Incident Response Plan

Envision IT Pressroom | January 19, 2022


Just how prepared is your organization to respond to a cyber-attack? Does everyone agree that you need to have a coordinated and robust plan? Are your current plans compliant with your existing cyber-security insurance policies? If not, here are some interesting findings from recent studies gauging preparedness: 

  • Only 14% of small businesses view their cyber-attack and risk mitigation capabilities as highly effective.  

  • More than 40% of SMBs do not have any cybersecurity plan in place. 

  • One in five small companies does not use endpoint security, and more than 50% of SMBs do not have in-house IT security experts. 

If your company was on the receiving end of a cyber-attack, to borrow a phrase from Ghostbusters, who you gonna call? What if you had no phones, no computers, no email, no org charts, no contacts, no help desk, no authentication, no Zoom, no wireless, no internet? What would you do? 

There’s no time like the present to build out the answers to those and many other questions through a robust, detailed, and relevant incident response plan. But where to start? Your Cyber Security MSP is a great place to start understanding the components of a robust plan.   

The National Institute of Standards and Technology (NIST) has produced a detailed Computer Security Incident Handling Guide which outlines the key elements of an effective incident response plan and provides a number of scenarios to consider when drafting a plan appropriate for your company, your industry, and the sensitivity of the data you are entrusted with. 

The key elements of any plan are: 

  • Mission (Why) 

  • Strategies and goals (What) 

  • Senior management approval (Who) 

  • Organizational approach to incident response (What) 

  • How the incident response team will communicate with the rest of the organization and with other organizations (When) 

  • Metrics for measuring the incident response capability and its effectiveness (What) 

  • Roadmap for maturing the incident response capability (What) 

  • How the program fits into the overall organization (Why) 

As you work with your team to build your response plan, you should remember to include: 

  • Contacts for key people 

  • Insurance contacts 

  • List of planned recovery resources (spares, cloud, BYOD, Backups) 

  • What order to recover systems (ERP, Payroll, Email, etc.) 

  • Plan to maintain forensics for analysis 

Finally, it’s critical to plan table-top exercises to test the validity of your plan. Oftentimes, when an organization suffers an attack, things it assumed to be true turn out not to be.  

For example, suppose you try to log into your hypervisor management console, which depends on Active Directory. What if Active Directory was hit by ransomware? You can't log in to start restoring servers. There may be workarounds, but they could also cause delay, and time is of the essence. If you had played these and other scenarios out via table-top exercises, you would already know what you need to do. 

It is important to run the exercise once or twice to discover which roadblocks you might encounter, so that the workarounds are built into the incident response plan before you actually need them. 
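A small way to surface the hypervisor/Active Directory trap before the table-top exercise, as an added example that is not part of the original article: each system lists what must be restored before it, a dependency-aware ordering is computed (business priority breaks ties, here the article's ERP, Payroll, Email order), and anything stuck behind a circular dependency is reported so a break-glass path can be documented. The system names and dependencies are a constructed sample, not a real environment.

```python
# Constructed sample (not from the article): each system -> systems that must be
# restored first. The hypervisor console and Active Directory depend on each other,
# because the domain controller is a VM on that same hypervisor.
RECOVERY_DEPENDENCIES = {
    "backup_server": [],
    "hypervisor_console": ["active_directory"],   # console logins go through AD
    "active_directory": ["hypervisor_console"],   # but the DC is a VM on the hypervisor
    "erp": ["active_directory", "backup_server"],
    "email": ["active_directory", "backup_server"],
    "payroll": ["erp"],
}

# The article's example business ordering; used only to break ties between
# systems whose dependencies are all satisfied.
BUSINESS_PRIORITY = ["erp", "payroll", "email"]


def recovery_order(deps, priority=()):
    """Kahn-style ordering. Returns (restorable systems in order, set of systems
    stuck behind a circular dependency). Systems not in `priority` sort last,
    alphabetically, so the resulting plan is deterministic."""
    rank = {name: i for i, name in enumerate(priority)}
    key = lambda name: (rank.get(name, len(priority)), name)
    remaining = {system: set(needs) for system, needs in deps.items()}
    order = []
    while True:
        ready = sorted((s for s, needs in remaining.items() if not needs), key=key)
        if not ready:
            break
        current = ready[0]
        order.append(current)
        del remaining[current]
        for needs in remaining.values():
            needs.discard(current)
    return order, set(remaining)


def with_break_glass(deps, system, removed_dependency, priority=()):
    """Model a documented workaround (e.g. a local, non-AD admin account on the
    hypervisor) by dropping one dependency edge, then recompute the order."""
    patched = {s: [d for d in needs if not (s == system and d == removed_dependency)]
               for s, needs in deps.items()}
    return recovery_order(patched, priority)


if __name__ == "__main__":
    order, stuck = recovery_order(RECOVERY_DEPENDENCIES, BUSINESS_PRIORITY)
    print("as planned:", order, "stuck:", sorted(stuck))
    order, stuck = with_break_glass(RECOVERY_DEPENDENCIES, "hypervisor_console",
                                    "active_directory", BUSINESS_PRIORITY)
    print("with local hypervisor admin:", order, "stuck:", sorted(stuck))
```

Without the break-glass edge only the backup server is restorable and every other system is reported as stuck; with it, the whole environment orders cleanly behind the hypervisor and Active Directory.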

Proactive MSPs can facilitate these exercises, which are typically an “all hands on deck” affair with every critical business unit and its personnel involved to build out and test the plan.  

To learn more about how Envision IT can maintain the health of your technology environment, strengthen your security posture, and help your organization address the ransomware crisis from “readiness to response,” visit us at or give us a call at 608.824.2060. 

Tags: Security