5 Steps to Building a Foolproof Cybersecurity Incident Response Plan

August 26, 2019 in Data Breach, SiteLock News

No matter what industry you’re in, there’s a good chance that you conduct a lot of your business online. Most modern small businesses have one or more digital properties, including a website and various social media pages. Your website may or may not be your chief sales portal, but it’s usually the first place prospective customers go to learn about your brand, making it a vital asset.

For this reason, cybersecurity should be a top priority, especially for small businesses. Websites experience multiple attacks per day, so it’s safe to assume your site will be targeted eventually. And if you’re not prepared, the damage can be severe. In fact, 60% of small businesses will shutter operations post-attack due to the staggering cost of recovery. It sounds like hyperbole — until you consider that every minute of downtime can cost a business $427 in lost revenue.

Small businesses also face unique challenges in cybersecurity. Most simply don’t have the resources to employ a dedicated cybersecurity team or invest in comprehensive security awareness training, leaving employees more vulnerable to phishing attacks and other scams.

Although enlisting the help of a third-party cybersecurity partner and installing automated cybersecurity tools can help, there’s never a guarantee that your business will be completely safe from cyberattacks. That means you need to have a plan for responding to attacks that break through even the most secure defenses.

In this post, we’ll offer a guide to developing a cybersecurity and risk mitigation plan for small businesses. The harsh reality is that it’s only a matter of time before you find yourself dealing with a serious cybersecurity breach — if you haven’t already. Make sure you’re prepared to act quickly and respond confidently when that time comes.

What Is an Incident Response Plan?

Security starts with preparation. In the aftermath of a cyberattack, you don't want your employees scrambling to work out who to call, how to contain the damage, and what to tell customers. You want them to follow a comprehensive, pre-established plan that has been tested and will get the business back on track quickly. This kind of plan is called a cybersecurity incident response plan, and every small business should have one.

This plan encapsulates the roles and responsibilities of preselected members of an incident response team. It outlines the key steps and procedures this team should follow when a significant cybersecurity incident occurs. And it covers a chain of command and describes how communication will flow from key staff members to other employees, customers, and even the public.

Virtually all companies that collect data or payments from customers hold sensitive information. As a trusted business, it’s your responsibility to keep that information as secure as possible. Having a comprehensive, highly actionable cybersecurity incident response plan will help ensure you’re prepared to preserve customer information before, during, and after an attack.

Delegating Responsibilities in Your Incident Response Plan

The roles, responsibilities, and chain of command outlined in an incident response plan will depend on the company and its structure. Generally, the person at the top of the ladder should be someone who’s familiar with both the internal makeup of the company and its various systems and processes. For small businesses, this is often the owner or general manager, and he or she should be responsible for overseeing the execution of the plan.

From there, you should identify specific members of the incident response team, each of whom should be an expert on a particular product, service, or system. Teammates will oversee the incident response plan steps that pertain to their areas of expertise. The plan should also spell out how to isolate or shut down each of these systems (take the site offline, disable an account, revoke an API key) if that becomes necessary to stop the damage from spreading; deciding this in advance avoids arguing about it under pressure.

You should also involve those in the legal, marketing, and communications operations of your business. The plan should outline when and how these individuals should communicate with external parties, such as customers, suppliers, and the media. However, communication with external parties should not begin until internal team members have clearly outlined the size and scope of an attack.

This means the incident response plan also needs to name the people responsible for assessing the damage by doing forensic work on the system and its logs. Logs and affected files should be preserved (copied, not cleaned) before remediation starts, or the evidence of how the attacker got in is destroyed along with the malware. Because many small businesses don't have technical cybersecurity experts on staff, these responsibilities are usually best outsourced to a third-party cybersecurity partner. The incident response plan should state who contacts the external experts and when.

Outlining Threat Assessment

Along with clearly outlining all key players’ roles and responsibilities, your incident response plan should account for any potential threats and vulnerabilities within your network. These could include relatively minor attacks such as website defacements or more severe breaches that lead to a loss of customer and employee information.

At a minimum, you should have detailed steps in the incident response plan for addressing the following types of cybersecurity threats:

• Website Malware: Many people think of malware as viruses and worms that compromise data and files on a particular computer and others on its network. As a small business owner, however, you should also be concerned with website malware, which is equally pervasive. Cybercriminals use automated bots to scan websites for outdated software, known vulnerabilities, and misconfigurations, and exploiting one of these can give an attacker control over the site and sometimes the hosting server.

Attackers commonly use website malware to steal sensitive customer information directly from the website database. While some attacks, such as website defacements, can be relatively harmless, others can cause your site to be suspended by your host or blacklisted by search engines, which can result in a large reduction in traffic and have a significant impact on your business's bottom line.

• Phishing: Phishing attacks aren’t new, but they’ve become even easier for cybercriminals to execute. In fact, one survey found that 83% of professionals working in information security experienced a phishing attack last year. Your employees probably receive phishing emails regularly, which represents a major threat to your network security.

These emails look harmless but trick recipients into handing over authentication credentials or personal or financial information. Some contain links to look-alike login pages or attachments that install malware when opened. With the right training, your employees can learn to recognize these scam emails before clicking a link, opening an attachment, or entering a password. Because some phishing messages will get through anyway, multi-factor authentication on email and admin accounts limits what an attacker can do with a stolen password.

• SQL Injection Vulnerabilities: SQL injection vulnerabilities are weaknesses in a website's code that arise when user-supplied input is pasted directly into a database query instead of being passed as a bound parameter. On the front end, the entry point is usually a form, such as a login page, a search box, or a comment field, but URL parameters and cookies can be injection points too. Cybercriminals find these inputs and submit SQL fragments that change the meaning of the query the site runs against its database. Once they can read or write the database, they can flood your site with spam posts, steal customer data, and, in some cases, bypass authentication to take complete control of the site.

• Cross-Site Scripting: Cybercriminals can use cross-site scripting to target your website's visitors, rather than the site itself, by injecting scripts through unsanitized input fields. This is usually JavaScript code. The scripts are then executed in the visitor's browser, which cannot tell injected script apart from the script the site itself serves. This allows attackers to hijack visitors' web sessions, spam visitors with malicious content, and steal session information. The core fix is to encode user-supplied text for the context in which it is output (HTML body, attribute, JavaScript, URL) rather than trying to filter bad input; marking session cookies HttpOnly and deploying a Content-Security-Policy limit the damage when a flaw slips through.
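
The two injection classes above, shown as an unsafe handler next to its hardened form. This is an added example, not code from the original post or from SiteLock: it uses an in-memory SQLite table, a constructed sample account (`alice`), and constructed attacker input so that it runs offline; the function names and the simplified password check are illustrative assumptions, not a real login implementation.

```python
"""Unsafe vs hardened handling of visitor input (SQL injection, XSS).

Added example, not code from the original post or from SiteLock. The user
table, the sample account and the attacker inputs are all constructed here.
"""
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's user table (one sample account)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Builds the query by string concatenation, so whatever the visitor types
    is parsed as SQL. A username of  ' OR 1=1 --  makes the WHERE clause true
    and comments out the password check."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return con.execute(query).fetchone()[0] > 0


def login_safe(con: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Parameterized query: the driver binds the values, so they can never
    change the structure of the statement."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return con.execute(query, (username, password_hash)).fetchone()[0] > 0


def render_comment_vulnerable(comment: str) -> str:
    """Reflects visitor-supplied text straight into the page: a comment that
    contains <script> runs in every other visitor's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """HTML-encodes the text for the element-body context, so the browser
    shows the tags as literal characters instead of executing them."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def demo() -> dict:
    """Run both pairs against constructed attacker input and return the results."""
    con = setup_db()
    sqli_user = "' OR 1=1 --"                       # constructed SQLi payload
    xss_comment = "<script>alert(document.cookie)</script>"  # constructed XSS payload
    return {
        "sqli_bypasses_vulnerable": login_vulnerable(con, sqli_user, "wrong"),
        "sqli_bypasses_safe": login_safe(con, sqli_user, "wrong"),
        "vulnerable_html": render_comment_vulnerable(xss_comment),
        "safe_html": render_comment_safe(xss_comment),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable login returns true for the injected username with a wrong password; the parameterized version returns false. The safe renderer turns `<script>` into `&lt;script&gt;`, which is correct for text placed inside an element body; text placed in an attribute, a URL, or inline JavaScript needs the encoder for that context, which is why template engines with auto-escaping are preferable to hand-rolled string building. A real login should also verify a proper password hash (bcrypt or similar) rather than comparing a stored string.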

Incident Response Plan Steps to Mitigate Damage

Thoroughly documenting various cybersecurity threats facing your business is an important part of building a response plan, but it’s even more important to describe the steps employees can take to quickly identify and address those threats. The sooner an attack is spotted, the quicker your incident response team can mitigate the damage.

Any list of incident response steps should include the following areas. (This list should be used as the basic points of a cybersecurity incident response checklist.)

1. Identify. Pinpoint the symptoms of an attack. Alert the incident response team to begin taking action.

2. Discover. Work out the scope: which systems, accounts, and data were affected, and how the attacker got in. The individual overseeing website maintenance should communicate the damage to your small business's web developer. After you've identified the breach, alert any other third parties that need to be in the know (e.g., a payment processing vendor or your hosting provider).

3. Remediate and restore. Depending on the type of attack, you'll need to clean your site and fix or restore files. As a rule, always keep a clean backup of your website's files and database stored offline, keep enough older copies that a backup taken after the compromise began is not your only option, and test restoring from it before you need it. After restoring, change every credential the attacker may have seen (administrator, database, hosting, and FTP/SSH accounts, API keys) and update the software that let them in, or the site will simply be reinfected.

4. Review. Evaluate your security posture and identify vulnerabilities that can and should be strengthened. Discuss these with your web developer or cybersecurity provider to help you develop an adequate solution.

5. Implement. At a minimum, your defenses should include a web application firewall to block known attack patterns and malicious bots before they reach your site. Add another layer by implementing an automated website scanner to detect and remove malware. Look for a scanner that also automatically patches known vulnerabilities in outdated CMS, plugin, and theme versions, since outdated software is one of the most common ways sites get compromised. Neither tool blocks everything, so keep applying updates and reviewing logs as well.

As a best practice, always have a backup solution in place in the event the attack corrupts the website files or database. If you’ve already experienced one attack, failing to install these basic defenses leaves you extremely vulnerable to another.
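
A minimal file-integrity check that ties the Identify and Remediate-and-restore steps together: record a manifest of file hashes from a known-clean copy of the site, diff the live document root against it to spot added, modified, and deleted files, and restore from the clean copy. This is an added example, not code from the original post or from SiteLock. It assumes the site's files live in a directory you control and that the clean copy was taken before the compromise (for instance right after a fresh deploy); the site contents, the "injected" code, and the dropped file are all constructed in a temporary directory so the script runs anywhere.

```python
"""File-integrity baseline for a site's document root.

Added example, not code from the original post or from SiteLock. The site
files, the tampering and the clean backup are constructed in a temp dir.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a small site's files (not a real site).
CLEAN_SITE = {
    "index.php": "<?php echo 'Welcome to the shop'; ?>\n",
    "wp-config.php": "<?php define('DB_NAME', 'shop'); ?>\n",
    "uploads/logo.png": "not-really-a-png\n",
}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Identify step: classify drift from the clean manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in baseline
                           if name in current and baseline[name] != current[name]),
    }


def restore(site: Path, backup: Path, diff: dict) -> None:
    """Remediate step: delete files the attacker added and copy changed or
    deleted files back from the clean backup. Preserve copies of the tampered
    files for forensics before calling this."""
    for rel in diff["added"]:
        (site / rel).unlink()
    for rel in diff["modified"] + diff["removed"]:
        target = site / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, target)


def write_tree(root: Path, files: dict) -> None:
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo() -> tuple:
    """Simulate a compromise, then the identify/restore cycle.
    Returns (drift before restore, drift after restore)."""
    work = Path(tempfile.mkdtemp())
    try:
        backup, site = work / "backup", work / "site"
        write_tree(backup, CLEAN_SITE)   # the offline clean copy
        write_tree(site, CLEAN_SITE)     # the live document root
        baseline = build_manifest(backup)
        # Simulated tampering: injected code, a dropped file, a deleted asset.
        index = site / "index.php"
        index.write_text("<?php /* simulated injected code */ ?>\n" + index.read_text())
        (site / "uploads" / "dropped.php").write_text("<?php /* simulated dropped file */ ?>\n")
        (site / "uploads" / "logo.png").unlink()
        before = compare(baseline, build_manifest(site))
        restore(site, backup, before)
        after = compare(baseline, build_manifest(site))
        return before, after
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("drift found:", before)
    print("drift after restore:", after)
```

Two caveats for real use: the baseline has to be rebuilt after every legitimate deploy or the check drowns in false positives, and a file-level diff says nothing about malware stored in the database (injected posts, rogue admin users), which the Discover step still has to cover separately.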

Communicating Externally After a Cyberattack

No cybersecurity incident response plan is complete without a guide to addressing post-attack communications. Your ability to bounce back from an attack largely depends on how you communicate in the immediate aftermath.

When it comes to external communication — with customers, suppliers, other partners, or the media — you may want to delegate a spokesperson to communicate on your company’s behalf. If you don’t have a PR or communications team, this person should be the owner.

The way you tell your story is just as important as the story itself. Be completely honest, and show how you’re working to prevent similar incidents from happening again. Of course, no matter how much you invest in security, a subsequent attack is still possible. However, it will make a huge difference if you can tell customers you did everything you could to protect their data, rather than having to admit you were caught flat-footed. Oftentimes, business owners are victimized just as much as customers, and it’s OK to let customers know that you’re suffering alongside them.

Another thing to think about: Should you report the incident to law enforcement? If your small business's website holds local customers' sensitive data, it's likely that there will be an increased threat of identity theft in your area. Local police may be able to help, and in the United States the FBI's Internet Crime Complaint Center (IC3) takes online reports. Separately, ask counsel whether breach notification laws in your jurisdiction require you to notify affected individuals or regulators within a fixed period; that obligation applies whether or not you involve the police.

Communicating Internally After a Cyberattack

Internal communication should be peppered throughout every step of the cybersecurity incident response plan. The best way to communicate among staff after an attack will depend on the size and structure of your business, but one step remains consistent across all types of businesses: Have multiple backup channels.

An attack could compromise your communication channels: if the attacker controls your email system, for example, they can read every message your response team sends through it. So you absolutely don't want to rely on any one channel; agree in advance on an out-of-band alternative, such as personal phones or a messaging app with a pre-shared contact list. You need to be able to coordinate incident response among employees to ensure the incident response plan steps are followed exactly.

The steps should outline the hierarchy of response channels, noting where to turn if the main communication method becomes unavailable. Also, be sure to outline a chain of command for communication so people know where they can direct questions should their immediate support become unavailable.

Keeping Your Cybersecurity Incident Response Plan Updated

Finally, your incident response plan should outline post-mortem steps: follow-up meetings with key team members to discuss how the incident was handled, what went according to plan, and what kind of unexpected challenges appeared. Use this information to update your incident response plan for a more streamlined response in the future.

Remember, the incident response plan should never be a stagnant document. After all, the cybersecurity landscape is always changing with new technological advancements, so your response plan should change, too. Hold quarterly cybersecurity drills (tabletop exercises that walk the team through a realistic scenario, such as a defaced site or a phished admin account) to test the response plan in various situations, updating it based on any identified weaknesses. Updating the plan on a rolling basis will ensure that your business is truly prepared to bounce back from an attack.

A cyberattack can put enormous pressure on your business, and an effective response often requires a significant investment of time and capital. However, if you have a solid cybersecurity incident response plan in place before an attack occurs, you’ll be better positioned to use those resources as efficiently as possible.

Outline potential threats, determine roles and responsibilities, list out clear mitigation steps, and have a plan for communication. This will give your business the best chance at minimizing damage and saving your reputation.

Monique Becenti is a product and channel marketing specialist at SiteLock, a cloud-based website security provider currently protecting more than 12 million websites globally. Monique is passionate about improving the customer experience for all. SiteLock’s combination of dedicated research and developmental efforts, aggressive product road maps, and access to a massive global data set make the company a leading innovator in web security.
