Establish an Incident Management Plan
An incident management plan outlines processes for your business to deal with a cyber security breach, including what constitutes a breach and who should be contacted if one occurs.
Why is it important?
Being able to identify and address a cyber security issue quickly is critical in managing and containing the situation. This way you can minimise impacts and get back to business as soon as possible.
Unfortunately, we cannot predict when a cyber breach will occur and what exactly it might involve. The nature of online threats is constantly evolving, so even if your business already has robust cyber security systems and processes in place, a breach involving your network platforms or a member of your team could still occur.
In the worst-case scenario, failure to deal with an incident quickly could lead to major and continued disruption of your business's operations, or even a breach of legal requirements.
What you can do, however, is ensure that your business is as prepared as possible, so that any incident can be managed as quickly as possible and its impacts minimised.
What Does it Involve and Where Do I Start?
The image at the top of this page outlines the key areas you should focus on; each of them is covered in the sections below.
Prepare & Prevent
Preparation and prevention are your most effective tools in managing a cyber security incident. Firstly, assess the cyber security of your business and develop a cyber security policy for your business.
You should also:
- Set out the roles and responsibilities for dealing with cyber incidents, including an incident database, communication channels and reporting forms.
- Check out our Emergency Incident Checklist. It is a helpful list of questions to ask after an incident to help shape your response, and it will also help you prepare the processes you need in place to respond quickly to an incident.
Monitor & Detect
Monitor and identify any unusual activity or events that may compromise the integrity of your business's information and systems. This may involve taking steps to protect your business against topical new threats.
Unusual activity or events may include:
- Alerts and reports about potential malicious activity or vulnerabilities. This can include alerts from Intrusion Detection System software or reports from your technology or network provider.
- The theft, loss or breach of a device, including personal mobiles that staff use to access work emails. Staff may feel uncomfortable about reporting such incidents so it's important to encourage people to speak up proactively.
- External events and publicised or high-profile cyber security incidents, both overseas and in New Zealand. Read media reports and ask whether your business could be impacted - don't assume you are immune.
- General day-to-day indicators, such as unusual email activity, incident reports, or being informed by staff or customers that a breach has already occurred.
It's essential that details of any incident or potential breach in your company's cyber security are properly recorded and documented, so it can be moved on to the Triage process for further investigation and resolution.
Triage
The Triage process is a critical decision point in incident management. It involves collecting all available information on an incident to determine its scope, its impact and which assets are affected.
Step 1: Categorise the incident - how severe is it and what are the potential impacts?
Step 2: Prioritise - does this require an urgent escalation, or can it be easily resolved?
Step 3: Assign - who is responsible for managing and resolving the incident, and by when?
Respond
This involves taking actions to resolve or mitigate an incident by analysing, coordinating and distributing information. This is likely to involve more than just a technical response; management, communications and legal responses may also be required simultaneously. Coordination and information sharing are important.
- The technical response can include analysing the incident, advising on or planning a resolution, coordinating actions internally and externally, containing any ongoing malicious activity, repairing or recovering any affected systems, generating post-mortem analysis reports, and performing incident closure. Advice from your technology/service provider or an accredited IT security consultant may be required.
- The management response focuses on activities such as notifying staff and/or affected customers of a breach and advising them of the steps taken to resolve the situation, approving courses of action, and other communications.
- The legal response includes actions associated with an incident that could have legal or regulatory implications, such as those that involve privacy issues, non-disclosure, copyright and other legal matters. If the incident involves fraud or cyber-crime, you should report it to the police.
Check out our Emergency Incident Checklist. It is a helpful list of questions to ask after an incident to help shape your response.
Resolve & Review
Once an incident has been resolved, make sure you understand its cause. Review your company's systems and processes to ensure you have done all you can to minimise the risk of a similar event occurring again. Also take the time to review how the incident was managed: is there anything your incident response team could have done better?