
How to respond to a breach with an impactful incident response plan

Ravi Bindra, CISO

With data becoming increasingly central to business operations, organizations need to do everything in their power to prevent data breaches and security incidents. After all, if a malicious actor manages to access sensitive data, the organization will be exposed to untold financial and reputational risk.

Many articles and blogs focus on how to ensure an attack never happens through a series of proactive risk mitigation tactics. However, there’s an unspoken caveat to all of this advice: Even if your organization has the strongest security measures, there is no such thing as total protection from security incidents.

In the event of a security incident, your business needs a concrete response plan – and that response plan can’t be made on the fly. Establishing an incident response plan enables your organization to assign responsibility and put processes in place before an incident or breach happens, allowing you to combat and minimize the impact of the event right away.

In the world of cyber security, it’s best to prepare for the worst. Let’s examine some best practices to build an effective incident response plan that reduces risk and enables cyber resilience.

The current state of data incidents & security breaches

Breaches and security incidents are unfortunately common in our technology-reliant business environment. In fact, Risk Based Security reports that over 36 billion records were exposed globally in 2020 due to data breaches. It is often difficult to truly grasp the full depth and breadth of the current threat landscape, especially with large-scale data breaches becoming passé.

However, not all data incidents are data breaches. Let’s explore the differences in more detail:

  • Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset. This could include social engineering attacks, web application attacks, or any variety of potential threats that haven’t caused tangible harm – yet.
  • Breach: An incident that results in the confirmed disclosure - not just potential exposure - of data to an unauthorized party. These include social engineering attacks, basic web application attacks, system intrusions, privilege misuse, and user errors.

In other words, cyber criminals may not always steal information, but they can still have a negative impact on your organization. Additionally, an incident that is not responded to in a timely manner can quickly become a breach. For example, if you notice a vulnerability in your website’s API, a malicious actor may be preparing to launch an attack – and it’s time to act quickly to avoid serious ramifications.

The cost of a data breach

The full cost of a data breach can be hard to calculate. While your organization might experience direct costs, like paying a ransom to regain access to your data, you also need to consider indirect expenses, like labor costs associated with crisis management.

According to the 2020 Cost of a Data Breach Report:

  • The average total cost of a data breach is $3.86 million.
  • The average cost of breaches arising from cloud misconfigurations is $4.41 million.
  • Companies that established and tested incident response teams only suffered an average of $2 million in losses.

In other words, this validates the financial value of creating and testing an incident response program and team.

Creating an incident response plan

Creating an incident response plan can save your organization money by creating a set of well-defined processes for your cyber security team to follow as soon as they discover an incident. These processes reduce the time it takes the team to identify, research, contain, and extract a threat actor from systems, networks, and applications. Defining and rehearsing a response plan will identify gaps which can be remediated prior to a real incident.

The faster your organization can confront and neutralize a security incident, the better you’ll be able to handle a potential breach down the line. Therefore, it’s crucial to proactively form a comprehensive response plan. When you’re working on a response plan of your own, here are six steps that should be included.

1. Preparation

The preparation stage of incident response involves identifying and categorizing high-risk data, applications, users, networks, systems, and devices. Additionally, your organization should review current threat intelligence and the current contextual business risk to create the most likely data breach scenarios.

2. Identification

This step focuses on understanding normal behavior within an environment, rather than simply setting alerts whenever abnormal behavior occurs. For example, a credential theft attack alert might be based on the number of times someone tries to log in to an account but fails.

One of the most difficult parts of the identification process is setting alerts correctly. If the abnormal behavior is defined too broadly, your security team may spend too much time on false alerts – or, start ignoring alerts entirely. On the other hand, defining alerts too narrowly can lead to them missing suspicious or risky activity.
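To make the trade-off concrete, here is an added example (not code from the article or from SoftwareOne) that runs a failed-login detection rule over a handful of constructed auth log lines. The sshd-style log format, the usernames, the source addresses and the thresholds are all assumptions made for illustration. The same sample shows how a threshold set too low flags a user who simply mistyped a password, how one set too high misses a burst of failures, and how an overly wide time window turns three unrelated typos over a morning into an alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real data).
# alice: two typos then a successful login (legitimate user).
# bob:   six failures in ten seconds from one source (looks like guessing).
# carol: three failures spread over three hours (unrelated typos).
SAMPLE_LOG = """\
2024-03-01T08:00:00 sshd[1100]: Failed password for carol from 10.0.0.8
2024-03-01T09:00:01 sshd[1201]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:05 sshd[1201]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:09 sshd[1201]: Accepted password for alice from 10.0.0.5
2024-03-01T09:01:00 sshd[1202]: Failed password for bob from 203.0.113.7
2024-03-01T09:01:02 sshd[1202]: Failed password for bob from 203.0.113.7
2024-03-01T09:01:04 sshd[1202]: Failed password for bob from 203.0.113.7
2024-03-01T09:01:06 sshd[1202]: Failed password for bob from 203.0.113.7
2024-03-01T09:01:08 sshd[1202]: Failed password for bob from 203.0.113.7
2024-03-01T09:01:10 sshd[1202]: Failed password for bob from 203.0.113.7
2024-03-01T09:02:00 sshd[1203]: Connection closed by 10.0.0.9
2024-03-01T09:30:00 sshd[1300]: Failed password for carol from 10.0.0.8
2024-03-01T11:00:00 sshd[1400]: Failed password for carol from 10.0.0.8
"""

# Assumed log format: "<ISO timestamp> sshd[<pid>]: <Failed|Accepted> password for <user> from <src>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(log_text):
    """Turn raw log lines into (timestamp, outcome, user, source) tuples.
    Lines that are not login attempts are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]))
    return events


def failed_login_alerts(events, threshold, window_minutes):
    """Sliding-window rule: alert on a user when at least `threshold` failed
    logins fall within any `window_minutes` span. Returns {user: peak failure
    count inside the window} for every user that tripped the rule."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    alerts = {}
    for ts, outcome, user, _src in sorted(events):
        if outcome != "Failed":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts


def evaluate(log_text, threshold, window_minutes):
    """Convenience wrapper: the set of users the rule would alert on."""
    return set(failed_login_alerts(parse_events(log_text), threshold, window_minutes))


if __name__ == "__main__":
    for threshold, window in [(2, 10), (5, 10), (10, 10), (3, 600)]:
        print(f"threshold={threshold:>2} failures in {window:>3} min -> "
              f"alerts on {sorted(evaluate(SAMPLE_LOG, threshold, window)) or 'nobody'}")
```

With a threshold of 2 failures in 10 minutes the rule flags alice alongside bob, which is the false-positive case the text describes; at 5 in 10 minutes only bob is flagged; at 10 in 10 minutes nobody is, so the burst against bob is missed; and widening the window to 600 minutes at threshold 3 drags carol's scattered typos into the alert set. Tuning means picking the threshold and window together against a baseline of what normal failure rates look like for your users.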

3. Containment

This step is the process of isolating the threat and preventing the threat actor from moving within your networks and systems. In the short term, it might mean isolating a network segment or shutting down a system. In the long term, it might mean deleting accounts or applying a security patch.

4. Eradication

Eradication is removing anything that the malicious actor used as part of the attack. For example, this can mean safely removing malware or infected files that were part of the attack.

5. Recovery

During this stage, the incident response team returns the impacted networks, systems, accounts, and applications to their “pre-attack” state. This can mean recovering them to a previous backup point as well as validating systems to ensure the vulnerability attackers used is fixed.

6. Lessons learned

Possibly the most important part of the incident response process, the lessons learned stage is the post-recovery discussion that helps determine what worked, what did not work, and what can be improved for the future. This crucial step will help you create an increasingly powerful and lasting response plan.

Best practices for your incident response plan

Creating an incident response plan can feel difficult. However, following a few best practices to create a robust plan will help you start off on the right foot. Let’s take a closer look.

Do not reinvent the wheel

Just as data breaches are nothing new, neither are incident response plans. Organizations like the National Institute of Standards and Technology provide some basic best practices for establishing an incident response plan. Visiting online forums where security teams congregate can also help you catch wind of interesting, specific best practices. This will help you create a solid foundation for your own unique plan.

Identify the data that’s most important

Not all data is equal - your incident response plan must prioritize sensitive data first. Start by consulting with multiple teams in your organization regarding their most crucial data assets. For example, documents containing intellectual property or highly sensitive customer data should be a top priority. Once you’ve agreed on what constitutes sensitive data, apply a risk rating for all types of data. This will help you prioritize assets to protect in case of an emergency.

Make the plan easy to implement

Everyone must know their role and responsibilities in the response plan and have the skills and tools necessary to fulfill them. If your employees aren’t quite ready for the new responsibility, consider consulting a third party to keep your data as safe as possible.

Final thoughts

Ensuring your organization has top-notch cyber security processes can be a never-ending endurance race. Threats are always evolving, and keeping pace requires plenty of time, energy, and money – and this is doubly true if your organization is affected by an incident or breach.

Many organizations would prefer if their IT team could focus on innovating their approach to cybersecurity rather than spending time and resources on investigations and response activities. Thankfully, there is a new solution among SoftwareOne’s Managed Security Services that can help: the Cyber Incident Response service.

We’ll work closely with your team to build a response plan, monitor your network, and protect your business from security threats as they arise. Meanwhile, your IT and cyber security teams can focus on larger projects to protect the entire network, while the rest of the organization can conduct business as usual. With the Cyber Incident Response service, you’ll be taking the proactive action necessary to prevent costly downtime, improve productivity, and leave your customers satisfied.


Ravi Bindra

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.