Incident Response Plan: Planning for SMBs

A Comprehensive Guide with Steps & Advice From Duffy Compliance 

“It doesn’t matter what kind of business you have. Everyone should have an Incident Response Plan (IRP)”. That’s the advice of cybersecurity guru and president of Duffy Compliance, Shawn Duffy.

With an impressive 32 years of experience, Shawn has witnessed the evolution of cybersecurity. Not only was he at the forefront of implementing some of the very first firewalls and VPNs, but his expertise has been sought after by some of the nation’s most valuable entities, including the Department of Justice (DOJ), the Department of Education (DOE), and even the National Football League (NFL).

The California Government Department of Technology has also emphasized the importance of IRPs, providing a 17-step procedure for creating incident response plans, including detailed plans for specific incident types such as malware, system failure, and active intrusion attempts.

So when Shawn tells you an IRP is crucial for your business, he’s not speaking lightly. Lucky for me, he’s also a professional acquaintance of mine. So, to help give this guide some added expertise, I hopped on a call and had Shawn walk us through why an IRP is such a critical piece of the cybersecurity puzzle and how you can best construct one to minimize the financial and reputational damage of any type of security breach.

In this post, we’ll discuss the following:

  • What is an Incident Response Plan (IRP)

  • The Importance of an IRP

  • The 7 Phases of Incident Response

  • Steps for Creating Your IRP

What is an Incident Response Plan (IRP)?

An Incident Response Plan (IRP) is essentially a roadmap for managing cybersecurity threats and mitigating their overall impact on your business. Incident response plan templates are available to help organizations create their own plans; they provide a pre-structured format that outlines the steps to take before, during, and after an incident to limit damage and recover quickly.

It is a written document that details the steps you will take to prepare for, respond to, and recover from a cybersecurity incident of any kind.

The Importance of an IRP 

“I guarantee you, big company or small company, when you have a cybersecurity incident, you panic. It’s human nature. It’s how you recover from that moment of panic that is critical. Having a clear plan and designated individuals to respond effectively to a cyber attack can significantly minimize damage and recovery time.” This is how Shawn describes the importance of an IRP. Essentially, it provides three main benefits:

Clarity & Peace of Mind

“One of the biggest things an IRP does is introduce some calm into a crisis situation. Because now you have a plan”, Shawn explains.

An IRP gives you a detailed game plan to follow in a moment of extreme pressure where every minute counts. These incident response procedures provide clear, step-by-step instructions based on the incident response policy and plan, addressing all phases of the incident response lifecycle. By having a well-structured plan in place, businesses can effectively manage the chaos that often accompanies cyber incidents and ensure a more controlled and efficient response.

Limiting Financial Repercussions

“What we try to stress to people is look, it’s a lot cheaper for you to do your due diligence ahead of time than recover from it on the back end”, Shawn says.

Organizations with a well-defined incident response process can typically expect faster restoration of any affected systems and, as a result, minimized financial repercussions.

A recent study by IBM backs this up. According to the report, organizations with a regularly tested IRP save an average of $2.46 million per breach.

Adhering to Compliance Regulations

In the event of a breach, and depending on your industry, you might also be required to report the details of the security incident and the steps you took to prevent it from occurring.

An IRP is crucial for complying with these regulations as it gives you a structured approach to managing and reporting cybersecurity incidents, helping you avoid massive fines and other potential legal repercussions.

The 7 Phases of Incident Response 

The National Institute of Standards and Technology (NIST) framework outlines seven critical phases of incident response to ensure that organizations can effectively detect, respond to, and recover from incidents while continuously improving their security posture. Here, we’ll take you through each one with some relevant insight from Shawn. A clear incident response strategy should guide these phases, setting the overall goals and scope, including recovery goals and any limitations that depend on geographic location.

Phase 1: Preparation

Preparation is the foundational phase of incident response, focusing on establishing and maintaining the necessary tools, policies, and procedures to handle incidents effectively. Key activities in this phase include:

  • Conducting risk assessments to identify potential vulnerabilities and threats.

  • Establishing an incident response team with clearly defined incident response roles and responsibilities.

  • Developing and documenting incident response policies and procedures.

  • Providing regular training and awareness programs for employees.

  • Ensuring that necessary tools and technologies (e.g., logging and monitoring systems) are in place.

