If there’s one thing I’ve learned from working in cybersecurity, it’s that security incidents do not simply occur, they are caused — either by legitimate users who unintentionally expose company data or malicious actors who seek to breach enterprise systems undetected. Unfortunately, it is much easier for attackers to identify exploitable vulnerabilities than it is for security teams to fix every flaw in the company’s network.

While it would seem the odds are insurmountably stacked against cyberdefenders, there is at least one element of an effective incident response program that even the most ingenious attackers cannot take away from security teams: preparedness and thorough planning.

Why the Time to Contain a Breach Matters

One of the most important metrics in incident response is the time its takes to respond to and contain a security event. According to the “2018 Cost of a Data Breach Study,” the costs associated with a breach were 25 percent lower for organizations that managed to contain the incident within 30 days. That’s a difference of more than $1 million when you consider the overall average cost of a breach, which is particularly concerning since the average time between detection and containment is 69 days.

This so-called mean time to contain (MTTC) depends on the organization’s level of preparedness to rapidly switch into emergency response mode and execute the right tasks in the right order — all under the intense pressure and confusion that invariably arises from a crisis situation. That’s why MTTC is a crucial metric in any emergency response plan template.

6 Steps to Strengthen Your Incident Response Plan

Companies with a mature security posture don’t just take a proactive approach to mitigating threats, they also train their employees on what to do in a worst-case scenario and how to implement a break-glass policy within their organizations. This requires security leaders to continuously review their plans for gaps and inefficiencies and adjust them accordingly to thoroughly understand the impact of a potential breach from a remediation perspective.

Below are six key steps organizations can take to step beyond proactive measures and prepare to respond in a worst-case scenario.

1. Get Management Support

An incident response plan does not just apply to IT and security. You will need cooperation and resources from people outside the security organization, including legal, human resources and other departments.

2. Know Your Risks

To develop your incident response plan, you must understand the kind of events you are addressing and their potential impact to your organization. The loss and exposure of data is one example that is critical to virtually all companies, and not just since the General Data Protection Regulation (GDPR) took effect. Other risks to consider include production outages, flawed products and third-party breaches. Security leaders should work closely with risk officers to identify the threats with the greatest potential business impact.

3. Define Roles and Responsibilities

It takes a lot of hard work from a variety of people and business functions to identify, contain and eradicate an incident. Roles must be clear in advance, and everyone must know his or her responsibility in the event of a security incident.

Typically, this is where a predefined group of response specialists, known as a computer security incident response team (CSIRT), steps in. In addition to security experts, this team should include representatives from management as well as other business units.

4. Determine Communication Channels

In case of emergency, it’s critical to define the relevant communication channels. Communication channels must be open at all times, even if the normal channels are compromised or temporarily unavailable. It’s also important to establish guidelines for what details should be communicated to IT, senior management, relevant departments, affected customers and the public.

5. Rules of Engagement

A lot can go wrong during incident response activities. Valuable information can be destroyed through recklessness and thoughtlessness or, worse, by an attacker who is just waiting to exploit poor user behaviors. Therefore, incident response steps should follow a clear structure and methodology, such as the SANS Institute’s six-step incident response framework and other publicly available resources that can be adapted to fit an organization’s unique needs.

6. Train the Plan

The worst thing you can do is wait until a crisis occurs to execute your incident response process for the first time. Tabletop exercises and run books are always beneficial, but it is most critical to regularly drill the response flow and strive to improve its results in every subsequent drill. It’s also helpful for team members to join discussion groups and share successful practices with other teams to sharpen incident response plans and reduce the potential damage from an impending attack.

The Benefits Outweigh the Costs

While a break-glass policy can add more layers of protection in the event of a breach, it also adds to the workload of your already overwhelmed staff. That’s why many organizations are hesitant to step forward. But the benefits of containing the damage within a short period of time outweigh the value of this investment by far. By adapting a tried-and-true emergency response plan template to your organization’s incident response needs and business goals, you will be in a much better position to minimize the damage associated with a data breach.

More from Incident Response

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

A Day in the Life: Working in Cyber Incident Response

As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your "go bag" because you cannot remote in to the breached system. It's all part of the game. Seasoned incident responders can handle this jab: "Why would you want a job like this? Are you crazy?" The truth…