Practice Four: The Importance of Having an Incident Response Plan

Cyber: Prepare, Prevent, Mitigate, Restore

Incident response

Despite an organization’s best efforts, cybersecurity breaches will occur. When you are faced with a cyberattack, the first question that inevitably comes to mind is “What will we do?” Being prepared means asking that question before something happens.

Once the alarm sounds, how should an organization respond? One of the most important parts of an incident response plan (IRP) is ensuring that both electronic and physical copies of the plan exist and can be easily accessed at a moment’s notice, even if the organization’s computers are down. Why is this so important?

  • A cyber incident isn’t just a computer problem. It’s an operational problem.
  • An organization shouldn’t have to rely on its employees’ memories during a crisis.
  • Incidents tend to happen at the worst possible time – such as when key players are on vacation or during peak sales periods.

The IRP does not have to be highly sophisticated, but it does have to be detailed enough to document who does what, how it is done and when it gets done. Documentation is especially important in case those responsible for executing an organization’s IRP are not available.


If you don't have a plan that addresses the technical, legal and risk management components that simultaneously ensures that the right stakeholders are identified and appropriate containment efforts are taken, you will be starting at a disadvantage.


- Jennifer Coughlin

Founding Partner, Mullen Coughlin, at the Travelers Institute event “Cyber: Prepare, Prevent, Mitigate, Restore®: NYSE”

According to Tim Francis, Travelers’ Enterprise Cyber Lead, the goal of an IRP is to provide a clearly defined, focused and coordinated approach to responding to cyber incidents. This will enable the organization to limit the damage and expedite a return to normalcy. Having an IRP in place and testing it before you need it is one of the basic tenets of good cyber hygiene. Yet, according to the 2024 Travelers Cyber Risk Index, 47% of organizations fail to do so.

“Compared to all other business and societal concerns, cybersecurity remains one of the top concerns across the businesses we survey,” said Francis. Acknowledging a range of cybercrimes, like social engineering fraud and business email compromise, he stressed that “there’s a host of other things that an IRP can help you address.”

Francis offered six useful tips for crafting an IRP:

  1. Identify and prioritize your organization’s risks.
  2. Have a communication strategy that includes multiple means of contact.
  3. Determine how evidence will be collected and who will be responsible for collecting it.
  4. Know who will get backups ready to bring your organization back online.
  5. Develop and document a practical plan that meets your organization’s specific needs – then practice and update it regularly.
  6. Have a paper copy of your plan at the ready.

Your incident response plan should include contact information for your insurance carrier and broker or agent. If your business or the business you’re working with doesn’t have an incident response plan, it should start preparing something immediately beginning with this information.


- Edward Chang

Federal cybercrimes prosecutor, at the Travelers Institute event “The Fight Against Cyber Crime – from Prevention to Prosecution”

Getting back to business with limited impact after an attack is only one benefit of having a plan. An IRP also demonstrates to an organization’s partners, suppliers and clients that it takes cybersecurity seriously.


Having a well-thought-out and documented plan is critical so you don’t have to rely on your memory during a crisis.


- Ken Morrison

Assistant Vice President, Cyber Risk Management, Travelers

According to Ken Morrison, Assistant Vice President of Cyber Risk Management for Travelers, an IRP is not merely a reactive measure; it’s a vital part of an organization’s overall cybersecurity strategy. It instills a proactive culture of preparedness and resilience, providing a road map for dealing with the unexpected, helping to protect and even enhance the organization’s overall well-being.


Empowering organizations to tackle evolving cyber threats

Cybersecurity threats affect businesses and organizations of all sizes... Our Cyber: Prepare, Prevent, Mitigate, Restore® initiative promotes dialogue and education to help leaders prepare for and respond to cyber incidents.
