How to Assemble a Cybersecurity Incident Response Team

July 25, 2019 in Cyber Attacks

A cybersecurity incident response plan is the best way to ensure your business is ready to, well, respond to a successful cyberattack. The most effective plans delegate specific responsibilities to individual team members so that when a hacker strikes, everyone knows his or her next steps.

When building your response plan, the first question you should ask is: “Who should be on the cybersecurity incident response team?”

Determine which staff members can not only identify systems, services, or products compromised in the incident, but also disable them at a moment’s notice to halt further damage. Don’t forget about your team members in PR and marketing, either. They should be on the team because you’re required to broadcast the incident to outside partners and customers.

Unfortunately, most small businesses don’t have the in-house technical expertise needed to fully remedy attacks. For that reason, you need access to third-party security professionals who can help you work through an incident. These professionals can fill specialized cybersecurity roles and responsibilities while your team addresses the immediate concerns of your business and your customers.

Delegating Internal Cybersecurity Roles and Responsibilities

It’s imperative to position executives at the top of your incident response chain of command so they can oversee the execution of the plan.

From there, key personnel should contain the attack within their spheres of expertise. Product and service specialists, for example, should know the necessary steps for shutting down any processes that may spread damage. Those in charge of legal, marketing, and communications will also need to know when and how to communicate with necessary parties, such as employees, customers, suppliers, and the media.

The plan should also outline key players who can perform forensic work on the system and who have access to data logs in order to assess the damage. However, some small businesses may need to outsource these tasks to experts. In that case, the plan should clearly outline that management is to contact a predetermined third-party cybersecurity resource as soon as possible.

The exact makeup of a cybersecurity incident response team will be different based on the size and responsibilities of each individual company. In every case, however, management should lead the execution and ensure clear communication among all parties.

Keeping Open Lines of Communication After a Cybersecurity Incident

Given the dynamic nature of cybersecurity incident response management, there’s no single way to keep everyone coordinated. Regardless of what form your company’s communication strategy takes, however, you need to ensure you have multiple backup plans. If you only have one method for communication and it becomes unavailable, you will be unable to coordinate among staff.

For example, in May 2019, a ransomware attack basically shut down the city of Baltimore when government email and 21 city agencies were disabled by hackers. Because city officials had no backup communication channel, it became difficult to contain the attack internally. Even communication channels with residents, such as text alert systems, were compromised. All in all, the attack cost the city more than $18 million. Had there been an alternative channel for communication, officials likely would’ve been able to remedy the problem faster and save the city some money.

As you’re outlining cybersecurity team responsibilities, make sure everyone knows how to contact one another and securely exchange information — even if the primary channels fail. You should also establish a communication chain of command so people know who to contact if certain members of the team are unresponsive.

The No. 1 Rule for a Cybersecurity Response Team

While you should clearly outline the members of your cybersecurity incident response team and their individual duties, that doesn’t mean the plan is written in stone. Cyberattacks are evolving every day, so your team’s response plan must also evolve.

The most important thing you can do to ensure your plan and team stay effective is to test both regularly. Hold periodic cybersecurity drills with the incident response team, and have members work through several different attack scenarios. Walk through each step of the plan, making sure everyone understands his or her duties. Use these opportunities to look for hidden obstacles and oversights, and encourage team members to imagine as many contingencies as they can.

The scenarios may be hypothetical, but the experience is hands-on. So when an attack does occur, the team will operate on instinct and spring into action.

There’s no way to guarantee your business and your customers are completely safe from cyberattacks, but preparation is your greatest ally. Keep internal stress and chaos to a minimum after a cyberattack by having a solid plan that clearly outlines who does what and allows for efficient communication.

Monique Becenti is a product and channel marketing specialist at SiteLock, a cloud-based website security provider currently protecting more than 12 million websites globally. Monique is passionate about improving the customer experience for all. SiteLock’s combination of dedicated research and developmental efforts, aggressive product road maps, and access to a massive global data set make the company a leading innovator in web security.