
Cybersecurity Incident Response Planning: Expert Tips, Steps, Testing & More


Digital Guardian

33 cybersecurity experts offer recommendations for building an effective incident response plan.

Awareness is growing that all companies, including both enterprises and small- to mid-size organizations, need a cybersecurity incident response plan. No organization, regardless of size, is exempt from cybersecurity threats, and having an established plan of action that immediately executes following a security breach is crucial to limit incident costs and damages to the company’s reputation.

Of course, there are hundreds of possible considerations – not to mention moving parts – that must all fit together seamlessly and execute flawlessly for successful incident response. Some companies, particularly those that haven’t yet experienced a major cyber security attack, don’t know where to begin, let alone what to prioritize. To shed some light on this pressing issue, we turned to a panel of cybersecurity experts and industry professionals and asked them to weigh in on this question:

“What are the most important considerations when developing a cybersecurity incident response plan?”

Find out what our experts had to say about the most crucial considerations for companies developing their cybersecurity incident response steps below.

Robert Munnelly


Robert Munnelly practices in the Regulatory area at Davis Malm. He has extensive experience with legal, regulatory, and local taxation issues faced by energy, cable television, and telecommunications companies in New England and nationally. Rob represents companies in all six New England states in obtaining utility commission and local licenses, advocating for changes in existing regulatory requirements and market design, and supporting development of renewable and conventional energy projects.

“There are six important steps in developing a cybersecurity incident response plan…”

For companies holding federally- or state-protected personal information, personal health information, or even trade secret information, developing an effective incident response plan (Response Plan) is crucial. In fact, a Response Plan is almost as important as the written information security plan (WISP). Companies such as Target, eBay and Snapchat experienced financial and reputational harms following recent breaches at least in part attributable to slow-moving and ineffective response actions. The same has been true for smaller companies that have mishandled computer incursions or lost unencrypted laptops or data disks and been subject to adverse publicity and governmental sanctions. Whether or not these companies had Response Plans in place, they failed to adequately execute after their respective data breaches.

An effective Response Plan needs to guide company personnel at all levels in managing a potential data breach in a way that supports rapid and thoughtful response activities. For all companies, and especially those with substantial exposure to data liability, Response Plans must be considered an integral part of the WISP, and should include the following key elements.

1. Assemble an Internal Team

Companies with significant protected information should go beyond referring breach questions to the WISP responsible manager and formally establish a breach evaluation and response team to guide the company’s actions following a breach of substantial protected information (excluding a lost laptop or mis-sent email disclosing information of only a limited number of employees or customers). The size of the team will depend on the geographic reach, sophistication and data loss exposure of the company, but it can include:

  • the WISP responsible manager;
  • legal counsel (both internal and outside counsel);
  • an information technology manager;
  • a human relations manager;
  • an operations manager; and
  • corporate communications and government affairs personnel.

At minimum, the team should be tasked with:

  • advising top management and corporate boards of key breach and response developments;
  • communicating internally to all employees that the potential breach has occurred, that an internal team is addressing it and, critically, that internal emails by non-team members should be avoided in order to limit liability through uninformed speculation that may be discoverable in a subsequent breach-related litigation;
  • tracking and meeting all applicable breach-related deadlines imposed by applicable law and vendor agreements; and
  • making sure internal discussions and response plans are protected by attorney-client privilege and/or work product protections, to the greatest extent possible.

2. Identify External Data Security Resources

Breach developments can get out of hand before the company can identify, interview and hire the experts needed to help the company meet breach-related obligations and minimize liability. A good Response Plan will identify each outside resource, provide full contact information and include a backup person in case of unavailability. With respect to specific resources, in addition to experienced legal counsel, the following should be considered and made available in advance:

  • computer forensics experts who can image a potentially compromised computer, server or network, confirm and analyze the extent of incursion, and fix the problem;
  • public relations professionals who can help with public-facing statements and press contacts if the breach is publicized;
  • operations personnel who can help with dissemination of Response Plan-related information and action items as well as website changes and short-term call center expansions if needed to meet consumer information needs; and
  • insurance brokers who can swiftly identify available breach-related benefits under general policies and, where applicable, specialized cybersecurity policies and help provide formal loss claim notices.

3. Differentiate Breaches

The Response Plan should have sufficient flexibility to establish an appropriate and effective process for different types of breaches. For example, while minor breaches can be left to the discretion of the WISP responsible manager, others may require consultation with the full response team and across offices. Additionally, different personnel may need to be on a team depending on the significance of the breach (whether it is at a mid-size or company-threatening level), type of breach (whether computer incursion or insider employee data theft) or type of the information at issue in the breach (whether the breach involves social security numbers, credit or debit card numbers, personal health information or trade secrets).

4. Create an Action Item Checklist

Well-crafted Response Plans for larger companies should include a checklist of prioritized action items to be completed immediately after the company learns of a potential significant data breach. Some key items include:

  • recording the date and time the breach is discovered;
  • finalizing and activating both the internal and outside response teams for the type of breach;
  • establishing a secure perimeter around any equipment or systems believed to be part of a breach and taking potentially compromised systems off-line to avoid additional incursions;
  • conducting initial interviews of those with critical knowledge of the potential breach;
  • getting forensics personnel on site to make a secure copy of the affected systems so they can be fixed without compromising assessment of the manner of breach; and
  • beginning to discuss action items to be undertaken over the next day or days.

Importantly, for hacked computer systems, companies should try to avoid making public statements until forensics determines an unauthorized incursion occurred. A false alarm can do serious and unnecessary harm to the Company’s reputation.

5. Track Key Breach-Related Rights, Obligations and Deadlines

While any well-constructed WISP should identify the key legal obligations the Company must meet under applicable state or federal laws, especially any deadlines for reporting or responding to potential breaches, the Response Plan should track all data security-related deadlines. This is particularly true for bilateral contract security provisions with your vendors (or involving you as vendor with your client companies) that require additional data security-related notice, reporting or task completion deadlines. These should be tracked so deadlines and obligations are not missed through inadvertence or oversight.

6. Review and Update the Response Plan Regularly

Even more important than the WISP itself, a Response Plan needs to be regularly reviewed and updated – at least once per year and more frequently for larger companies. Internal and external personnel change, provider retention agreements can expire or terminate, new business lines with new risk profiles can be added, new contracts granting new data security rights and responsibilities can be entered into. The Response Plan should change to reflect current data at all times and, in particular, service provider arrangements should be kept current so external professionals are available when needed.

Given that breach-related harms for larger multi-location companies can run into the tens or hundreds of millions of dollars, such companies with data liability risks should consider running incident response “war games” to test the performance of the Response Plan team, top management and affected business units in various breach scenarios.

To wrap up, mishandling the breach due to inadequate planning and a failure to undertake foreseeable advance planning can make a bad situation even worse. Any company with the foresight to develop a good WISP also should have in place a strong Response Plan.

Bill Ho


Bill Ho is a cybersecurity expert and CEO of Biscom, a leading edge secure document and messaging solutions company that enables firms to share and store documents securely. Over his 20-year career, Bill has worked closely with various companies in the healthcare, financial services, government, and legal spaces.

“Cybersecurity incident response plans are multifaceted, so it’s hard to narrow down the most important considerations…”

A response to a breach or cyber attack involves many different stakeholders from IT to legal to PR to the executive management team. However, if I had to focus on a few areas, I would invest substantially in creating good documentation, training, and dry runs. A written plan and defined procedures help ensure everyone understands the concrete cybersecurity incident response steps that need to happen and clearly specify each person’s role. While each incident will be unique, laying out general rules and heuristics and running tabletop exercises can quicken reaction times when a real incident occurs. Practicing what you envision as a response will give great feedback to the process and help identify any areas that may not be optimal.

Dr. Chris denHeijer, D. CS


Dr. Chris denHeijer is the Lead Faculty for the Management Information Systems and Business Analytics Degree Program at Colorado State University-Global Campus. He has been actively working in the Aerospace industry for 30 years and is currently focused on project management and cybersecurity. Dr. denHeijer graduated with his first MBA from the University of La Verne, received a second Masters’ Degree with a concentration in Computer Security from CTU Online and a third Masters’ of Science in Management (MSM). In addition, he completed a Doctorate Degree in Computer Science and Enterprise Information Systems from CTU. He lectures on a wide variety of information technology topics as a published author and has written articles on malware and wireless technologies. However, he most enjoys teaching as an adjunct professor and sharing knowledge.

“Hackers can take advantage of any type of vulnerability, even if that risk is perceived as low. When teaching students how to develop an IRP (Incident Response Plan) I explain that there must be…”

A comprehensive understanding of the current computer and network environment at the company. What are the risks as well as the strengths? Since students at CSU-Global are typically working adults, I ask them to look at previous incidents (breaches) and document “lessons learned”. They evaluate the current resources available to support the IRP, recognizing that both company policies as well as upper management must support the plan. Once there is a better understanding of the risks and previous breaches, the company can begin creating the IRP.

The IRP would include an IRT (Incident Response Team). Within the IRP there should be defined processes and documentation used by the team. The IRP would include defined roles and responsibilities for the IRT as well as clear communication methods. Physical security is often overlooked but is a valuable component. The IRP should consider network, computer and physical security. Once the plan is in place the IRT should test the plan regularly. It should not just sit on a shelf because it is a compliance requirement, but should be evaluated on a regular basis. It is recommended that the plan be tested at least quarterly and updates made as needed. If a breach occurs, the cybersecurity team would want to look at “lessons learned” and conduct a “root cause analysis” so they can make improvements to the Incident Response Plan.

Joseph Riccie, CPA


Joseph Riccie, CPA and Partner, has over 30 years of financial, human capital and operational management experience collectively. He leads WithumSmith+Brown’s Management Consulting and Cyber Secure Services practice, specializing in managed programs and leading change enablement and enterprise transformation programs.

“A Cyber Incident Plan is a similar thought process to creating a Disaster Recovery or Business Continuity plan, but with more focus on a specific risk…”

If you’re preparing the Incident Plan, by now you have identified what is most important, your crown jewels that need to be protected. A cybersecurity risk has the potential to not only be an outward intrusion but also the work of a malicious insider. Most of us are aware of the current story around a contractor downloading confidential files and stealing paper documents from the NSA.

The Incident Plan should be based upon the risks of attack scenarios, as the detailed actions to be executed will vary. The plan should be specific by role or position within the organization. It should also be communicated to all parties with responsibility to act and rehearsed in a mock attack. In the same way our law enforcement professionals train and act out simulated terrorist attacks, companies should go through simulations for any implemented plan (Incident, Disaster Recovery, etc.). There is a difference between talking about and acting out. We suggest that organizations implement advanced penetration tests and engage the services of a Certified Ethical Hacking Team, the white hats, to test your cybersecurity plans.

Every Incident Plan should have communication protocols for informing state, local and federal government agencies. Most U.S. states have cyber breach notification laws so get to know what is expected at all levels.

Greg Kelley

Greg Kelley is CTO for Vestige Digital Investigations, a company that performs computer forensic services and data breach response for organizations.

“A company must consider that a cybersecurity incident response plan will balance two opposing forces…”

The need to get systems back up and running normally as soon as possible and the need to preserve evidence for an investigation. Depending on what the breach is, an investigation will likely need to be performed to determine what data may have been taken and whether that triggers any notification requirements. A plan that doesn’t consider the preservation will instead just look to restore systems to a properly functioning state. Quite often that restoration will destroy the evidence needed to conduct an investigation. On the flip side, a plan that just considers preservation may not meet the needs of business continuity. Therefore, the plan must balance these two forces. Determining the proper balance likely depends on what systems are affected. A company may have different preservation and restoration procedures for a website, email server, ERP system or workstation. Of course, as with all response plans, a cybersecurity incident response plan should be tested to ensure thoroughness and reviewed periodically, as company requirements are likely to change over time. Any plan should also start with an assessment or audit of systems so that the right systems are included in a plan.

Jack P. Healey CFE, CPA/CFF


Jack Healey CPA/CFF, CFE, CEO of Bear Hill Advisory Group, LLC, is an expert in operational, financial and organizational crisis management, strategies and tactics. He is an expert in Cyber Incident Response strategies and tactics and has consulted Fortune 50 as well as small companies on the preparation, identification, remediation and recovery from Cyber Incidents.

“When developing a Cyber Incident Response plan there are three areas which I see clients fail to focus on – any of these deficiencies will render the plan ineffective…”

1) Make-up of the Cyber Incident Response Team: Too many CIRPs originate in the CISO’s or CIO’s office and they fail to view IT Security as a Business Issue, not an IT Issue. So while most Cyber Incident Response Teams (CIRT) include the CISO, Legal, Human Resources, IT Security, and Communications, they often overlook Insurance (Risk), Customer Service/Sales, Supply Chain (more than 50% of breaches are the result of supply chain relationships), Internal Audit, Brand Management, Division Presidents (especially for multi-national groups) and other key business and brand decision makers. Also, failure to inquire of the Board of Directors when/how they wish to be notified is a key failure. Many executive teams ‘tell’ the Board when they will be notified. Serving as Audit Committee Chair and as a Board member for Public Companies, it is much better to ask the relevant committees under what circumstances they wish to be notified.

2) Failure to develop a plan tailored to their specific company. Many companies today are under pressure from their Board of Directors or Insurance carriers for a CIRP plan. Some start with the NIST Computer Security Guidelines, but fail to tailor the plan for their company. Consider a company that has recent acquisitions and needs to have procedures on integrating cybersecurity into the plan. Many acquiring companies will firewall the data, but allow other connectivity which will expose data to a breach. They fail to adequately adhere to stringent encryption policies while interacting with an acquired company which has yet to be sufficiently vetted as cybersecure. One of my clients was on site at several Fortune 100 manufacturers supplying them consumables for their manufacturing – their CIRP was not tailored to their clients, so when a breach was discovered there was not a comprehensive solution to deal with all of the connection points. Their only recourse was to ‘go offline’ which shut down manufacturing at their customers’ plants. The CIRP plan was a ‘check the box’ and the CIRT was devoid of any operational management. The impact to their brand and customer relations lasts to this day.

3) Failure to adequately test the plan and review ‘hot wash,’ or after action reports from actual events, and incorporate lessons learned into the plan. Many companies will take the 11 test scenarios included in the NIST Security Incident Handling guide and test for these known breaches. We test companies with an escalating unknown breach which may look like one thing and be something else. This is not to ‘trick’ the client, but rather make a breach more realistic. In a crisis, half of everything you learn at the beginning turns out to be wrong, but you just don’t know which half. A third party should obtain adequate knowledge of the company’s procedures and security environment and then devise a tailored scenario for the company based on its risk and security profile. In addition, after an actual event, a third party should run the ‘after action’ exercise, acting as a facilitator to enable candid discussion of what went well and what should be improved. An independent party lead makes certain that all voices are heard and brings the perspective of an outsider who has walked through many after-action reports.

By focusing on the make-up of the Cyber Incident Response Team, tailoring the Plan to the specifics of your company and rigorously testing that plan, you can go a long way to improving the quality and efficacy of your Cyber Incident Response Plan.

Jason McMahan


Jason McMahan is the director of technology at Concept Technology Inc. Concept Technology provides IT services to small and mid-sized businesses in Nashville. James Fields founded the company in 2003 with a vision to be a company where the world’s top talent wants to work. Now with a staff of 50+ and growing, Concept Technology is one of the top IT companies in the region, serving 300 area businesses. The company was included in the top 20 of Entrepreneur Magazine’s list of most entrepreneurial companies. Concept Technology was named one of the Best Places to Work by the Nashville Business Journal eight years in a row. The company was also named to Inc.’s 500|5000 the last six years in a row, Fortune’s Inner City 100 list of the fastest growing inner city businesses in America in 2016, 2015, 2014, 2012 and 2011, and has received numerous Nashville Chamber of Commerce awards.

“Businesses with a well-defined response plan can maintain confidence, even in trying times, and restore normal operations quickly and efficiently. For those without a plan, however, the impact of a lengthy resolution time is often lethal. Overall, the most important rule when developing a cybersecurity incident response plan is…”

People first. The safety and privacy of data belonging to your employees and clients is always more important than saving assets or business recovery operations. It is important that your team understands this, and that it is a consistent element of your planning and message.

Below are some important steps to remember when developing a response plan:

Define key assets and threats.
When creating a cybersecurity incident response plan, you need to know what you are protecting and the inherent value of those assets to define how they should be protected. These assets could include proprietary data, network access, an accounting system, LAN files, digitally stored business documents and more.

Evaluate incident scenarios.
Once different assets and threats are identified, you can define scenarios. These scenarios should have pre-defined actions and provide guidance on appropriate responses. Common cybersecurity incident scenarios include malware infection, DDoS diversions, denial of service or unauthorized access. To quickly be alerted to these incidents, implement round-the-clock monitoring services into the plan for “watchdog” protection.

Determine the data recovery process.
Most importantly, without preemptive backup solutions, you won’t be able to counter a cybersecurity incident in a timely manner. Incorporate hybrid backup solutions that combine on-site and cloud-based services to manage control of your important data, and establish backup processes to determine how long you can go without access to these resources. When working in the aftermath of a cyber-attack, it is important that you retain the ability to focus on the most important systems first—some data or systems may be needed within the hour, while others may be fine if they are operational the next day.

Define the appropriate solutions.
Assess the appropriate approach and solutions based on the assets, scenarios and the data at risk. Solutions can range from recovering from tape backup to disk backup. Determining the appropriate type and level of protection ties directly to the business value of the asset, and how long you can work without it.

Train your team.
To effectively implement a cybersecurity incident response plan, train team members on cybersecurity policies in addition to roles and responsibilities in the event of an incident. By establishing protocols and performance objectives, the entire organization will be better equipped to quickly protect data and resume normal business operations.

Braden Perry


Braden Perry is a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC. Mr. Perry has the unique tripartite experience of a white collar criminal defense and government compliance, investigations attorney at a national law firm; a senior enforcement attorney at a federal regulatory agency; and the Chief Compliance Officer of a global financial institution.

“The most crucial considerations in developing a cybersecurity incident response plan are…”

I work with a number of vendors on cyber intrusions and prevention. For outsider attacks, most of these attacks compromise legitimate websites to deliver malicious payloads which can then reach data. This can usually be prevented. While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical, and having a communications method for response, actively monitoring centralized hosts and networks, and including enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly. Generally, there’s more of a threat by insiders, either who have gone rogue or have negligently allowed malicious payloads to enter into the cyber environment. Unfortunately, there’s not much, besides compartmentalization and monitoring, you can do if an insider wants to reach data. In the event of a malicious attack, a company should have systems in place to keep operational, or at least backups where the company is not affected or only very slightly affected. In the event of a total disruption of the business, it is too late to mitigate and you will likely see dramatic costs to the business.

Christopher Roach


Christopher Roach is Managing Director and National IT Practice Leader for CBIZ Risk & Advisory Services. Chris is an IT expert who offers cybersecurity solutions to clients nationwide.

“Having a proactive cybersecurity strategy is a company’s best defense against an attack. I advise businesses to follow the three R’s…”

Recognize: Identify the problem. As in any trauma situation, identifying the source of the incident is paramount to minimizing the damage the incident could cause. Internal controls will have a large role in indicating where incidents may be occurring. Monitoring logs and access to networks is especially critical because this is where signs of a breach will likely turn up.

React: Stop the incident. A company’s incident response plan to unauthorized access should be able to cut off the access point, slow down and stop the intruder and preserve the environment that has been compromised. This can be accomplished through proactive monitoring, user training and a layered security approach.

Recover: Repair the damage. The regulatory environment surrounding the compromised data may require long-term corrections to be implemented. First priority goes toward fixing the problems that led to the incident in the first place. Understand what incidents actually are considered to be breaches in the geographic areas where your business operates and the corresponding breach notification laws for each of these states and countries. Companies that tie incidents back to their third-party and vendor relationships should work with that company to understand what they are doing to prevent a similar event from occurring in the future. If the incident occurred through wireless access to the network, companies may want to consider strengthening encryption for wireless access, issuing unique user IDs and making passwords for access more complex.

Val King


Val King is president and CEO at Whitehat Virtual Technologies, a virtualization integrator, managed services provider and consulting services firm based in Austin, TX.

“In developing a cybersecurity incident response plan, consider the following…”

1. Develop a team to manage the response; key roles from IT, Operations, Executive & potentially PR/Marketing are part of this group.

2. Develop a communication plan in advance.

3. Consider all of the ways an incident may be detected (e.g. help desk, intrusion detection system, systems admin, network/security admin, staff, managers, or outside contact) and make sure there is a communication plan for each type.

4. Build out procedures for the most common types of events:

  • Worm response procedure
  • Virus response procedure
  • System failure procedure
  • Active intrusion response procedure
  • Inactive intrusion response procedure
  • System abuse procedure
  • Property theft response procedure
  • Website denial of service response procedure
  • Database or file denial of service response procedure
  • Spyware response procedure

5. Practice forensic techniques in advance so staff knows what to do. Develop procedures for reviewing system logs, evaluating gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization.

6. Learn proper evidence preservation techniques — make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal.

7. Develop procedure to notify proper external agencies and figure out how to do that in advance — notify the police and other appropriate agencies if prosecution of the intruder is possible.

8. Assess damage and cost — assess the damage to the organization from the incident itself and the containment effort (cash, lost business, reputation, etc.).

9. Conduct an event autopsy to review response, lessons learned, and update policies to do all you can to prevent the issue in the future.

Doug Landoll


Douglas Landoll, CEO of Lantego, LLC, is an author, security professional, and serial entrepreneur in the information security profession with over 25 years’ experience. He is the author of the recent book: Information Security Policies, Procedures, and Standards: A Practitioner’s Reference (CRC Press 2016).

“The development of any policy, procedure or process can be rather involved but here are a few tips for those looking to create and implement an incident response plan…”

Do: Start with a collection of IR plan requirements and objectives. This would include regulatory and customer requirements (e.g., HIPAA, PCI DSS) and business objectives (e.g., response times and recovery strategies).

Do: List 10-20 common (or foreseeable) incidents for your organization and ensure that the plan and procedures address these incidents. The IR plan can evolve and expand once it is in place to address unforeseen incidents.

Do: Include affected staff members in the development and review of the documents. Not only does this avoid the “not invented here” issue but this also ensures an inclusion of insights and current issues or successes in handling incidents.

Don’t: Rely solely on templates or example IR plans. Your organization, systems, staff members, customers, environment, and culture are unique. A cut-and-paste document may satisfy novice auditors but will not prepare your organization to respond effectively to information security incidents that are sure to happen.

Don’t: Create the IR plan in a vacuum. This document requires integration with other policies and procedures such as security awareness training, business continuity planning, account management, breach notification, procurement, and system monitoring.

Chris Duncan, CISSP


Chris Duncan, CISSP is a Principal Network Security Consultant for ITeck Solutions.

“Cybersecurity Incident Response Plans (CIRP), like computers themselves, are not as simple as they seem on the surface and should be modular…”

When considering your CIRP, breaking sections down into smaller elements may reduce the overwhelming nature of developing a comprehensive strategy. From the start, view the CIRP as a part of a larger IT master plan and how it interacts with the other components of that plan. Next, look at the CIRP from both reactive and proactive perspectives. Events that hold the potential of data loss should be treated the same as events that have caused data loss. From there, break down your actions into the key parts of incident response: Identify, Contain, Address, Recover, and Postmortem. Plan for both specific scenarios as well as general responses based on resources impacted and severity of incident. After the incident itself has been resolved, what a company does next from legal obligations to public relations, is just as crucial.

In the larger scheme of things, your CIRP should be a component of, and dovetail with, your grand IT master plan containing your policies and standards (rules of doing things), procedures (how to do things), the CIRP (what to do when things go wrong), and disaster recovery or business continuity (how to recover when things really go wrong). The CIRP itself is also broken down into various components. These of course need to be highly customized to the specific needs, scenarios, and regulations of each individual firm. The goal of this method is to create a decision tree so that no matter who “grabs the book”, they will have a tool to help them make a decision and take action quickly.

In incident response, time is critical; hesitation is damaging. The first compartmentalization of a broad CIRP is between proactive and reactive. Most people view incident response as purely reactive but it should be treated in a proactive manner as well. A user getting a new computer or a new phone is an incident. When they do so, the device being replaced becomes a potential conduit for data loss. Phones have company email, contacts and sometimes even password lists. Quite often, especially around the holiday times, the IT department is not even aware that someone has replaced their phone without taking necessary precautions. At a minimum, phones should be factory wiped before handing them down or trading them in. With new computer equipment, the former system’s hard drive needs to be securely wiped before being put back into inventory or disposed of. In general, try to think of any method or medium used to transmit or store data and determine what events put this data at risk. Those are your potential incidents and need proactive responses to prevent loss.

Reactive responses are innately more urgent. The common practice for incident response breaks down into the following steps: Identify, Contain, Address, Recover, and Postmortem. All of these cybersecurity incident response steps need to be swift but accurate. A misidentification or misdirection in action could cost time and data. Identification of an incident can come in many forms. Hopefully it’s from a deterrent employed detecting the incident as it’s happening so immediate action may be taken. All too often it’s after the fact when the detritus of a breach is discovered (where did that user account come from?) or when the ramifications are felt from data being publicly released (WikiLeaks) or used to compromise people (identity theft) or compromise resources (breaking into other systems).

Identifying is broken down into determining root cause and determining damage. It is critical to determine the actual root cause. You may be responding to “no one can access company files” when the actual incident you need to respond to is “one of our systems got ransomware.” The incident may seem to be “We’re under a denial of service attack,” when the real issue might be that attack is a smoke screen for the extraction of data (also known as a “sneeze attack”). Knowing the difference is key to reacting quickly and correctly.

Once the incident is identified, stop the bleeding. Containment can be broken down into two facets, active and passive, depending on the incident identified. If it’s an active incident happening right now, e.g., your files are in the process of being encrypted, data is being downloaded, or there is a denial of service attack, you might need to take dramatic action. This may be unplugging a system from the network or shutting down the company access to the internet. But do what it takes to stop loss of data.

By passive, we mean the damage has already been done. You’ve discovered someone has broken into your network, data was leaked, or a laptop was stolen. The response is still just as urgent, but you can be more precise in your tools and methods such as changing everyone’s password rather than cutting off the internet and stopping business. Addressing the problem is fixing the root cause. Someone may have stolen a password and broken in. You changed all passwords to mitigate the damage, but you still need to remedy the actual cause. Was there a key logger on someone’s computer? We’ll need to scan, find out and fix it in addition to the password changes. The addressing of an incident needs to be thorough; the cause may not be the cause. In our example, it may have been the key logger that gave away the password that allowed the breach, but it may have been a free game downloaded that allowed – and will allow again – the key logger to be installed.

Recovery is the most dependent upon being prepared before any incident has occurred, and arguably the one that should have the most resources and focus of a company because it’s not only essential to an incident response but to overall business continuity in times of disaster. Recovery may be divided into two phases: immediate/temporary and permanent. The goal in recovery from an incident, as it is during a disaster, is to first get the business working again, temporarily, and second to get back to a state of normalcy, permanently. If equipment or services are down, it may be running off of backup resources until the primary resources are restored. If data was damaged, it may be restoring from backups but then rekeying information until you are up to date.

During the recovery phase, keep in mind who or what is affected. Internal users? Outside customers? The company brand or intellectual property? With data breaches and compromised security, recovery is not limited to just the restoring of data or repairing equipment. Depending on the type of data and your industry, you may be required to disclose to governmental authorities and to the customers who might have been affected, that a breach has occurred, and possibly provide reparations such as free credit monitoring. Any medical information covered by HIPAA, any personally identifiable information, information that could be used for identity theft, or account information such as login names and passwords are all examples in which persons should be identified. This in turn impacts the company’s brand and reputation.

Disclosure is not necessarily always immediately after discovery. There are several cases of high profile data breaches in which the disclosure was years after the occurrence. Had LinkedIn announced their data hack in 2012 when it occurred, it would have been one of the largest breaches at the time. By waiting until 2016, the loss was rather small in comparison to Home Depot and Target and subsequently damage to the brand was minimized. Between 2012 and 2016, the incident was under internal review and not considered closed yet, which would have triggered the requirement for disclosure. How and when you should notify depends upon the laws and regulations covering your industry, officers of your company, the marketing department or a damage control PR firm, and your lawyers.

The postmortem is lessons learned, and like the rest of our steps, is done in two parts: how did we handle the situation; can we do better? And how do we prevent it from happening again? Postmortems are essential. They improve the process and prevent recurrence. Unless gross negligence was at the heart of the issue, they should not be used for finger pointing or blame as people trying to protect themselves may prevent the real causes from coming to the surface leaving your firm exposed yet again.

By considering how to break down your cybersecurity incident response plan into various smaller components, you will be able to easily compose a comprehensive strategy to cover a wide range of incidents. And always have good backups.

Sarah Granger


Sarah Granger has more than 25 years of experience working at the intersection of technology, media and government. She is an award-winning digital media innovator and bestselling author of The Digital Mystique: How the Culture of Connectivity Can Empower Your Life – Online and Off. Her work focuses on issues related to innovation, digital politics, cybersecurity, online privacy, technology accessibility, and open democracy. She is a Fellow at the Truman National Security Project and formerly served as co-chair of their cybersecurity expert group.

“An incident response plan is highly recommended for any sized business…”

When it comes to cybersecurity, anyone can be hacked for a number of reasons — theft of intellectual property, denial of service to cripple the business, interruption to reduce service reliability and boost a competitor, etc…

Any company that has customers or intellectual property should be considered a target.

A solid incident response plan doesn’t need to be an expensive project to develop. As with any kind of emergency response plan, you’ll want to have everything presented for how to react. If you have an earthquake or a tornado or a blackout, you need to know how your company will protect personnel and property. It’s the same way with cybersecurity.

Some of the key components of an incident response plan include:

  • Identifying potential weak points/potential incidents
  • Building resilient networks to protect/prevent intrusion
  • Training and assigning roles to staff for action/reaction in the event of an incident (including incident response teams, if it’s a larger organization), understanding most likely there will be some sort of incident, but the level of severity could vary
  • Incorporating backup, security procedures
  • Full technical recovery plan
  • Media/PR and customer outreach plan for informing people of the breach if it is made public

Major steps in the process: preparation, detection, analysis, containment, eradication, recovery, and review. Here’s an article I wrote in 2001 about incident response teams that still applies today.

Tracy Williams


Tracy Williams is the CEO and President of Olmstead Williams Communications. Tracy is an award-winning expert in business-to-business communication with 25 years of public relations and crisis communications experience. She works with national and international print, broadcast and digital media to secure top-tier placements that help clients meet their business objectives.

“Here are the most important things to remember when it comes to a cybersecurity crisis…”

  • Share company-wide, verbally and in all written materials. Don’t neglect your own employees. Protect your people by empowering them with knowledge. They’re your most important asset.
  • Identify all stakeholders and quickly develop a communications strategy for each.
  • Your communications intent should be compassion, honesty, and transparency.
  • If there is a solution to the problem, work toward solving it quickly and as openly as possible. Crises are not resolved immediately, but it’s important to articulate an immediate effort. ‘Scandals’ are born when you try to hide.
  • Break your own bad news. It’s powerful and establishes trust and confidence from stakeholders.

Joshua Crumbaugh


Joshua Crumbaugh is Founding Partner & CEO at PeopleSec.

“When creating an incident response plan there are a number of important considerations…”

1. Who will be in charge during an incident?

2. What parties need to be involved?

3. What is the primary goal when dealing with an incident? (Restore operations or preserve evidence)

4. How will the IR team communicate if internal communications channels have been compromised?

5. What constitutes an incident?

6. How is the organization going to define incident severity levels?

This list goes on and on, but those are a few of the key considerations.

Mike Meikle


Mike Meikle is Partner at secureHIM, a security consulting and education company. secureHIM provides cybersecurity training for clients on topics such as data privacy and how to minimize the risk of data breaches. Mike has worked within the Information Technology and Security fields for over fifteen years. He speaks nationally on Risk Management, Governance and Security topics. He has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine and The Chicago Tribune. Mike holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and Six Sigma Green Belt.

“The most important considerations for developing a cybersecurity incident response plan include…”

1. Having a viable incident response plan (IRP) is the most important. You would be surprised how many large companies don’t have an incident response plan at all.

2. A comprehensive, current communication plan within the IRP. Knowing who to call, when to call them and via the correct communication channel is very critical.

3. Engaging the appropriate level of leadership when the IRP is being developed. Having the CISO or CIO involved in the planning process will add credibility to the IRP.

4. The IRP cannot be a cookie-cutter document. It will have to have options on how to deal with varying levels of data breaches, types of endpoints and infrastructure, and severity of the incident.

5. The IRP must be tested to ensure all the components flow correctly and the expected end result is achieved.

Sheila Lindner


As President of Canada’s foremost provider of high quality document management and business process outsourcing solutions, Octacom, Sheila Lindner has helped numerous businesses and enterprises streamline and optimize their administrative efforts for better security and efficiency.

“Technology is advancing at such a quick pace that it is hard for many businesses and organizations to keep up…”

Many companies are still focused on trying to efficiently optimize digital integration with their workflows and corporate process. Having concrete digital security systems in place to ward against hackers, malware, and even internal misuse is often overlooked through this “development” phase, leaving their systems vulnerable to cyberattack.

Having automated processes in place for notification and immediate containment measures is integral to your cybersecurity incident response plan. These protocols help ensure that even if the system is hacked, the person or entity will not get further access to the system and the relevant individuals will be notified immediately in order to repair any damage done and remedy the identified weakness(es) in the system. From a more proactive perspective, it is important for companies to understand that these cyber attackers are becoming increasingly sophisticated in their approach, and the digital space is in a constant state of growth and evolution. Because of this, it is of the utmost importance to invest in an expert cyber security team and/or software that will enable a company to stay ahead of new developments to avoid vulnerability and keep their company’s digital assets (and reputation) safe.

Amjed Saffarini


Amjed Saffarini is CEO of CyberVista, a cybersecurity education and workforce development company whose mission is to create a cyber-ready workforce through personalized training programs that provide organizations with the people, knowledge and skills required to defend their most critical assets.

“An enterprise cyber response plan (ECRP) is key to ensuring your organization’s…”

Incident response plan, communication, business continuity management, legal response, human resources and disaster recovery plans work in concert with one another following a major cyber incident. An ECRP acts as a guide that all branches of your organization can use to respond to a breach, in an effort to quickly and efficiently restore operations and remediate any effects of the breach. There are three steps to setting up an effective ECRP: First, assemble a team to ensure the ECRP integrates all other plans and is developed in a cohesive manner; second, establish the need to designate a lead before a cyber crisis occurs; third, practice and update the plan regularly to ensure the plan works according to design.

Michael Barrio


Michael Barrio serves as Managing Partner and Vice President at Leverage Point, an advocacy and strategic communications consulting firm. He spent several years in Los Angeles, CA, and gained extensive expertise in corporate human resources, organizational development and alignment, and media relations during his tenure at The Walt Disney Co. and Yahoo!, Inc.

“My first piece of advice would be to note that the first hour after a crisis breaks is…”

Crucial to mitigating brand damage. Second, know your state data breach notification laws and compliance guidelines. Then, assemble your crisis team – know who your spokespeople are, outline clear responsibilities, and ensure messaging is consistent and honest. Make sure your front-line defense is equipped to manage and respond, real-time, to public and stakeholder concerns, questions and comments on all of your social and online platforms. If you don’t already have a basic set of general holding statements, develop some – fast. Always include your policy commitments, investigation, candid admissions, and real-time corrective measures being undertaken. Get out in front of the story – get ahead of it. The trick, here, is to know where the reporter will likely go – what she or he will likely ask – and to not just know your facts, but have them distilled into succinct talking points. Don’t lie, and don’t ever say “no comment.” Never ‘stonewall’ – keep your publics in the know; it’ll only help you. And finally, fix it. And, if you haven’t already, look into some cyber insurance.

Ben Taylor


Ben Taylor is a writer and IT consultant with two decades of industry experience. He currently heads up the content team for and runs a UK-based IT consultancy.

“A cybersecurity incident response plan needs to encompass four key things…”

Assessing the scope of the incident, containing it, recovering from it, and taking action to prevent a recurrence. Technical attacks can spread through corporate networks like wildfire, so going temporarily into “lock down” is usually a more sensible strategy than trying to keep everything running. Obviously the key thing for all businesses is to quickly ascertain if and how customers are affected by a cybersecurity incident, and take immediate steps to minimize the impact and avoid reputational damage. Sadly, though, as constant security breaches have proven, no company is immune to the actions of determined hackers. Hence the importance of learning from incidents and putting measures in place to reduce the chance of recurrence.

Karla Jobling


Karla Jobling is COO and founder for BeecherMadden. BeecherMadden is a niche recruitment business specializing in corporate governance, resilience & security and niche technology.

“As well as technical requirements and experience, it is important to consider the…”

Crisis plan and communication plan. If an incident requires reporting to a relevant regulator or customers, a good communication policy will be essential. Your CISO must be able to brief the CEO quickly and effectively, so that they are able to minimise the risk of losing customers. Having the right people on the team who have those skills is important and becoming a larger consideration for cyber teams.

John Hodges


John Hodges, VP of Product Strategy at AvePoint, focuses on developing compliance solutions that address modern data privacy, classification and data protection needs for organizations worldwide.

“In developing a cybersecurity incident response plan, companies should consider that…”

In many cases, breaches of personal information are not always the result of a simple email containing personal information – but rather the discovery of existing content that had already been published. In general there are proactive measures that companies should be taking, like just-in-time notifications of policy violations as content is being authored, and as it is being shared. There are also reactive measures to take – or scheduled check-ups that will ensure violations are not recurring simply due to age.

This is truly an important component of successfully implementing a DLP solution because context as well as content is critical. Every organization will have sensitive data within it – whether this data causes an issue is all about the context. Who can access it? Who has accessed it? What have they done with it?

Using compliance software is an extremely important part of keeping your company’s data safe and implementing a plan if your data is ever compromised. Most compliance software allows you to monitor and track violations through tracking reports for review so that your organization can make informed decisions and take action. Having the complete picture of an incident and all relevant activities surrounding it is fundamental. For instance, if sensitive information is posted either to a blog or wiki, an immediate audit can be performed to generate a list of who could have viewed that information.

Frank Limpus


Frank Limpus is principal of Limpus Communications, a Franklin, Tennessee marketing communications firm that helps banks and other businesses prepare against cyber threats and better communicate about themselves. Limpus’ crisis communications consultant certification is from the Institute for Crisis Management.

“From my perspective, one of the most vital considerations is the…”

Communications about the incident.

The likelihood that a company will have to walk through a cyberattack is much greater today. Not only is it important to think through the logistical cybersecurity incident response steps you’ll take to prevent – or react to – an event, but how you’re going to talk about it, both internally and externally. Because word WILL leak out about the situation.

A key part of the planning process should be to proactively develop statements for each and every audience of your company that might be affected by an attack, be it a denial of service, a phishing scam, malware, ransomware, technology service provider problem, whatever.

These audiences will probably include customers, vendors, the general public, stock holders and, especially, employees. Often overlooked in a crisis, employees can become your best advocates during a cyberattack if they know how to respond during the situation.

The more rapidly you seize the opportunity to frame the situation with the appropriate words and images, the more likely you are to control what is said about you, your company and the cyber incident. Remember the public will judge you by what you do and what you say. Don’t overlook the power of social media to monitor any chatter about the incident.

Planning these statements without the pressure of a wildly escalating situation is absolutely the best time to talk – and think – through everything that needs to be said. And gathering the right resources around the table, such as legal, HR, sales and marketing, operations, manufacturing and PR to talk it all through, will help ensure your statements are rock solid. During a crisis it’s so much easier to edit a statement versus compose one.

Planning out your communications also allows you to prepare and gather in advance any resources, tool or technology you’ll need during a crisis. Again, that gives you the ability to be quicker on the draw and get in front of a situation faster, better helping you to control it and not let it control you.

Dr. Christopher Pierson


Dr. Pierson is the Chief Security Officer & General Counsel for Viewpost. As a recognized cybersecurity & privacy expert he serves on the DHS’s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee, is a Distinguished Fellow of the Ponemon Institute, and previously was the Chief Privacy Officer for the Royal Bank of Scotland (RBS).

“The most important considerations when developing a cybersecurity response plan are…”

  1. the teams and people chosen to be part of the response teams,
  2. practicing through table top exercises and mock scenarios, and
  3. proper governance.

First, the response team must include representatives across the company, and include security, legal, privacy, PR, HR (if internal breach), technology, and customer success. In addition, the team must include external counsel, outside PR, and forensic experts. Picking the right team is key. Second, the players must all practice mock scenarios ahead of time to make sure they can work together, know who has which role, what decisions they can make and agree or disagree on, and what they might be missing or weak on. Doing so ahead of time will allow for better muscle memory and team success when everyone is stressed from an incident. Finally, the incident response process must be written, approved, and transparent to the key stakeholders in the organization. Each executive must know what the others are doing, why, their roles, and the specific levels of approval or guidance they need to provide. All of this should float up to the highest internal risk committee of the company and the board.

Ben Zilberman


Ben Zilberman is a product marketing manager in Radware’s security team. In this role, Ben works closely with Radware’s Emergency Response Team to raise awareness of high profile and impending attacks. Ben has a diverse experience in network security, including firewalls, threat prevention, web security and DDoS technologies.

“Crisis management is very different from routine cyber security, and therefore requires a different action plan…”

Maintaining a crisis crew of cyber security experts and executives whose skills complement each other is crucial to any incident response plan. The ideal crisis crew is composed of individuals with various expertise to ensure that the incident is analyzed and handled properly and quickly to reduce the overall business impact as much as possible. A crisis crew should include members outside of your own IT or cyber security department and should be experienced with every different solution running in your network.

In addition to establishing a team specifically built to handle emergencies, every stakeholder in your organization should understand their role during these types of incidents. Hard copies of your response plan covering procedures, information, and individual roles should be given to each stakeholder so they are readily available when an incident does occur.

Incident response should be practiced periodically. Employee turnover and a lack of cyber security expertise outside your IT department can create a knowledge gap for how to handle these scenarios. Practicing responses for these types of emergencies can prepare your organization for when an incident actually does occur and can improve how your business as a whole responds.

Mihai Corbuleac


Mihai Corbuleac is a Senior IT consultant for ComputerSupport, a leading IT support company providing managed IT services across the United States since 2006, and for Unigma, a multi-cloud management company.

“We, as an IT Company, elaborate Cybersecurity Incident Response Plans on a regular basis because tech companies, and not only, should have a coordinated approach to respond to such incidents…”

The response plan should definitely include the following: manage the cybersecurity incident in order to limit damages, make sure you collaborate well with the rest of your company and with other organizations, create metrics for measuring the incident response efficiency, prevent more by minimizing human errors, create incident response protocols that will improve your team’s effectiveness. Those are the most important aspects to take care of in case of a cybersecurity incident.

Andrea Roebker


Andrea Roebker is the regional communications director for Region V, which includes Illinois, Indiana, Michigan, Minnesota, Ohio and Wisconsin, of the U.S. Small Business Administration. In this role, she leads public affairs for the six-state region, executing internal and external communication, marketing and alliances, and advocates for America’s small businesses. She further supports the regional administrator and the federal agency’s office of communications and public liaison.

“Small businesses often don’t consider themselves targets for cyberattacks due to their size or the perception that they don’t have anything worth stealing, but this couldn’t be farther from the truth. It is important for them to understand that…”

They have valuable information cybercriminals seek, including employee and customer data, bank account information, access to business finances, and intellectual property. Small business employers also provide access to larger networks such as supply chains, therefore protecting this information against increasing cyber threats is critical. Essentially, cybersecurity must be part of any responsible small business plan and responding appropriately can make all the difference.

As far as considerations, it is important to note that there is no one line of defense for cybersecurity, as the threats are real and there are several tools and tactics to protect the business, customers and data. Not only do you need to take the steps yourself; businesses also need to ensure their service providers are held to equally high security standards to help ensure you can maintain critical business functions should there be a breach and recover.

Another consideration is communication. Many businesses prepare for all the risks but one of the most often forgotten aspects of response is communication. It is key to affecting a small business’ ability to recover and critical for continuity. Again, this all goes into the planning and crisis communication should be part of it. Not only does the business need to consider how it will communicate, it also needs to consider all the different audiences – customers, employees, suppliers, vendors, etc.

Matt McCracken


Matt McCracken is the President/CEO of CMIT Solutions of Houston and has more than 25 years of experience in business technology in a variety of industries. Matt has a business degree from Baylor University with a focus on technology and an MBA from The University of Texas at Dallas. He has spent his career working with business and IT functions in leadership roles.

“Cyber threats are proliferating at a tremendous pace. More than 9,000 new viruses are being instigated per day across the world. That equates to more than 3.2 million per year. Protecting data from loss or theft is increasingly difficult as the threats can enter your network from many different sources. Executives need to be aware that…”

You can no longer secure data with just one or two levels of security. IT must take a multi-tiered approach to make the network and assets of the company as secure as possible within the constraints of the executive’s willingness for risk tolerance and the impact it makes on the daily operations of the business. There must be a balance between security and productivity and where their comfort level is considering those factors.

The IT executive must educate the C-suite executives on:

1) The threats they are facing

2) Where those threats come from

3) The business impact of those threats (from downtime to theft to legal perils of lost private information)

4) The ongoing company perception after a breach is discovered and disclosed to the public

The first thing to do is to either hire or appoint a CSO (Chief Security Officer) or hire an outside firm to conduct a security audit of the company’s systems and network to identify weaknesses that can be addressed immediately. Have them establish a CSIRT (Cyber Security Incident Response Team) made up of key people either inside or outside the current organization.

The CSIRT team must define the incident response policies, procedures and services provided. They need to also create an incident reporting capability; whether this is just a list of who to contact in the event of a cyber breach or more formal reporting is up to the executive team. Of course, they must handle the incident in a timely manner. It is critical to have an incident response plan in place prior to a breach so that there is a defined process to follow. Here is a sample framework:

  • Identify the problem (All end users)
  • Assess if this is a security incident (CSIRT)
  • Respond: Identify, contain, and eradicate the incident (Technical Support Staff)
  • Recover: Determine the cause, repair the damage, and restore the systems. (TSS)
  • Report to the proper authorities in accordance with the incident response plan (CSO, TSS, and CSIRT)
  • Review: Investigate the cause, collect evidence, assign blame, and review the overall effectiveness of the response procedures (CSO, TSS, CSIRT)
  • Update policies and procedures (technology) where necessary (CSO, CSIRT)

Before you do any of these, I recommend the following multilayered security defenses be implemented at a minimum.

  1. Anti-virus and Anti-malware that checks for updates multiple times a day.
  2. Verify operating system security patches are installed in a timely manner on all systems once they have been tested with your current software applications.
  3. A layer 7 capable firewall (ask your techs what this means).
  4. Secure all access points to the network. (Wireless router connections, physical access to servers, routers, and switches).
  5. Anti-spam email filter for all incoming and outgoing emails.
  6. DNS monitoring/ filtering.
  7. Training of employees to be aware not to click on email attachments or links if they are even a little bit suspicious, to stop phishing attacks before they happen if they get through the email filters. Also, train them on the social engineering attacks that may come through a call from an outside source pretending to be an IT person or their boss and asking for passwords or banking information.
  8. Hard drive encryption and email encryption are other important areas to address as well.

These are just some of the easier minimum security layers to implement immediately if they are not already in place. Then you can start looking at network design, VLANs, DMZs, honey pots, and many other security protocols that can be implemented.

As you can see there are many things to consider as you develop a strong cyber policy. The tradeoff is cost and convenience, but the goal is to be more secure than the business down the street so that a cybercriminal will target the easy prey rather than the more secure environment and to be prepared for the inevitable cyber event that will occur at some point in a company’s life.
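The "DNS monitoring/filtering" layer in the list above is easy to name and harder to picture. The following is an added example, not code from the article or from CMIT Solutions, showing what a minimal monitoring pass over resolver logs looks like: a denylist the filter would block on, a high-entropy-label check for machine-generated names, and a per-client NXDOMAIN burst check. The log format (dnsmasq-style "query"/"reply" lines), the denylist contents and all thresholds are assumptions constructed for this example.

```python
"""Added example: a small DNS monitoring/filtering pass over constructed resolver log lines.
Not from the original article. Log format, denylist and thresholds are assumptions."""
import math
import re
from collections import Counter, defaultdict

# Constructed denylist; a real deployment would load this from the filtering
# appliance's block list or a threat-intelligence feed.
DENYLIST = {"evil-updates.example.net"}

# Thresholds are assumptions for this example, not values from the article.
NXDOMAIN_THRESHOLD = 3      # distinct NXDOMAIN names per client before alerting
ENTROPY_THRESHOLD = 3.5     # bits per character of the leftmost label
MIN_LABEL_LEN = 12          # ignore short labels, which are rarely machine-generated

# Assumed line shapes: "<ts> query[A] <name> from <client>" and "<ts> reply <name> is <answer>"
QUERY_RE = re.compile(r"^(?P<ts>\S+) query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")
REPLY_RE = re.compile(r"^(?P<ts>\S+) reply (?P<name>\S+) is (?P<answer>\S+)$")

# Constructed sample log: normal lookups, one denylisted subdomain, and one client
# querying random-looking names that do not resolve (a DGA-like pattern).
SAMPLE_LOG = """\
10:00:01 query[A] www.example.com from 10.0.0.5
10:00:02 query[A] mail.example.com from 10.0.0.5
10:00:03 query[A] cdn.evil-updates.example.net from 10.0.0.7
10:00:04 query[A] kq3x9v2lm7pzt8wj.example.org from 10.0.0.9
10:00:04 reply kq3x9v2lm7pzt8wj.example.org is NXDOMAIN
10:00:05 query[A] z8f4n1pqa9lw.example.org from 10.0.0.9
10:00:05 reply z8f4n1pqa9lw.example.org is NXDOMAIN
10:00:06 query[A] b7c2d9e4f1g6.example.org from 10.0.0.9
10:00:06 reply b7c2d9e4f1g6.example.org is NXDOMAIN
10:00:07 query[A] intranet.example.com from 10.0.0.5
10:00:07 reply intranet.example.com is NXDOMAIN
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label; random labels score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_dns_log(lines):
    """Return (blocked, findings): names the filter would block, plus monitoring alerts."""
    blocked = []
    findings = []
    last_client_for = {}                    # name -> client that most recently queried it
    nxdomain_by_client = defaultdict(set)   # client -> set of names that returned NXDOMAIN

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        q = QUERY_RE.match(line)
        if q:
            name, client = q["name"].lower().rstrip("."), q["client"]
            last_client_for[name] = client
            # Filtering decision: exact match or any subdomain of a denylisted name.
            if name in DENYLIST or any(name.endswith("." + d) for d in DENYLIST):
                blocked.append(name)
                findings.append({"kind": "denylist", "client": client, "name": name})
                continue
            # Monitoring heuristic: long, high-entropy leftmost label.
            label = name.split(".")[0]
            if len(label) >= MIN_LABEL_LEN and label_entropy(label) >= ENTROPY_THRESHOLD:
                findings.append({"kind": "high_entropy_label", "client": client, "name": name})
            continue
        r = REPLY_RE.match(line)
        if r and r["answer"] == "NXDOMAIN":
            name = r["name"].lower().rstrip(".")
            nxdomain_by_client[last_client_for.get(name, "unknown")].add(name)

    # Monitoring heuristic: one client collecting many distinct NXDOMAIN answers.
    for client, names in nxdomain_by_client.items():
        if len(names) >= NXDOMAIN_THRESHOLD:
            findings.append({"kind": "nxdomain_burst", "client": client, "count": len(names)})
    return blocked, findings


if __name__ == "__main__":
    blocked, findings = analyze_dns_log(SAMPLE_LOG.splitlines())
    print("blocked:", blocked)
    for f in findings:
        print(f)
```

Run against the constructed log, the pass blocks the subdomain of the denylisted name, flags the three random-looking labels from 10.0.0.9, and raises one NXDOMAIN-burst alert for that same client; the single benign NXDOMAIN from 10.0.0.5 stays below the threshold, which is the point of using a per-client count rather than alerting on every failed lookup.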

Taher Hamid


As a technology consultant at Alltek Services, Taher Hamid has the opportunity to assist clients in virtually every industry to optimize their technology. Alltek Services holds a strong reputation in the community as a source for information and education. Taher is motivated by keeping businesses safe from the growing threats faced by businesses today.

“There have been a growing number of cyber-attacks in recent years, including some large breaches such as the Yahoo breach that stole the information of 500 million accounts in late 2014. Creating a response plan is vital, but…”

Ensuring that this plan is effective should be a priority on the executive agenda. Creating a plan and just stashing it away is not beneficial. The staff should be highly trained in the response with the ability to isolate components of the network that have been harmed, refer to and implement standard procedures to prevent further harm, and understand the appropriate time to contact the authorities to supplement their investigation.

At the core of every great organization is a striving for excellence in the form of quality assurance and continual improvement. The most important consideration in this aspect is to have a sponsor for your plan. This involves an executive who will be held accountable for creating, refining, training, and communicating to the group the newest security issues and how to mitigate and react to the risk. A cookie cutter approach to an incident response plan will quickly lead to failure in a cyber environment that is changing faster than the world around it.

Nearly every leader in an IT department has developed some form of incident response, but what about the front line staff? Is it the executive that is working so diligently on a client’s systems or another department’s infrastructure? If this is the case, then this mindset will work out just fine. However, in the vast majority of cases, it is the front line staff that will notice a discrepancy in the system. The primary question should be, “Is your staff trained on what to look for?” Cyber-attacks come in many forms, including:

  1. Denial-of-Service Attacks
  2. Malvertising
  3. Phishing
  4. Malware and many others

If the staff is trained on exactly what to look for in each case, the hazard can be identified early and the incident response plan can be that much more effective. However, a cookie cutter approach to your incident response plan will not be effective for long. Therefore, I have identified the key considerations, rather than crafted a plan for your business. If you identify these components early in the development stage of your plan, the other pieces will fall into place as you craft your deliverables.

Considerations for your Incident Response Plan:

  1. Clearly define the roles in the case of a breach: These roles should stay static no matter the magnitude of the breach. Depending on the size of your organization, there may need to be many layers of command. Define these roles BEFORE your plan is crafted.
  2. Create and maintain relationships with external experts: As mentioned before, law enforcement may need to be involved in many incidents. However, it is also critical to partner with a third party breach remediation firm as well.
  3. Develop categories or levels of compromise: It is imperative to have separate procedures in place depending on the form of attack or data being compromised. This stratification will allow proper resource allocation, priority, and impact. DO NOT have the same plan for every category of breach!
  4. Run simulations with your staff and trusted third parties: There are many ways to do this including models, games, and role playing. Organizations often find glaring vulnerabilities in their systems after performing simulations. Recently, United Airlines granted a $300,000 award to an engineering student for identifying vulnerabilities in their system.
  5. Create a culture of safety: This one may be easier said than done, but it is vitally important. Engage the staff and educate them on what to look for, how to respond, and ask for feedback or suggestions. The incident response plan SHOULD NOT be developed with a top down approach.
  6. Creating muscle memory: Although wellness programs are important, I am speaking of a different form of muscle memory. The response needs to be as automatic as the systems we utilize. Building this memory requires training, and a lot of it. Your staff, clients, and company will thank you when the cyber threat is swiftly identified, contained and eliminated.

The considerations above will provide your business with a framework for your cybersecurity incident response plan. The other actionable items of your plan will vary depending on the severity of the breach and the information at stake.

Jason Remillard, CISSP, MBA


Jason Remillard, CISSP, MBA is the Founder and CEO of – a Data Classification and remediation platform. He is also the former VP of CISO Global Security Architecture and Engineering at Deutsche Bank. He has been in the security business for over 25 years.

“You would approach this much like a Business Continuity or Recovery Plan (you have those too right?!)…”

The plan should be something that considers the reality of the business – timezones, the players, if/then conditions, when/how to report a breach (to the board and the public/government), what is the remediation plan, who gets involved when and where, what are the escalation paths and so on. Again, modelled after a BCP – it’s a fairly simple process to sketch out. Most importantly in all of this – just like a BCP or DR plan – you must exercise, test and validate the plan. Tools, processes, people and attacks change all of the time, and it’s rare when I see simulations of the scenarios being seriously reviewed and exercised. This is where most planning fails, then it just becomes an ‘all hands on deck’ emergency and becomes more complex than required.

So in summary – build a plan, model it after existing business requirements and capabilities, include third parties when you have gaps in capabilities and test, test, test.

Sanjay Deo, CISSP


Sanjay Deo, CISSP is President and Founder of 24By7Security, Inc., a full service cybersecurity consulting firm based in South Florida. They provide cyber security consulting services to clients in multiple industries in multiple cities and states. Sanjay has hands-on experience of over 20 years in information security and cyber security, starting with a master’s degree from Texas A&M University in network security and cryptography. Sanjay has worked in different roles, ranging from programmer all the way to chief information security officer (CISO) and CEO.

“The key considerations in developing a cybersecurity incident response plan are…”

Industry: The industry you are in is important, because in some industries such as healthcare and financial services, regulations mandate the existence and thorough documentation of an incident response plan.

Number of locations: Whether the business is a multi-location or single location business will impact the content and controls in an incident response plan.

What you are trying to protect: The kind of data you are trying to protect and the impact of its loss or compromise is perhaps the most important consideration of developing a cybersecurity incident response plan. For instance, are you protecting intellectual property, Personally Identifiable Information (PII), Protected Health Information (PHI), internal operating documents, etc.?

The process of developing the incident response plan also includes testing it. One way of verifying the strength of an incident response plan is to engage in what are called table top exercises or conference room pilots. A simulation of an attack is done by gathering IT teams, line of business managers, and other stakeholders to test situations where a cyber incident happens to see how each party will react and what they will do to address the issue. Roles and responsibilities need to be defined along with clear communication channels.

An example of where we have conducted table top exercises is with a large financial institution where we simulated scenarios such as distributed denial of service (DDoS) attacks, ransomware infections, and compromise of firewalls. We are also working with a Fortune 500 global fashion and retail company to test similar scenarios most relevant to that industry.

In our role, we often come in not only at the planning stage for an incident response plan but also in the invocation of the plan after the occurrence of an incident. We have seen our incident response plans activated due to various incidents such as stolen and lost devices, private information sent out by email by an employee, or an internal disruption of data or access rights by disgruntled employees. The devil is in the details – the procedures outlined in any incident response plan should be detailed enough and flexible enough to accommodate different incidents or attacks causing the loss being addressed.

Andrew Dalglish


Andrew Dalglish is a Director at Circle Research.

“In a recent survey of 100 CIOs, business-to-business (B2B) market research company Circle Research asked them to name the most important measures an organization can build into its cyber-security planning. They gave businesses looking to develop a cyber-security incident response plan six tips…”

1. Train staff to avoid internal breaches, e.g. falling for phishing emails (cited by 47% of those surveyed)

2. Have clear security duties within your organisation – make sure everyone knows their responsibilities (32%)

3. Train IT staff in how to detect incidents (30%)

4. Auditing 3rd parties’ cybersecurity, e.g. suppliers (22%)

5. Use white hat hackers (22%)

6. Encourage whistleblowing (11%)

Cody Cornell


Cody Cornell is Founder and CEO of Swimlane, a developer of cyber security automation solutions. The company’s Swimlane platform centralizes an organization’s security operations activities, automates incident resolution, and integrates with threat intelligence. A respected authority on cyber security, Cody Cornell is responsible for the strategic direction of Swimlane and the development of its security operations management platform. Cody is a frequent presenter on information security at forums such as the Secret Service Electronic Crimes Task Force, the DHS Security Subcommittee on Privacy, and National Public Radio (NPR).

“The most important considerations in developing a cybersecurity incident response plan are…”

Automation should be the key consideration for developing a cybersecurity incident response plan. Automating security operations allows organizations to continue to leverage their own internal processes. These manual processes were traditionally modeled in process flow diagrams and stored in physical binders, ticketing systems or spreadsheets. With an automated incident response solution, a security team can quickly resolve security alerts, capture key performance metrics, generate insightful real-time dashboards and rapidly deploy proactive security protections.

Organizations spend billions annually on measures to combat threats. Despite that, a void exists in the cyber security landscape. Threat detection is no longer where breakdowns typically occur. Instead, security lapses happen because businesses don’t have access to solutions that bring incidents to a swift close.

Hundreds or thousands of threat alerts occur 24/7. Between the flood of threats and amount of tools needed to detect them, it’s become nearly impossible for security personnel to thoroughly address each event. When incidents go unresolved, threats slip through the cracks and the current system becomes unsustainable. Our advice to CISOs to avert a potential security meltdown is to automate incident response. With this tactic you:

  • Bring all security alerts and issues from other security tools into one location.
  • Provide additional information about events detected using all your existing tools and data sources.
  • Correlate the cases with threat intelligence.
  • Rapidly and automatically resolve the less complex, repetitive, manually-intensive tasks that eat up the majority of security personnel’s time.

These are just some of the critical functions that automating cybersecurity incident response can provide.
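The four bullets above (one location, enrichment, threat-intel correlation, automatic resolution of the repetitive cases) describe a pipeline. The following is an added example, not code from the article or from Swimlane, that implements that pipeline in miniature: alerts from three differently shaped tool feeds are normalized into one schema, grouped into per-host cases, enriched from an asset inventory and a threat-intel table, and then run through an ordered playbook that auto-closes known-benign cases, escalates malicious or critical-asset cases to an analyst, and leaves low-signal unknowns on a watchlist, while counting how much of the queue was handled without a human. Every tool field name, alert, indicator, asset and playbook rule is a constructed assumption for this example.

```python
"""Added example: a miniature automated incident-response pipeline.
Not from the original article or from Swimlane. Tool schemas, alerts, indicators,
assets and playbook rules are all constructed assumptions."""
from collections import defaultdict

# Constructed raw alerts, each in its own tool's native field names (assumed).
# Severities are assumed to already share a 1 (low) to 5 (high) scale.
RAW_ALERTS = [
    {"tool": "edr",  "host": "ws-042", "sha256": "CONSTRUCTED-HASH-1", "sev": 4},
    {"tool": "ids",  "src_host": "ws-042", "dst_ip": "203.0.113.7", "priority": 3},
    {"tool": "mail", "delivered_to_host": "ws-017", "sender_domain": "updates.example.net", "score": 1},
    {"tool": "ids",  "src_host": "db-01", "dst_ip": "198.51.100.22", "priority": 2},
    {"tool": "edr",  "host": "ws-099", "sha256": "CONSTRUCTED-HASH-2", "sev": 1},
]

# Step 1: one schema for every tool ("bring all alerts into one location").
TOOL_SCHEMAS = {
    "edr":  {"host": "host",              "indicator": "sha256",        "severity": "sev"},
    "mail": {"host": "delivered_to_host", "indicator": "sender_domain", "severity": "score"},
    "ids":  {"host": "src_host",          "indicator": "dst_ip",        "severity": "priority"},
}

# Constructed threat-intel table and asset inventory used for enrichment.
THREAT_INTEL = {
    "203.0.113.7": {"verdict": "malicious", "tag": "c2"},
    "updates.example.net": {"verdict": "benign", "tag": "vendor-update-service"},
}
ASSETS = {
    "ws-042": {"owner": "jdoe", "tier": "standard"},
    "ws-017": {"owner": "asmith", "tier": "standard"},
    "db-01": {"owner": "dba-team", "tier": "critical"},
}


def normalize(alert):
    """Map one tool-specific alert onto the common schema."""
    schema = TOOL_SCHEMAS[alert["tool"]]
    return {"tool": alert["tool"], "host": alert[schema["host"]],
            "indicator": alert[schema["indicator"]],
            "severity": int(alert[schema["severity"]]), "raw": alert}


def build_cases(raw_alerts):
    """Step 2: group normalized alerts into one case per host so tools corroborate each other."""
    cases = defaultdict(lambda: {"alerts": [], "tools": set(), "indicators": set()})
    for a in map(normalize, raw_alerts):
        case = cases[a["host"]]
        case["alerts"].append(a)
        case["tools"].add(a["tool"])
        case["indicators"].add(a["indicator"])
    return dict(cases)


def enrich(host, case):
    """Step 3: attach asset context and threat-intel verdicts to a case."""
    case["host"] = host
    case["asset"] = ASSETS.get(host, {"owner": "unknown", "tier": "standard"})
    case["intel"] = {i: THREAT_INTEL.get(i, {"verdict": "unknown"}) for i in case["indicators"]}
    case["max_severity"] = max(a["severity"] for a in case["alerts"])
    return case


def apply_playbook(case):
    """Step 4: ordered rules; first match decides. Returns (disposition, reason)."""
    verdicts = {v["verdict"] for v in case["intel"].values()}
    if verdicts == {"benign"} and case["max_severity"] <= 2:
        return "auto_closed", "all indicators known-benign in threat intel"
    if "malicious" in verdicts or case["asset"]["tier"] == "critical":
        return "escalated", "P1: malicious indicator or critical asset"
    if len(case["tools"]) > 1:
        return "escalated", "P2: corroborated by multiple tools"
    return "watchlist", "P3: single unknown low-signal alert, kept under observation"


def run_pipeline(raw_alerts):
    """Run all four steps and return (cases, metrics) for a dashboard."""
    cases = {h: enrich(h, c) for h, c in build_cases(raw_alerts).items()}
    metrics = defaultdict(int)
    for case in cases.values():
        case["disposition"], case["reason"] = apply_playbook(case)
        metrics[case["disposition"]] += 1
    total = len(cases)
    metrics["automated_fraction"] = (total - metrics["escalated"]) / total if total else 0.0
    return cases, dict(metrics)


if __name__ == "__main__":
    cases, metrics = run_pipeline(RAW_ALERTS)
    for host, case in cases.items():
        print(host, case["disposition"], "-", case["reason"])
    print(metrics)
```

Two design choices matter here. Rule order is deliberate: the benign rule additionally requires low severity, so a known-good indicator cannot silence a high-severity alert, and the malicious/critical-asset rule sits above the corroboration rule so a single IDS hit on a critical database host still escalates. Unknown indicators are never auto-closed; they go to a watchlist, which is the kind of repetitive triage that automation should absorb without pretending it has reached a verdict.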

This online article from:
Digital Guardian
by Nate Lord