Expanded Definition: Incident Response Plan

What is an incident response plan?

Responding to a cybersecurity incident is a stressful time for any organization, and a standardized set of incident response processes reduces that stress by taking decisions off the critical path. Does your company know what to do in the event of a cybersecurity incident? An incident response plan (IR plan) is a predetermined plan that an organization creates as a framework for what will happen before, during and after a cybersecurity incident. It details what needs to happen, when it needs to happen, and who is responsible for each action. Whether or not an organization has experienced a cybersecurity incident in the past, an IR plan is necessary to limit damage when one occurs and to manage risk going forward.

Unfortunately, many organizations, including small and medium-sized businesses (SMBs), have not taken the time to develop an IR plan, even though it is a crucial component of overall cybersecurity. According to The State of SMB Cybersecurity in 2021, a survey conducted by Vanson Bourne and commissioned by ConnectWise, fewer than half of SMBs currently do any incident response planning.

To combat this lack of preparedness, best-in-class cybersecurity frameworks, including the NIST Cybersecurity Framework (whose Respond function covers response planning) and the MSP+ CSF, require an IR plan as part of good cybersecurity hygiene. As with any plan or program, start with a policy that states the purpose, objectives and scope. From there, define each relevant team member's roles and responsibilities, establish severity ratings for classifying incidents, and set the requirements for performance measurement, reporting and contact forms. The plan itself should include the strategies and goals, the organization's approach, metrics for measuring effectiveness, and the communication plan for disclosing incident information to both internal and external parties during the incident response process. Organizations should also walk through the IR plan with their employees routinely, so that people are ready when an actual cybersecurity event occurs. Preparing workforce personnel should include:

  • Testing the incident response capability at an interval established by the organization, and at least annually (tabletop exercises and simulated incidents both count)
  • Assigning designated internal or outsourced personnel to be available 24/7
  • Training the staff responsible for incident response activities regularly
  • Implementing an internal review process that updates the IR plan to address recent industry or organizational changes, and the lessons learned from each real incident or exercise

It is very hard to improvise an effective cybersecurity response on the fly, which is why every organization, regardless of industry, should have a carefully designed and tested IR plan.

The MSP role in incident response planning

Cybersecurity training

To have the security conversation with clients credibly, MSPs must first verify that their own house is in order and that they are practicing what they preach. This means having an IR plan in place and making sure that all employees understand what it entails.

There are many free online resources, such as the ConnectWise IT Nation Secure MSP+ playbooks, that can be used to get everyone on the same page regarding incident response, from engineers to sales teams. As noted above, one of the most effective ways for an MSP to find the weak spots in an IR plan is to run regular exercises that mimic how the team would respond during a real cybersecurity event; the gaps in contact lists, access, tooling and decision authority tend to surface only under that kind of pressure.

Risk assessments

In keeping with the idea of walking the walk before talking the talk, MSPs should run a risk assessment on their own networks and systems to identify security weaknesses that need to be addressed immediately. If proactive measures are taken to shore up defenses before vulnerabilities are exploited, the MSP's response plan should need to be invoked less often, although no set of preventive controls removes the need for one.

Once an MSP is ready to begin offering cybersecurity services to clients, it is a good idea to start an interested customer off with a strategic risk assessment of the customer's own environment. This will help uncover cybersecurity risks such as:

  • Network vulnerabilities
  • Poor device management
  • Data compliance problems
  • Internal threats
  • And more

An effective risk assessment should also include prioritized remediation recommendations, so the client understands what they need to do to fix the problem areas and get their cybersecurity program back on track.

Security operations center (SOC)

As mentioned previously, cybersecurity is a 24/7 effort, and most MSPs do not have the resources to watch everything going on within their own and their clients' environments around the clock. An expertly staffed SOC can provide that round-the-clock monitoring so that threats are identified and handled as quickly as possible. In fact, our research found that building an internal SOC team costs an average of $2.3 million.

That is why many MSPs have started using an outsourced 24/7 global SOC to get the benefits of a full-time SOC at a much lower price. Like an in-house SOC, these teams provide rapid response and remediation, and their services and capabilities can cover gaps that come to light while formulating an IR plan.

Did you know?

Incident response plan testing combined with an incident response team reduces the cost of a data breach by an average of $2 million.

IBM Cost of a Data Breach Report 2020

Additional Resources

How to Conduct an Effective Cybersecurity Analysis: A Guide for MSPs (blog post)

Cybersecurity incidents are now impacting businesses of all sizes. Your customers are likely wondering how you can help them become more secure. From privacy program reviews to incident response plan development, here are six areas to focus on when conducting a cybersecurity analysis.

ConnectWise Cybersecurity Starter Kit (kit)

Want to start selling cybersecurity? We have put together a kit to help. Download the kit for resources that will transform your business from an MSP to an MSP+ model, including educational information for your SMB customers, templates, and more.

The SMB Cybersecurity Checklist (checklist)

How secure are your SMB clients? Chances are, they may not fully understand their risks and exposures. Use this 30-item checklist to start the conversation around cybersecurity, help them understand the cybersecurity landscape, and assess their security postures.

Cybersecurity in an Era of Competing Priorities: The State of SMB Cybersecurity in 2021 (report)

SMBs are not immune from cybersecurity risks, quite the contrary. Our 2021 survey of 700 SMB decision makers uncovered interesting findings about how these businesses are thinking about cybersecurity, their spending plans, and what motivates them when it comes to security.

The Security Journey Self-Assessment (assessment)

Wondering where you stand in your cybersecurity journey? Take this assessment to understand how advanced your cybersecurity knowledge is and to identify areas where you can expand your understanding of key cybersecurity concepts and precautions.

Blog post

Even among companies that acknowledge cybersecurity is important, it is easy for decision makers to become complacent in thinking that their defenses are "good enough." Here are five commonly heard objections to improving cybersecurity posture, along with the real situation behind each.