Blog

How You Create a Cyber Incident Response Plan

The image shows documents on digital waves with one in a lifebuoy, representing data protection and cyber attack recovery.

Sometimes called a cyber security disaster recovery plan, a cyber incident plan provides guidelines that help your team know how they should prepare for, respond to, and recover from a cyber attack. As you guard your company against ever-evolving cyber threats, you should know how to create and implement a cyber incident response plan.

7 Steps for Building a Cyber Incident Response Plan

If you’re interested in creating a cyber incident response plan, you’ll need to establish a team, identify cyber security risks, take action to back up your data, and implement various protocols designed to reduce the risks of a successful cyber attack. Instead of being caught off guard by a cyber attack and losing critical data, follow these seven steps for creating a cyber attack plan below:

1. Choose a Leader for Your Cyber Incident Response Plan

Your cyber incident response plan is only as strong as the people who put it into action. Begin by identifying someone who can “own” the plan. This Incident Commander will oversee and manage the entire plan. 

This cyber incident response plan owner should understand cyber security best practices while also being organized and able to coordinate with multiple team members from different departments. Since a cyber attack recovery plan will need to be maintained and updated, this team member should have enough time on their schedule to regularly review and update the plan.

2. Create a Cyber Incident Response Team

Once you’ve identified your Incident Commander, you’ll need to find specialists who can help with various aspects of your cyber attack recovery plan. Typically, you should include representatives from each of your company’s departments, as they may be affected by a cyber attack differently and could need to take other steps to get their department running again. 

After you’ve identified representatives and key staff members, document what tools and data the teams will need to use during and after a cyber attack. Next, state who will be responsible for various tasks, such as alerting your company to a cyber risk, removing malware, or restoring lost data from a backup.

3. List Potential Cyber Security Risks

Once you’ve determined who’s running your cyber incident response plan, it’s time to begin anticipating the main cyber security threats to your company. During this step, gather your team and have them list the main cyber threats facing your organization. Common cyber threats include ransomware, other forms of malware, social engineering attempts, and employee error. Your team should also discuss how these varying risks will impact your systems and data if they occur.

With the main threats established, your team should run a risk assessment to determine where you’re most vulnerable. This assessment might uncover your vulnerability to ransomware or could reveal your team hasn’t been trained well enough to spot phishing schemes. After you identify your most vulnerable points and what cyber-attacks you’re most at risk of facing, your team can take action to strengthen vulnerabilities and prevent the attacks from succeeding. Additionally, your team should implement monitoring technology that can immediately alert them to a cyber attack.

4. Determine Your Most Important Technology, Hardware, and Data

If a cyber attack is successful at your company, you’ll likely need to shut down while your team removes any malicious malware from your system. However, once the threat has been neutralized, your team will have to decide on what data should be recovered and what hardware to bring back online first. As a result, it’s important to know what systems and data your team absolutely needs to perform their work.

Creating a recovery time objective (RTO) pairs nicely with this step, as this objective establishes how long your operations can be down following a disaster. After establishing your RTO, your team will know what important systems, hardware, and data they should focus on restoring first and the time frame they’ll have to complete the restoration process. Additionally, you’ll want to determine who’s responsible for restoring downed systems or recovering lost data.

5. Implement a Reliable, Automatic Backup Plan

During a cyber attack, bad actors often try to steal data or hold it for ransom. Some attacks can also result in significant data loss, where you can’t recover lost data from affected endpoint devices (e.g., computers, tablets, etc), servers, and networks. Due to the risk of data loss, organizations should implement the 3-2-1 backup rule, which states that companies should keep three copies of data on two different media types, with one of the copies stored off-site.

Usually, businesses will want to back up their data every fifteen to thirty minutes, as this reduces the risk that critical data is lost during an attack and can’t be recovered. While picking a provider, you should also check that the solution allows you to automatically back up data, as manual backups can be forgotten. 

Additionally, the automatic backups shouldn’t affect system resources to a point that causes normal operations to slow down, and the provider should be able to restore the most important data quickly.

6. Put Together a Communication Plan

If a cyber attack occurs in your organization, your employees should know who they should alert first and what steps they should take. Besides accounting for communications during normal office hours, you’ll want to identify who should be contacted during off-hours and how this communication will happen. The communication plan should likely focus on getting information to members of your cyber attack team first, as they’ll be better prepared to neutralize the attack and begin the recovery process.

You’ll also need to lay out when and if company stakeholders, customers, vendor partners, and media outlets should be alerted to a cyber attack. The communication plan should cover expectations for how these groups should be contacted and what information should be shared. It’s also best practice to establish protocols for storing contact information and updating it when needed.

7. Train for Cyber Attacks and Refresh Your Cyber Incident Response Plan When Needed

With all the steps above completed, it’s time for your team to practice for cyber attacks. Running regular drills for mock cyber attacks and seeing how well your team performs their duties will help you spot any remaining weak spots and better prepare your team for a real cyber attack. Typically, tabletop exercises are good training exercises, as your team will get together and explain how they’ll respond to and recover from various cyberattack scenarios. If you find weaknesses, update your plan to account for them.

How CrashPlan’s Disaster Recovery Solutions Can Help Your Cyber Incident Response Plan

At CrashPlan, we’re dedicated to giving organizations the endpoint data backup solutions they need to safely back up their data and have it ready to recover following a cyber attack. With CrashPlan in your corner, our disaster and ransomware recovery solutions can back up your data every fifteen minutes without significantly impacting system resources. We also guard your data at rest and in transit with leading security practices and tools. When you need to restore lost data, you can prioritize what data to restore first and quickly recover it from our cloud.

Learn more about our disaster recovery solutions today. If you want to see how CrashPlan can make it easy to back up your data and recover it following a disaster, please sign up for our free trial.