How To Develop an Incident Response Plan for Your Business

In the Government’s annual security breach survey, it became apparent that only 21% of businesses and 16% of charities have a formal incident response plan.

This is shockingly low in today's digital era, where businesses need to be prepared to act when a cyber incident occurs. 

What is an Incident Response Plan?

It is a document that sets out the plan for a business when dealing with and rectifying the work of a reported cyber security incident. With cyber attacks on the rise and businesses becoming more aware of the threats, having a plan in place to prepare for a cyber incident, informing employees of what to do if a cyber attack is underway, and how to manage the aftermath is important. 

Creating an incident response (IR) plan is an excellent way to educate all members of your business of the most accurate guidance, information, and details of key IT team members to contact if there is any concern or reports of malicious cyber activity coming from both within and outside the business. No matter the size of your business. 

The Framework of an Incident Response Plan

To develop a comprehensive incident response plan that covers all details your team will need to know, the NCSC recommends that every basic IR plan should include the following: 

Key contacts - this will feature the contact details of all relevant personnel within the organisation that need to be contacted in the event of a cyber security incident. These personnel will usually include the head of IT or the IT team lead, HR, Legal, Senior Management team, PR, and your insurance provider. 

The NCSC makes a good point to include more than one team member from each department to ensure that at least one will be available at all times. This list should of course be regularly reviewed and updated to remain in accordance with the current staff list. 

Escalation criteria - Your escalation criteria refers to the decision-making process. In which you determine the severity of the reported incident. Determining the severity of the incident will allow the relevant teams to prioritise accordingly. Any high or critical level of incident must always go to senior management, ensuring they are aware of the potential impact this could have on the business. 

Core response (the incident response cycle) - Your core response plan could be laid out as a flow chart or diagram to demonstrate to your employees exactly what steps should be taken when responding to an incident. These steps should include how to analyse what is happening, contain or mitigate the incident, remediate or eradicate the cyber security incident, and how to recover. 

If all steps are followed and the incident is correctly resolved, the process can be reviewed and closed down. If the process did not provide enough information or teams felt unsupported it would then be the perfect time to improve and update the IR plan. 

Guidance on legal requirements and regulations - Your IR plan must also feature information regarding legal requirements and regulations. Particularly those concerning data. There will be particular incidents where you will be legally required to contact HR or engage with external legal support and advice in regards to what to do next. Here, the ICO shares when the incident needs to be reported. 

How Cyber Security Experts Help You Plan Ahead

For businesses that have limited knowledge or understanding of cyber security, working with a cyber security service provider may help as they have the knowledge, accreditations and hands on experience in this area. Their teams will be able to offer cyber security consultancy services, taking into account your organisation’s cyber security posture and risk exposure. Whilst, offering their advice and suggesting solutions for a professional incident response plan that is detailed and focused on improving the awareness and know-how of your team towards cyber security.