Six steps for cyberattack incident response planning

Developing a strong cyberattack incident response plan requires a thorough examination of everything from building a response team to actually testing out the plan and ensuring it works.

By Velta Technology May 20, 2021

How a company responds to an incident is important. The wrong response could damage the company’s reputation or destroy it altogether. A proactive and timely response to an incident can result in great press and new customers, since they know that you value your customers and take digital safety seriously.

Many companies take an attitude of “Nothing bad is going to happen,” so they never plan for what might happen. Many times management assumes that if something does go wrong, everyone will know what to do. How many companies do you think had a large-scale remote worker plan in place before March of 2020? Creating incident response plans is not difficult, but it does take time and should involve people from all levels of the organization. This is not just an information technology (IT) issue or responsibility. Some of the possible scenarios for incident response plans are:

  • Partial or complete loss of office space
  • Malware attack with no data breach
  • Data breach
  • Theft of equipment

These are just a few of the possible incidents that it is wise to put plans together to handle when they occur. When creating a plan and putting it into action, the following are six steps to follow:

  1. Prepare
  2. Build a response team
  3. Outline response requirements and resolution times
  4. Establish a disaster recovery strategy
  5. Test the plan
  6. Review lessons learned

1. Prepare

The first phase of building an incident response plan is to define, analyze, identify, and prepare. How will your organization define an incident? Next, analyze the company’s environment and determine which departments and individuals are the most critical to maintaining operations in the event of the incident you’ve defined. Also identify what information should be gathered during and after the incident. When you understand the various layers and nuances of importance to your organization, you will be better suited to prepare a response plan so that you can quickly recover. This process should involve people from the C-suite to the janitorial staff.

Treat the preparation phase as a risk assessment. Be realistic about the potential weak points within the company. A realistic potential for failure needs to be addressed. By performing this assessment early on, you will ensure everything is protected and be able to allocate the necessary resources for response, including staff and equipment.

2. Build a response team

Now it’s time to assemble a response team including a group of specialists both within and outside your organization. This team comprises the key people who will work to mitigate the immediate issues concerning an incident you identified in step one and respond to any consequences that spiral out of such an incident.

3. Outline response requirements and resolution times

From the team you assembled in step two, each member will play a role in detecting, responding, mitigating damage, and resolving the incident within a set time frame. These response and resolution times may vary depending on the type of incident and its level of severity. Regardless, you will want to establish these time frames up front to ensure everyone is on the same page.

Ask the following questions:

  • What will we need short term and long term to solve the issue?
  • How long can the company afford to be out of commission in this area?

The answers to these questions will help you outline the specific requirements and time frame required to respond to and resolve an incident.

If you want to take this a step further, you can create quick response guides that outline the team’s required actions and associated response times. Document what steps need to be taken to correct the damage and to restore operations in a timely manner. These guides should exist both electronically and physically in binders.

4. Establish a disaster recovery strategy

This is when the incident response team works to return everything to normal or establish a “new normal.” Questions to answer in this phase include:

  • Who needs to be notified of the incident?
  • What steps need to be taken to return to normal operations?
  • What licenses or equipment need to be ordered or purchased?

A reliable, well thought out recovery plan can maximize the organization’s chances of surviving an incident. Planning the incident response can ensure a quick and optimal recovery point, while allowing you to troubleshoot issues and prevent them from occurring again.

5. Test the plan

Once you have completed the first four steps of building an incident response plan, it’s vital that you test it. Put your team through a tabletop exercise where you practice and test the plan. When your exercise kicks off, your communications tree should go into effect, starting with notifying the PR, legal, executive leadership, and other teams that are included in the incident in play. As it progresses, the incident response manager will make periodic reports to the entire group of stakeholders to establish how you will notify your customers, regulators, partners, and, if necessary, law enforcement. It is important that the incident response team take this seriously, because it will help you identify what works and which areas need improvement to optimize your plan in the event of a real-life incident.

6. Review lessons learned

After the incident is over and things are back to normal, whatever that normal may be, it is time to do a “Lessons Learned” review. During a real incident, this step should focus on dealing with the aftermath and identifying areas for continuous improvement. Take this opportunity for your team to tackle items such as filling out an incident report, completing a gap analysis with the full team, and keeping tabs on post-incident activity.

No company wants to go through an incident, but it’s essential to plan for one. With these six steps, your organization will be well-equipped to face disaster, handle it when it happens, and learn all that you can to adapt for the future.

– This article originally appeared on Velta Technology’s blog. Velta Technology is a CFE Media content partner.

Original content can be found at