Incident Planning and Response

While in the past companies may have been judged for suffering a breach, today it is accepted that cybersecurity breaches do occur and that those organizations that suffer a breach are a victim of a crime. As such, many will not negatively judge an organization should it fall victim to a crime but they will judge the organization on how it responds to the incident.

Therefore it is important for SMEs to accept that at some stage they may suffer a cybersecurity breach and it is important to have a formalized incident response plan in place, as without such a plan the response to a cybersecurity incident will most likely be ad hoc and unplanned which often results in prolonged recovery times, lack of evidence for a criminal or civil case and other negative impacts.

SMEs should develop a formal incident response plan, which contains clear guidelines, roles and responsibilities documented to ensure that all security incidents are responded to in a professional and appropriate manner. This policy should include details of how electronic evidence should be preserved, gathered and handled and the responsibilities for same.

Standard Operating Procedures to respond to incidents of different types should also be developed to include;

• The actions to be taken if multiple machines are infected with a computer virus.
• Under what conditions, and whose authority, network segments are shut down.
• Under what conditions, and whose authority, internet connectivity is disabled.
• How computer virus infections are identified and removed.
• Who liaises with the press, key stakeholders and public in the event of a serious incident
• How to liaise with clients and partners, law enforcement, the Data Protection Supervisory Authority, or other regulators.