Shawn’s advice: “One key part of preparation is building a starter kit that contains all the forms and processes you need to document an incident. If you have to go outside your organization and call in an expert like myself and you haven’t documented any relevant details about when the incident occurred or what exactly happened, it’s going to be much harder to help you.”

Phase 2: Identification

This phase focuses on recognizing a potential incident, confirming it, and quickly getting a sense of its nature and scope. Key activities include:

  • Monitoring systems for unusual or suspicious activity using tools like intrusion detection systems (IDS) and security information and event management (SIEM) solutions. The incident response team plays a central role here by establishing a formal incident response capability and developing procedures to monitor for and respond to threats.

  • Analyzing alerts and logs to determine if an incident has occurred.

  • Classifying the incident based on its type and severity.

  • Documenting your findings and notifying relevant stakeholders.

Shawn’s advice: “This is where technology comes into play. You want to get with service providers and investigate your options for solutions that monitor and identify threats. If you have Endpoint Detection Response (EDR) solutions and other monitoring software on your systems, the experts you consult with will have the necessary data to help you. If you don’t have that reporting, all the following steps become much harder.”

Phase 3: Containment

Containment aims to limit the spread and impact of the incident, preventing further damage. Key activities include:

  • Short-term containment: Implementing immediate actions as outlined in the incident management plan to limit the incident’s impact.

  • Long-term containment: Establishing more durable solutions to maintain business operations while addressing the incident.

Shawn’s advice: “When it comes to ransomware, we see people just shut the computer off and hope things are contained. But that hasn’t changed anything. Modern exploits are scripted to seek out everything the infected computer is connected to and quickly spread to those places as well. This is called lateral movement, and to limit it, you need to pull the device from the network by unplugging the ethernet, shutting off any wireless connection, and stopping it from talking to the rest of the network ASAP.”

Phase 4: Eradication

Eradication focuses on removing the root cause of the incident and eliminating any malicious artifacts from your environment. Key activities include:

  • Identifying all affected systems and components involved in security incidents.

  • Removing malware and malicious files.

  • Applying security patches and updates.

  • Conducting thorough scans to ensure all traces of the threat have been removed.

Shawn’s advice: “What we see a lot right now is hackers like to lay low. They wait for the opportune time to wreak havoc and attack as many critical systems as possible. So, it’s important to be especially thorough in this phase.”

Phase 5: Recovery

Recovery involves restoring affected systems and services to normal operation while ensuring that the environment is secure. This phase includes implementing measures to prevent recurrence. Key activities include:

  • Restoring data from backups.

  • Rebuilding or reinstalling compromised systems.

  • Verifying that systems are functioning correctly.

  • Monitoring systems for any signs of residual threats to prevent future incidents.

Shawn’s advice: “Test your backups. Have you ever pulled your systems offline and tried to restore and run that entire system from your backup? That’s the only way you’ll be absolutely sure that you can recover.”

Phase 6: Lessons Learned

In this phase, you’ll focus on reviewing and analyzing the incident to understand what happened, how it was handled, and what improvements can be made for the future. Key activities include:

  • Conducting post-incident reviews and debriefs with the incident response team.

  • Documenting findings and recommendations for improvement.

  • Updating incident response plans and procedures based on lessons learned; incident response plan templates can streamline this work and help tailor the plan to your organization’s needs.

Shawn’s advice: “All sorts of great improvements come out of the post-incident phase of the process. Maybe you didn’t have the correct chain of custody, or you didn’t document some of the initial steps the correct way, or you need to improve your differential backups. This is where you get better.”

Phase 7: Ongoing Improvement

Ongoing improvement involves continuously refining and enhancing the incident response plan based on lessons learned, new threats, and changes in the organizational environment. This phase ensures that the IRP remains effective and up-to-date. Key activities include:

  • Regularly testing and updating the incident response plan, using templates where they help keep the plan current and tailored to your organization.

  • Conducting continuous training and awareness programs.

  • Staying informed about emerging threats and best practices.

  • Incorporating feedback from incident response exercises and any real incidents themselves.

Shawn’s advice: “You always need to continually identify any new potential pitfalls and update your plans as you grow.”

