Adding Resiliency to Incident Response Plans

Amid changing cyber-threat landscapes, it’s critical to gain confidence and preparedness for when it’s time to act.

Cybersecurity breaches have become a common occurrence, with the potential to cause significant financial and reputational damage to businesses across all industries. Financial services is one of the most frequently targeted industries by threat actors, so it’s essential for credit unions to have a solid incident response (IR) plan in place to mitigate the impact of a breach. It’s important to understand how building resiliency into IR plans can help ensure effective, efficient and consistent action to address an incident.

The Cybersecurity and Infrastructure Security Agency (CISA) defines an IR plan as, “A written document, formally approved by the senior leadership team, that helps your organization before, during and after a confirmed or suspected security incident.” Another definition describes it as “… a documented set of procedures designed to guide an organization’s response to a cybersecurity incident. It outlines the steps to be taken in the event of a security breach, including how to detect, analyze, contain, eradicate and recover from the incident. The plan typically includes roles and responsibilities, communication protocols, escalation procedures, and a framework for evaluating and improving the response process.” Both of these definitions are on point, but a simpler, more easily understood and equally correct definition is “a documented process that is in place as a reference to guide you through steps for responding to a major incident(s) in your organization.” IR plans are important because they provide for consistent and uninterrupted actions during an incident. This helps to enable rapid and precise responses in the most high-stress situations and aids continuity in recovery.

When resiliency in IR plans is discussed, it refers to the ability of a plan to adjust easily to change and remain relevant. The plans should be applicable when we need them and useful when leveraged during an incident. This sounds simple enough, but there are countless times where, as a cybersecurity professional, I have encountered situations where there is no plan in place, or the plan will cause more harm than good. There are several ways to add resiliency to your IR plan, but these two tips can greatly help the plan stay relevant over time. While these recommendations seem simple and practically common sense, a large number of credit unions often fail to get them right.

1. Know the Location of Your IR Plan

Everyone involved should know where and how to locate the most up-to-date copy of the plan. Not only should everyone know, but they should have a hard, up-to-date copy of the plan within arm’s reach at all times. Set reminders to send out copies or links to plans when they are updated or just quarterly at a minimum. This might sound like common sense, but I have seen, too many times to count, team members deferring to other team members to locate a copy of the plan or where it is stored. I’ve heard, “We have one somewhere,” “Alan or whoever knows where it is,” or my favorite, “Yeah, we have one, but I can’t remember where it’s at.” You can’t improve the resilience of a plan if no one knows where it is.

2. Test and Train on the IR Plan Regularly

At a minimum, this should be done four times a year. I have emphasized in all content and presentations that you will play and respond like you practice. If the IR plan is tested only once a year, and everyone struggles and fumbles through the response during that testing, it’s likely that you’ll encounter similar stumbling blocks during a real incident. Consider how military personnel, law enforcement officers and first responders continually train to be ready for any situation they might face in their careers. When those critical moments arise, they approach them with confidence, efficiency and expertise. The same principle applies to incident response in your credit union. Given the rapid pace of technological innovation and the constant threat from malicious actors, thorough preparation and regular practice are essential for being successful when issues and situations arise. According to IBM’s “2023 Cost of a Data Breach Report,” there were three factors that ranked most effective as cost mitigators, and IR planning and testing were in the top three. In their findings, IBM listed the average cost of a breach currently at $4.45 million and according to their reporting, “There was a difference of USD $1.49 million or 34.1% between high levels and little to no IR planning and testing.” Breach resolution time, according to some reports, saw an average reduction of 48-54 days with high-level use of IR testing and training.

It is crucial to incorporate resiliency into your IR plans to ensure their effectiveness and consistency. By doing so, plans become better equipped to handle the ever-changing threat landscape and responders are better prepared to take action when needed. Remember, even the most well-designed plans can falter in the face of unexpected challenges. Therefore, it is always a good idea to regularly review and update your plans to ensure they remain relevant and effective. By incorporating resiliency into your plan, it becomes adaptable to changing threat landscapes, and responders gain confidence and preparedness when it’s time to act.

James Bruhl

James Bruhl is Director of Cyber Threat Intelligence for the Alpharetta, Ga.-based cybersecurity company DefenseStorm.