How to build a cybersecurity incident response plan

When it comes to corporate cyber incidents, there's no debating the facts: attacks are more sophisticated, frequent, widespread, and costly than ever.

In 2015, cybercrime cost companies $3 trillion. By 2021, that number is expected to double. At that point, cybercrime will become the most profitable criminal enterprise in the world.

Smart business leaders understand a cyberattack isn't a possibility— it's an inevitability. And yet, even in a climate of awareness about the threats posed by cybercrime, businesses aren't doing enough to prepare for these incidents.

Having a well-protected corporate infrastructure with the requisite safeguards is vital — and not just in technology but in the people and processes, too. What happens when attackers breach these defenses? How do companies handle an incident and its fallout? When every second counts, previous preparation increases the speed at which organizations can respond, avoiding hastily made decisions because the pros and cons already have been weighed. Preparation also cuts through the paralysis that can come with such an event.

Mistakes to Avoid 

Given the sheer volume of breaches that have hit enterprises of all sizes and industries, it's easy to find notable examples of less-than-stellar corporate responses. Case in point: Equifax. After the credit monitoring firm experienced the largest cyber attack to date, it wasn't the breach itself that drove headlines; it was the company's disorganized and problematic response, which began by directing potential victims to a bug-ridden site and continued with the company repeatedly tweeting out phishing links after the breach had occurred. 

Here are a few of Equifax's mistakes from which we can learn.

• Too much time spent in denial. Once an incident is detected, every second counts. Yet too many enterprises fall into the denial trap, where they either overlook anomalous activity or downplay the magnitude of the activity once discovered. This state of denial almost always backfires by fracturing customer and employee trust — and losing precious time — as it did in Equifax's case.
• Unstructured chain of command. Getting hacked can be a source of embarrassment for enterprises. But companies that project competence, organization, and control in the wake of an attack can positively affect its future. The blunders described above in Equifax's case pointed to a lack of structure within the enterprise.
• Lack of foresight. Alongside an absence of a chain of command comes a lack of foresight, which can manifest in companies acting too hastily, overcorrecting, or implementing "fixes" that create new problems. No, you cannot predict the future or the decisions that will need to be made. But you can agree ahead of time on the process for making those decisions and who is going to make them. When you do this, you minimize the influence of emotion and personality differences that can derail a cyber response in an instant.

Learn how to build a cybersecurity incident response plan in Dark Reading.