Three Ways to Improve Your Security Incident Response Plan

Whether you’re recovering from a recent cyberattack or planning ahead to prevent a future one, having an effective cybersecurity incident response plan in place is key to quickly responding and containing security incidents.

The most important element of a security incident response plan is the human element. Effective, clear and timely communications are essential elements for ensuring that incident response is swift and appropriate.

Ready to set your organization’s incident response plan in motion? Here are three important action items to incorporate into your strategy.

1. Know Your Organization; Know Your Leadership

It seems simple enough, but many organizations are highly complex in their overall structure. The average employee may not fully understand the big picture—especially if you work in an organization encompassing multiple entities. Ensuring in advance that all employees know or have access to resources which indicate, in the simplest terms, who to go to for what and where to find those people and resources is critical in planning your response strategy for potential security breaches.

Confusion over reporting structures can be easily prevented in advance. If confusion occurs about who to alert first after the security incident is discovered, the amount of time it takes to respond will increase—which could ultimately delay the containing of the incident and mitigation, said Lee Kim, JD, CISSP, CIPP/US, FHIMSS; director of privacy and security at HIMSS. “For example, a security incident is, in itself, technical in nature and a privacy officer may not be able to understand the technical nature of the incident. Thus, if a security incident is reported to a privacy officer, there may be a delay in reporting the incident to the correct individual due to a lack of understanding of what has happened.”

It is essential to know the chain of command, including who to report to if there is a security incident. This includes the correct point of contact in the IT security, legal and communications departments. Responding to a security incident is indeed a cross-disciplinary effort which requires careful coordination among several departments within an organization.

In addition to having written procedures on who to contact in case a security incident occurs, it may be helpful, too, to have visual diagrams about who to contact and under what circumstances. Your organization’s communications team, too, plays a vital role in security incident response, including external facing communications and internal communications to employees (especially if the discovered incident has a wide impact on users and/or in such cases where employees have a need to know).

Allyson Vicars, a consultant with The Advisory Board Company's Health Care IT Advisor program, talks with HIMSS TV about how to make healthcare cybersecurity a priority for your C-suite.

2. Engage With Your Legal Team

Whether investigating a newly discovered incident or a potential breach, your organization’s legal team—whether in-house, outside counsel, or both—should be involved each step of the way, said Kim. “The legal team should be at the center of all activities to help triage and manage them. For example, an organization’s leadership may wish to report the security incident to governmental entities. The legal team can ensure that the incident is reported appropriately and provide advice on reporting the security incident to regulators if it is required. Or the legal team may recommend—under certain circumstances—that the incident does not need to be reported to regulators and provide the reasons why. The legal team can also assist with recommending whether a breach notification to affected individuals is required and the proposed content of any such notification.”

Additionally, cybersecurity leaders should actively engage with the communications team to ensure that the messaging, whether internal or external, is accurate and appropriate, Kim said. “It is important to have your legal team working with your communications or media relations team to plan a response for potential media inquiries, customer, and/or employee concerns.

“The role of the lawyer extends far beyond just simply reporting a data breach. For example, with the help of the IT security team, the lawyer may investigate an incident to determine what has actually occurred,” said Kim. “The legal team can help manage the risk throughout the lifecycle of the discovery of the incident, response and resolution.”

In healthcare, breach litigation tends to be somewhat rare, but lawsuits do sometimes occur—especially in high-profile breaches, Kim noted. “Whether it is a litigation or transactional matter, your legal team should have individuals with cybersecurity expertise who can serve as advisors to assist with both technical and legal ramifications of incident response.”

3. Communicate Strategically

Does your organization have information sharing policies and procedures in place? If so, are all employees aware of them? Effectively communicating all related policies and procedures is vital to developing an effective incident response program, Kim emphasized.

Fear of reporting a potential breach internally is something that occurs far too often, which is why both internal and external information sharing policies and procedures need to be in place and employees must be made aware of them. “Organizations need to create both a culture of information sharing where employees and contractors do not fear adverse consequences for reporting suspected incidents,” said Kim. “And just as information sharing needs to occur within the organization, there are times when the information needs to be communicated externally as well.”

If an incident has a significant impact on end users at an organization—or if the breach has been reported to media—following up with clear internal communications and guidelines for employees and contractors (after consulting with your legal team) is important so all individuals understand how to respond to potential inquiries that may come from clients or customers. “The right amount of communication and to whom should be determined on a case-by-case basis, depending upon the circumstances,” said Kim.

“Ideally, the organization will already have a playbook which will set forth when certain types of communication is necessary, with whom and when. In the case of an especially sensitive situation involving a security incident, robust controls need to be in place to make sure that workforce members are keeping such information in strict confidence.”

Also important for the internal side of security incident response, is having drills in place to test your plan. The HIMSS Cybersecurity Survey, featuring the feedback of 166 information security leaders, showed that at least 70% of incidents originated by way of phishing emails. Carefully crafted phishing emails may cause even the most sophisticated recipient (including those on the IT security team) to be fooled and erroneously click or responding to such messages. How do we mitigate this serious threat?

Security awareness is oftentimes conducted at organizations only once a year. Organizations need to increase the frequency of security awareness training. Ideally, employees and contractors are trained on how to detect and respond to a phishing email. Reporting a phishing email to the appropriate point of contact on the IT security team should be easy for employees and contractors. Additionally, employees and contractors should regularly train with mock phishing exercises. Organizations should keep track of phishing metrics to accurately gauge whether the anti-phishing program is effective or whether it needs more improvement. An industry average for phishing is a click rate of 10%. Ideally, though, the phishing click rate should be lower than 10%.

It’s never too early to get the conversation about incident response started, with the ultimate goal of starting the conversation before it’s too late. By involving your entire organization in the plan, your incident response plan will be better positioned to act quickly to detect, contain and eradicate incidents.

Originally published August 13, 2019