. While we might want to have them on at least a retainer, knowing who they are and how to contract their services would be a big help. Incidentally, you might want to know the criteria outlined under the laws of your nation/state/province – whatever the law considers a forensic expert. Some have some rather specific guidelines on what constitutes a cyber forensic expert.

7. Make sure that documentation is available for everyone. While you might be tempted to put it on a corporate intranet (not a bad idea), always keep hard copies handy. Murphy’s Law states that the first site to go down in an attack will be the site that has your plan on it. Also, make sure you keep it up-to-date, as previously mentioned, and provide a way to track updates and routine reviews.

8. Training. A plan is fine, but unless people know their roles and jobs, it’s pointless to have one. The old expression goes that “Security is Everyone’s Business”, and we need to make sure that every team mate has been briefed on at least basic network security. This should be done on intake and repeated at least once a year. Additionally, the security team needs to be the ones who give out warnings of new threats, issues, etc. Too often uninformed, but well meaning people put out information, and all it does is confuse issues. Also, your decision makers need to be briefed on their duties and refresher training needs to happen regularly.

9. Identify the people who are critical to your response, make sure they know it, are well briefed, and know who can make the call if they aren’t around. Grandpa always said that “if a man repeats himself, either he’s gone senile or has something important to say”. So hopefully this is important.

10. Practice… Practice… and practice some more. The best plans in the world mean nothing if they haven’t been at least tested. The easiest way to practice is in what we call a “Tabletop exercise”. In this, we get all the principals around, you start with a potential scenario, and let people react like they would if it was real. Table tops are great for finding out if the plan will actually work or not and afterwards you can make adjustments as needed. It also has the advantage of making your users and decision makers start thinking in terms of security and helping them to understand the decision making process.

A final word here. Planning can’t happen in a vacuum. Someplace, somewhere, there has to be executive leadership or sponsorship. Given what’s been happening in the cyber realm recently, security
is something every business owner needs to be looking at so it might be an easy sell. Change auditing is a must in this situation, above all listed points. Still, there’s the attitude that this kind of stuff happens only to the big companies, and if your management has that mentality, you need to educate them. One of the biggest  and most common questions is “just what did you do to prepare for this?”. If management won’t buy off, the best advice I can give is prepare the best you can and be ready to offer a solution when it does happen. Remember that vision is a function for good leadership and if you have a plan, that makes you king.


Richard is a freelance IT consultant, a blogger, and a teacher for Saisoft where he teaches VMware Administration, Citrix XenApp, Disaster Planning and Recovery for IT, and Comptia Server+