If there’s one thing I’ve learned from working in cybersecurity, it’s that security incidents do not simply occur, they are caused — either by legitimate users who unintentionally expose company data or malicious actors who seek to breach enterprise systems undetected. Unfortunately, it is much easier for attackers to identify exploitable vulnerabilities than it is for security teams to fix every flaw in the company’s network.

While it would seem the odds are insurmountably stacked against cyberdefenders, there is at least one element of an effective incident response program that even the most ingenious attackers cannot take away from security teams: preparedness and thorough planning.

Why the Time to Contain a Breach Matters

One of the most important metrics in incident response is the time its takes to respond to and contain a security event. According to the “2018 Cost of a Data Breach Study,” the costs associated with a breach were 25 percent lower for organizations that managed to contain the incident within 30 days. That’s a difference of more than $1 million when you consider the overall average cost of a breach, which is particularly concerning since the average time between detection and containment is 69 days.

This so-called mean time to contain (MTTC) depends on the organization’s level of preparedness to rapidly switch into emergency response mode and execute the right tasks in the right order — all under the intense pressure and confusion that invariably arises from a crisis situation. That’s why MTTC is a crucial metric in any emergency response plan template.

6 Steps to Strengthen Your Incident Response Plan

Companies with a mature security posture don’t just take a proactive approach to mitigating threats, they also train their employees on what to do in a worst-case scenario and how to implement a break-glass policy within their organizations. This requires security leaders to continuously review their plans for gaps and inefficiencies and adjust them accordingly to thoroughly understand the impact of a potential breach from a remediation perspective.

Below are six key steps organizations can take to step beyond proactive measures and prepare to respond in a worst-case scenario.

1. Get Management Support

An incident response plan does not just apply to IT and security. You will need cooperation and resources from people outside the security organization, including legal, human resources and other departments.

2. Know Your Risks

To develop your incident response plan, you must understand the kind of events you are addressing and their potential impact to your organization. The loss and exposure of data is one example that is critical to virtually all companies, and not just since the General Data Protection Regulation (GDPR) took effect. Other risks to consider include production outages, flawed products and third-party breaches. Security leaders should work closely with risk officers to identify the threats with the greatest potential business impact.

3. Define Roles and Responsibilities

It takes a lot of hard work from a variety of people and business functions to identify, contain and eradicate an incident. Roles must be clear in advance, and everyone must know his or her responsibility in the event of a security incident.

Typically, this is where a predefined group of response specialists, known as a computer security incident response team (CSIRT), steps in. In addition to security experts, this team should include representatives from management as well as other business units.

4. Determine Communication Channels

In case of emergency, it’s critical to define the relevant communication channels. Communication channels must be open at all times, even if the normal channels are compromised or temporarily unavailable. It’s also important to establish guidelines for what details should be communicated to IT, senior management, relevant departments, affected customers and the public.

5. Rules of Engagement

A lot can go wrong during incident response activities. Valuable information can be destroyed through recklessness and thoughtlessness or, worse, by an attacker who is just waiting to exploit poor user behaviors. Therefore, incident response steps should follow a clear structure and methodology, such as the SANS Institute’s six-step incident response framework and other publicly available resources that can be adapted to fit an organization’s unique needs.

6. Train the Plan

The worst thing you can do is wait until a crisis occurs to execute your incident response process for the first time. Tabletop exercises and run books are always beneficial, but it is most critical to regularly drill the response flow and strive to improve its results in every subsequent drill. It’s also helpful for team members to join discussion groups and share successful practices with other teams to sharpen incident response plans and reduce the potential damage from an impending attack.

The Benefits Outweigh the Costs

While a break-glass policy can add more layers of protection in the event of a breach, it also adds to the workload of your already overwhelmed staff. That’s why many organizations are hesitant to step forward. But the benefits of containing the damage within a short period of time outweigh the value of this investment by far. By adapting a tried-and-true emergency response plan template to your organization’s incident response needs and business goals, you will be in a much better position to minimize the damage associated with a data breach.

More from Incident Response

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…