In 2024, cybersecurity incidents have become a matter of “when,” not “if”. With organisations of all sizes – from established enterprises to new startups – now storing most of their valuable information digitally, no one is spared from attacks by cybercriminals.
As a leading digital hub in the region, Singapore has seen its fair share of cyberattacks in recent years. Online marketplace Carousell previously reported a data leak that affected around 2.6 million users, with the database sold on the Dark Web and hacking forums. More recently, Marina Bay Sands, Singapore’s iconic luxury hotel, saw the email addresses and mobile phone numbers of its Sands Lifestyle rewards program members accessed in a data breach.
For startups especially, security breaches can make or break the business, leaving behind devastating consequences that go beyond mere monetary loss. For a new entrant to the market, a tarnished brand reputation and eroded customer trust, along with possible legal implications, can have a profound impact on the business.
In this landscape, organisations cannot afford to take a reactive approach toward cybersecurity and need to have a tailored and specific plan in place to prepare for near-inevitable cyberattacks.
A good starting point for this is the cybersecurity Incident Response Plan (IRP).
What makes a good IRP
The IRP is a critical document that prepares an organisation for handling a security incident. It documents a list of procedures that detail the specific actions to take for cyber threat detection, response, and recovery. This helps the organisation consolidate resources and respond quickly during a security incident.
A good IRP documents the roles and responsibilities of the relevant stakeholders across the organisation that make up the incident response team. For instance, it identifies the incident response managers who would decide on the appropriate response plan during a cyberattack, the security analysts who would review security logs and detect suspicious activity in the IT landscape, and the communication teams who would inform affected stakeholders regarding the cyber incident.
It should also make clear how security events and security incidents are defined and categorised. Not all events become incidents; a security event should only be recognised as a security incident when it produces consequences, such as a violation of confidentiality, integrity, or availability of your organisation’s systems or data.
Putting the IRP into action
In the context of a data breach, the IRP should cover:
Immediate actions upon breach detection
Upon breach detection, organisations should investigate their security reports and alerts to ensure that the incident is not a false positive. Once validated, they should collect incident data – through tools such as Security Information and Event Management (SIEM) – for an initial assessment of the extent and impact of the breach. Stakeholders, such as the leadership, IT, communications, and legal teams, should also be notified at this stage.
Damage control for affected parties
Following the verification of a security incident, the next step is to contain and eliminate the threat. Here, the IRP should list out possible response procedures and strategies to contain and mitigate the threat, followed by a recovery plan. This could entail re-installing affected systems, restoring data from backups, or changing users’ passwords if passwords are compromised.
Preparing and relaying a public response
Concurrently, the organisation should develop a communication plan to ensure the effective and timely delivery of information to relevant stakeholders, including employees, customers, law enforcement, and the media. It is important that the communications team, together with legal advisors, craft clear communications that convey urgency, transparency, and responsibility. Proactive updates that draw on insights from the SIEM can help demonstrate the real-time status of the attack and the effectiveness of containment measures.
Strategies for remediation and recovery
In the aftermath of a cybersecurity incident, IT and leadership teams will need to conduct a retrospective analysis to understand the root causes of the incident and take steps to ensure that the vulnerability is addressed. Proactive and transparent communication on efforts taken to reduce vulnerabilities will play a pivotal role in trust restoration.
In today’s ever-evolving cybersecurity threat landscape, the need for a well-crafted IRP cannot be overstated. Cyberattacks have become a pervasive threat, and it is clear that merely reacting post-incident is no longer sufficient. Moving forward, proactive planning will be key to building cyber resilience.
As we navigate the digital age, the case for a robust Incident Response Plan stands stronger than ever, as it not only safeguards against cyber adversaries but also fortifies the foundation of a company’s brand trust and integrity.
The post Proactive defense: The role of incident response plans in cybersecurity appeared first on e27.