ANS Blog

The Case for Building a Cyber Incident Response Plan

January 26, 2018 in Cybersecurity

A strong defense is critical to fighting the battle against cybercrime. But having a plan to deal with a cyber incident, should one occur, is equally important. Why? Because when it comes to preventing a cyber-attack, there is no such thing as guaranteed protection. That's right, there is no "silver bullet." We live and do business in a world marked by increasing cyber-attacks and all-new rules. Beyond the increase in the frequency of attacks, we also face an increase in the types of organizations that have become targets. As you can see from the onslaught of daily news reports, no organization, not even one with the best-defended network, is immune.

A quick and effective response to a cybersecurity event can go a long way toward minimizing the financial damage and, most importantly, protecting your organization and its reputation. In short, how you plan for and respond to security incidents can make the difference between a "crisis" and an "event."

Having a cybersecurity incident response plan builds on your overall information security program by establishing a set of response tactics and tools to ensure that when an attack does happen, you have the people, processes, and technologies in place to respond effectively.

In the event of an attack, time is of the essence, and being able to respond to both the attack itself and the people impacted is key to mitigating the damage in cost and reputation to your organization.

While each organization should always have a cybersecurity incident response plan tailored to its specific business operations and industry requirements, a response plan should include these general components:


  1. Management support and buy-in.
  2. A designated incident response team made up of staff from all functional departments.


  1. Identification of all critical IT resources (systems, applications, data, IT services), who needs access, and where they reside.
  2. A plan that defines how critical systems and data files will be backed up or made redundant.
  3. A plan describing how critical systems and services will be restored.
  4. A plan that defines how data files and applications will be restored.
  5. A relationship with qualified cybersecurity vendors who may be required to assist in remediation and restoration.


  1. A communications plan that helps you talk to your staff.
  2. A communications plan that addresses how external communications (customers, vendors, media, etc.) will be handled.


  1. A clear definition of what constitutes a cyber incident.
  2. Processes and procedures that are in line with, and support, your organization's overall business continuity plan.
  3. A clearly defined protocol for how a response will be handled (action steps) and who is responsible for each required task.
  4. Having a cyber-liability policy in place for your own organization.
  5. The incorporation of cyber-risk/cyber-liability insurance and liability language in contracts with outsourced service providers.
  6. A method and schedule to practice your incident response plan.

When it comes to cyberthreats, the only things that are really certain are the increased probability of becoming a victim of cybercrime and the exponential rise in bad actors capable of successfully attacking even the most reputable, well-defended organizations. This makes an extremely strong case for every organization to develop its own incident response plan, along with a solid defense strategy; doing so is more important than ever. Start yours today.