SURE, YOU’VE GOT A CYBERSECURITY POLICY, BUT DO YOU HAVE A “RESPONSE PLAN”?

Wednesday, August 28, 2024

At a time when, some days, it may feel as though cybercriminals are playing chess and the rest of us are playing checkers, there’s one thing that a company or organization can do to help make sure it’s ready when a cyber incident or cyberattack occurs.

Because while it’s essential for all of us to keep creating strong passwords and using multi-factor authentication, practicing cyber hygiene is only part of the equation. At some point, it’s (more than) likely you’re going to take a hit, as evidenced by the fact that, in 2023, there was a 72 percent increase in the number of data breaches since 2021.

To borrow a line from the movie, “City Slickers”, the one thing is making sure you have an incident response plan.

Having a written document, one that’s formally approved by your company or organization, is crucial and it’ll help you before, during, and after an incident (even those in which you suspect something may have happened). More than that, it enables people to understand their roles and responsibilities and it’s a good opportunity to provide any kind of guidance that is needed for key activities.

Here in Indiana, to get you started, there is a wealth of free-to-download resources available on the Emergency Response and Recovery page on the Indiana Cyber Hub website. In addition to the Emergency Manager Cybersecurity Toolkit 2.0, there are four cybersecurity incident response plan templates (including ones for county and city government). Each template is easy to use and designed in a format that fits with your type of business or organization.

Before it Happens

Of course, the first step in any process for which you expect your staff to be prepared is providing them with the training they’ll need, along with the understanding that comes with anything that’s new. That covers everything from what they’ll want to look for when reporting something that’s suspicious to being sure that you are gracious in the event someone reports a false alarm.

Among the other things you’ll want to do “before” an incident:

  • Meet your CISA regional team. (Yes, this is something you can use as a resource). You can find your regional CISA office information here.
  • Meet and get to know your local law enforcement agency team. In coordination with your attorney, get to know your local police or FBI representatives, so that you’re not meeting them for the first time when something happens.
  • Print these documents and the associated contact list and give a copy to everyone you expect to play a role in an incident. During an incident, your internal email, chat, and document storage services may be down or inaccessible.
  • Review your plan quarterly. The best response plans are living documents that evolve with the changes occurring within your business or organization.
  • Make sure you have responses for the news media prepared in advance. If a reporter calls you, claiming to have data stolen from your file, you’ll want to be ready with information that’s accurate and appropriate to the situation.

When it Happens

During an incident, there are three important assignments you’ll want to have identified ahead of time: an incident manager (to lead the response), a tech manager (to serve as the subject matter expert), and a communications manager (to handle the information that’s shared internally, as well as with the press and your external stakeholders, i.e. shareholders, customers, school community).

After it’s Over

After a cyber incident is over, you’ll want to formally report out the known timeline for the incident itself and ask others for additions and edits. In going through this step of the process, be sure that these discussions are blameless. For this part of the plan to have any value, people need to feel as though they are free to openly discuss the incident in an environment that’s safe and supportive. Security incidents are rarely the result of one person’s action; the focus needs to be on the processes and identifying ways that they can be improved.

Another outcome will be to update any policies or procedures based on the discussions that take place and, most importantly, you’ll want to be sure to communicate the findings – what you’ve learned – to your staff. In doing so, you’ll provide the kind of transparency that builds trust, and many staff will appreciate hearing how seriously the leadership of your company or organization takes security as a priority.

In the movie, when Curly is asked what’s the “one thing”, he replies “…that’s what you got to figure out”.

When it comes to having an incident response plan, what you decide and how it works will depend on a number of factors and, in all likelihood, it’ll be driven by how your school, local government agency or business is structured, but that’s OK, so long as what you’re doing helps keep everything – and everyone – safe and secure.

If it were a plot, cyber always offers its fair share of twists and turns and sometimes you don’t always know who’s the bad guy. But, with some proactive planning, you’ll have an opportunity to write a happier ending.