Welcome to Part 5 in our Developing an SMB Cybersecurity Plan series for National Cybersecurity Awareness Month.

SMBs should prepare a cybersecurity response plan before an incident occurs so they are ready to respond as effectively and efficiently as possible. Google “Creating a security response plan” and the number of results returned is overwhelming. It’s enough to make an SMB shy away from even attempting to create a plan that outlines how it will respond to security incidents. The problem is that if your SMB does experience a cybersecurity incident and has no response plan, you end up reacting to the attack and dealing with the damage in a disorganized, disjointed way. The result is usually a less-than-effective response, one that leaves the business open to the same attack again in the future.

An effective cybersecurity response plan is similar to a disaster recovery and business continuity plan, but it has a risk-specific focus that helps your company respond to different types of cybersecurity incidents in appropriate ways. For example, an SMB responds differently to a phishing attack than it does to a distributed denial of service (DDoS) attack or to insider data theft.

Framework for a Security Response Plan

Security response plans are detailed documents that outline all the steps to be taken in the event a security incident occurs. They require an understanding of the key assets and threats your organization faces, and a comprehensive understanding of your existing IT environment is essential to creating an appropriate plan. That’s why the first few steps of creating a cybersecurity plan matter so much: you must first assess your current landscape and determine the threats your SMB faces and your tolerance for those threats. Once that is in place, you can move on to policies and tools, and then to how you will respond when a threat becomes an incident.

In putting together a security response plan, it helps to have a framework, such as the one offered by the National Institute of Standards and Technology (NIST). Its Computer Security Incident Handling Guide (SP 800-61) is a thorough outline of what should be included in your own security response plan, organized around an incident response life cycle of preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. However, it’s not sufficient simply to have this document; companies must also take the time to customize the guide to their specific business. Every business handles different data, and every business has a different tolerance for risk. It’s vital that your security response plan align with your business objectives and culture.

Elements of a Response Plan

Once you know what you’re protecting and what you’re protecting it against, then you can outline how you’ll respond if a security incident happens. Here’s a quick list of the activities that should be included in that response plan:

  • Evaluate scenarios for each type of incident that can occur. For example, the way you respond to a ransomware threat will be different from the response to a virus, worm, or DDoS attack. Examine every situation in which a threat can become an incident, then outline the response to that incident. Responses should include:
    • Outside resources needed, if any. These resources could be forensic experts, HR experts, or even operations and public relations specialists who can help you respond to an incident and scale resources to aid in that response.
    • Checklists of appropriate and effective response actions for each type of incident. This includes recording the time and date the incident was detected, how the incident is handled, what interviews were conducted to gain critical knowledge of the incident, records of that knowledge, and the steps taken to isolate and secure affected machines.
    • A trackable list of legal obligations that result from the incident, including how those will be handled and by whom.
  • Create a dedicated response team and outline the responsibilities that fall to each team member. Team members can include security managers, CIOs or CISOs, IT managers, and legal counsel. Each team member should have a clearly defined role, and when an incident occurs those roles should be automatically activated.
  • Define legal obligations and develop steps to meet them. What is required by law is determined by several factors, including the industry your SMB operates in and the types of data the company collects and stores. Before an incident, know what your legal responsibilities are so you can track required tasks, time frames for completion, and any reporting deadlines associated with each specific type of security incident.

Review, Test, and Train

This broad list of activities only scratches the surface of the details you’ll need to plan for and record to create a security response plan. And once the response plan is complete, you can’t just put it on a shelf and leave it until something happens. The plan should be reviewed and updated on a regular basis to deal with new and emerging threats. In addition, there are two more important steps to remember once the plan is complete:

  1. Test your response plan. It does no good to have a plan that is insufficient or flawed. The best time to find out that you’re missing something, or that the plan won’t work as outlined, is before an incident. Schedule testing regularly and each time the plan is changed.
  2. Train often and thoroughly. The key people required to execute your security response plan should know what their responsibilities are and how to meet them quickly and efficiently. The best way to ensure that everyone knows what to do if an incident occurs is to conduct regular training on the process that includes mock security incidents and responses.

A security response plan is your assurance that when an incident happens—and it will—your SMB is prepared to respond efficiently and appropriately. Take the time to create a detailed response plan that includes responses to specific types of incidents, that outlines roles and responsibilities, and that defines the legal obligations you must meet. Then review, update, and test the response plan often, and train all involved team members so they know how to respond when an incident occurs. Then, when your SMB becomes a target for cybercriminals, you’ll know your response will limit the damage the attack can do.