Top Tips for Incident Response Planning



Alannah Carey Bates | Senior Cyber-risk and Data Protection Advisor

Date: 23 October 2023

October is Cyber Security Month and it’s a good time to reflect on your organisation’s preparedness for responding to a serious incident such as a cyber-attack. Preparing for an incident is money well spent. Having well-tested plans will ensure your response to an incident is more efficient and effective than it may otherwise have been. This can ultimately reduce the impact of a cyber incident in terms of financial, regulatory, and reputational damage. As well as being a key control measure in many cybersecurity frameworks such as those of the National Institute of Standards and Technology (NIST), incident response planning may also be a requirement for your organisation depending on your sector.

The European Commission’s recently expanded Network and Information Security Directive (NIS2) has broadened the application of the Directive to include new sectors and entities in order to achieve a high common level of cybersecurity across the EU. The Directive includes incident response measures. In Ireland, the Public Sector Cyber Security Baseline Standards have been introduced to bring Public Service Bodies up to a minimum acceptable standard of cybersecurity. Having a Cyber Incident Response Plan in which staff have had training and practice is a readiness measure outlined in the Standards. In this article we provide top tips for testing your response plans.


Four Tips for Incident Preparedness 

The first tip is to ensure your response plan is up to date and sufficiently detailed. Periodic reviews will ensure it stays relevant, as many factors can contribute to a plan becoming out of date and no longer fit for purpose. For example, business operations change frequently, whether it’s technological changes such as moving from on-premises to the cloud, or even physical changes where operations may move from one location to another. We recommend at least an annual review, but ideally updates should be anticipated and made when operations change and evolve.

The second tip is to ensure the right people are involved in a response to an incident – this will make all the difference. Whether the plan is an incident response plan, a business continuity plan or a crisis communications plan, having the right people involved is essential for speedy, informed and authoritative decision making. Carefully consider roles and responsibilities when drafting plans. A well-written plan will ensure that each member of the team has clear responsibilities outlined. Don’t forget to include a deputy for each of the essential roles and ensure they too have been trained and have participated in practice exercises.

The third tip is to have resources prepared in advance. This could range from secure communication channels to template documents. One issue that organisations sometimes face in the throes of an incident is that when systems become unavailable, they no longer have access to their plans. This could be as a result of a system intentionally being taken offline by the IT team or indeed where an attack renders data encrypted. Having offline and/or paper copies of essential resources such as plans, contact lists and templates will be of great value if systems are inaccessible. Templates for documenting the incident response will also be useful to allow decisions and instructions to be clearly communicated. Having draft communication templates ready to go will also be very important. Communication templates may include drafts for particular scenarios to inform stakeholders such as the media, the Board, Regulators or staff. Carefully considered communications are important to ensure stakeholders are adequately informed without causing wider repercussions or unnecessary alarm.

Our last tip is to practise… practise… practise. Fire drills are a well-established exercise, so why not practise your organisation’s response to a cyber incident or major data breach? This type of exercise will draw out gaps in your plans and highlight where additional content may be needed to address certain issues. An exercise will allow the response team to become familiar with what is being asked of them, which is very important in what is likely to be an extremely pressurised environment. Allowing the response team the opportunity to make the wrong decision in a test environment could be the difference between a well-executed response and a poor response in the event of a real incident. Inevitably, a plan that has been practised will speed up the response, which may significantly reduce the impact of an incident.

In short, planning is an essential element of ensuring a successful incident response. A well-considered plan that has been sufficiently tested can be an extremely valuable asset to an organisation and can significantly reduce the extent of damage caused by an incident. Trilateral’s Data Protection and Cyber-Risk Team has extensive experience advising and assisting organisations, of all sizes and sectors, in drafting Incident Response Plans, Crisis Management Plans, Business Continuity Plans and Disaster Recovery Plans. Furthermore, we are able to design and facilitate simulations to test these plans.  For more information, please contact our advisors to discuss your requirements. Our team would be happy to help. 
