A Quick Guide to Incident Response Planning

Given today’s security landscape, it’s more important than ever that businesses have a plan in place to respond to major cyber threats. These threats are becoming more and more sophisticated, leaving businesses less and less equipped to handle them. To even stand a chance against a security incident, your clients need an incident response plan—and it’s your job as an MSP to help them solidify this plan.

Author: Continuum’s Lily Teplow

What Is an Incident Response Plan?

An incident response plan is a detailed document that helps organizations respond to and recover from potential—and, in some cases, inevitable—security incidents. Ultimately, this plan should outline specific instructions that help detect, respond to and limit the effects of a cyber security incident.

While the types of incidents may vary—ranging from data breaches and denial-of-service attacks to firewall breaches, viruses, malware and insider threats—a solid incident response plan will help ensure any situation is handled quickly, efficiently, and with minimal damage.

Components of an Incident Response Plan

When building an incident response plan for your clients, focus on the following core components:

1. Identification

There are two elements you need to identify here: first, whether the event is actually a security incident; and second, who needs to be on your incident response team and what the individual roles and responsibilities are.

It’s important to first identify what type of incident is occurring and its potential impact on the business. The steps and communication processes that follow the identification stage can differ based on the type of incident at play. When something is amiss or a threat is discovered, be sure to record the date and time and immediately activate the internal and/or outside response teams based on the threat type and severity. For example, minor breaches can be left to the discretion of the response team lead, while larger threats may require consultation with the full response team and across offices.

2. Containment

Next comes springing into action to contain the incident, limit its current damage, and isolate any affected systems to prevent further damage. This is best done by finding the incident's cause and removing affected systems from the environment.

Quick Tip: Directly after the infection is detected, disconnect the affected systems from the network and immediately pause any running backup jobs. This stops the malicious software from overwriting clean backups with infected files.

3. Recovery

Once the threat is mitigated, you can allow affected systems back into the environment and ensure no threat remains.

Quick Tip: If there’s a backup and disaster recovery (BDR) solution in place, restore from the most recent clean backup to bring affected systems back online.

Also, be sure to document the incident and analyze how it happened so the team can learn from it and improve response efforts in the future.

Every incident response plan should contain these core components, but the plan can be expanded upon and customized to each client's needs. At a minimum, incorporating these steps will ensure your clients have a course of action in place for better protection from and response to today’s cyber threats.

Bonus – Grab This: Are you looking for a more in-depth incident response template with examples and key planning strategies to reduce your business’ cyber security risk level and proactively minimize damage? Download Continuum’s full guide here.

Lily Teplow is content marketing manager at Continuum, which automates security services for MSPs. Read more Continuum blogs here.