Steps for Creating Your IRP

“IRPs must be custom-built because every business is different. Manufacturing is different than the medical industry because of the people involved, the level of urgency, and the fact that each business’s priorities are different in terms of what functions or data are most critical to them”, Shawn advises.

So, with that in mind, here we’ve given you high-level steps that can be tailored to fit your specific business and vulnerabilities. Additionally, incident response plan templates are available to help organizations create their own plans.

Step 1: Assemble Your Incident Response Team

  • Define Roles and Responsibilities: This includes identifying team leaders, specialists, and legal advisors. Establishing a formal incident response capability means defining the roles and responsibilities of the incident response team so that each member understands their duties.

  • Include Internal and External Experts: Identify internal staff with cybersecurity expertise and external consultants or partners who can provide additional support.

  • Regular Training and Drills: Ensure the team is well-trained and conducts regular incident response drills to maintain readiness.

Shawn’s advice: “Research any outside companies you’re thinking about hiring. I’ve seen some companies outsource training or risk assessments where I think – I’m sorry that you wasted your money on this.”

Step 2: Identify Vulnerabilities and Critical Assets

  • Conduct a Risk Assessment: Identify and prioritize the organization’s critical assets, such as sensitive data, intellectual property, and essential systems. As part of the incident response process, ensure that roles and responsibilities are clearly defined to effectively manage and mitigate risks.

  • Assess Potential Threats and Vulnerabilities: Evaluate the various threats that could impact you, including any internal and external threats.

Shawn’s advice: “When you’re a smaller business, we need to be very accurate about what systems matter most to your day-to-day operations. A risk assessment is absolutely crucial for SMBs because it allows them to spend their money where it matters most.”

Step 3: Create a Detailed Response Plan Checklist

  • Develop Incident Response Procedures: Create detailed incident response procedures for responding to each different type of incident, including data breaches, malware outbreaks, and even insider threats. These procedures should be based on your incident response policy and plan, addressing all phases of the incident response lifecycle.

  • Document Incident Response Steps: Include step-by-step instructions for detecting, containing, eradicating, and recovering from those incidents.

Shawn’s advice: “An incident is not necessarily an attack. It could be environmental, a power outage, or even illness that spreads through your staff. Develop a plan for the ones that are most relevant to your business.”

Step 4: Design a Communications Strategy

  • Internal Communication Plan: Establish clear communication protocols for informing employees and management about incidents as part of your overall incident response strategy.

  • External Communication Plan: Prepare templates and guidelines for communicating with external stakeholders, including customers, partners, and the media.

  • Notification Procedures: Define procedures for notifying regulatory bodies and law enforcement if necessary.

Shawn’s advice: “It’s important to know who you’re going to contact when you run into trouble. Most companies also have reporting requirements they need to comply with. And whoever it is you end up contacting, they’ll want to see the forms you, hopefully, created during your prep phase and filled out after the incident. So, have those ready.”

Step 5: Test and Regularly Update Your Response Plan

  • Conduct Regular Tests: Regularly test the IRP through tabletop exercises and simulated incidents to ensure its effectiveness.

  • Review and Update the Plan: Continuously review and update the IRP based on the results of tests, new threats, and changes in the organizational environment.

  • Incorporate Lessons Learned: Use insights from past incidents and tests to improve the plan and better prepare for future incidents.

Shawn’s advice: “One of the most crucial things that we do to prepare is tabletop exercises, where we go through the whole process and say, these are the steps that you say you’ll follow, now let’s test it because nothing works better than exposing something to a real-life scenario in order to reveal its weaknesses.”

The bottom line is that not having an IRP will leave you in complete chaos if an incident occurs. This is particularly risky at a time when cyber threats are sharply on the rise.

And as Shawn explains, if you think you’re safe because of the size of your business, you’re playing with fire. “A lot of SMBs believe that they are insignificant in the larger landscape, so they won’t be targeted, and nothing could be further from the truth. The reality is hackers don’t care how big you are; what they care about is opportunity”, Shawn warns.

If you need help preparing for and deterring potential incidents or want assistance deciphering complex regulatory language, get in touch with Shawn at Duffy Compliance.

Or, if you’re overwhelmed and need help finding the best cybersecurity solutions to keep you safe and secure, feel free to contact me at lenny@reliabletechnology.com.