Incident Response Plan for Medium-to-Large-Size Organizations

Security teams and cyber attackers are locked in a race, each growing more sophisticated in their defense and attack processes as the cybersecurity landscape expands. Cybercriminals have no intention of backing off: they are no longer content to “rob” you but are making their best attempt to “own” your entire system, irrespective of how big your enterprise is.

Organizations, both medium- and large-sized, should worry about the “whats” as they prepare to deal with the “hows.” They may have to face questions like “What will happen if a client’s data is compromised?” “What information does the attacker seek?” “What is the consequence of the incident?” While these questions are difficult to answer in advance, implementing an incident response plan is the best way to survive a breach. Medium and large organizations must have a documented Incident Response (IR) plan that guides the enterprise through containing the incident and recovering from the attack. Small enterprises tend to rely on external service providers for protection and guidance, but large and medium enterprises should implement the following six steps to construct a robust incident response plan that ensures they can handle an attack efficiently, quickly, and with minimal damage.

1. Prepare

First, define, identify, analyze, and prepare an incident response plan. Building an incident response plan for a big enterprise involves analyzing the enterprise’s environment and determining the services, components, and applications that are critical to maintaining operations in the event of a breach. The enterprise should identify essential data that needs extra protection, understand where it is stored, and know its value. Once the team understands the importance of the information it needs to defend, it can lay down a templatized response plan.

2. Build an incident response team

Once your plan is documented, you can move on to building an incident response team: a group of trained professionals who work on mitigating the immediate issues that arise from a data breach. The team is trained to protect the elements identified in step 1 and to respond to the consequences of an incident. The incident response manager oversees and coordinates communication from both a technical and a procedural perspective. The size of the response team depends on the size of the organization.

3. Define incident response requirements and resolution times

The team formed in step 2 is responsible for detecting, responding to, and mitigating damage, as well as containing the incident in the shortest possible time. Response and resolution times may vary depending on the severity of the incident. For clarity during an incident, document the steps that must be taken to respond to and contain the incident, each with a defined timeframe. The complete process should be documented and distributed to all team members, management, and stakeholders.

4. Establish a disaster recovery strategy

Disaster recovery is the process of fixing and restoring systems, devices, and data so that they all return to normal operation. Disaster recovery can greatly assist with surviving a breach by establishing regular backup and recovery processes that reduce data loss and potential future damage. Although not every breach leads to a disaster recovery scenario, it is still advisable to keep a disaster recovery strategy in place. Having a defined strategy in the incident response plan ensures optimal recovery while minimizing troubleshooting challenges and preventing a recurrence.

5. Run a drill

Once you have everything in place for the incident response plan, run a fire drill to test its effectiveness. Start with the communication process by notifying the stakeholders, executive leadership, legal parties, press, and everyone else who must be informed about the incident. As the drill progresses, the incident response manager acts as spokesperson and updates stakeholders regularly on progress. Depending on the industry, conducting a cyber forensic investigation may be a legal requirement. Including a forensic investigation as part of the process helps the IR team identify areas that need improvement or remediation.

6. Plan for debriefing

In the last step, consider the areas that require continuous improvement. Conclude the incident response by preparing and submitting an incident report, conducting a gap analysis with the entire team, and implementing lessons learned as part of the post-incident activities.

No business wants to experience a data breach, but it is essential to have an incident response plan to rely on during major incidents. With these six steps of IR, you will be equipped to deal with the disaster, resolve it, and learn how to avoid future attacks.

Although incident response is considered a best practice for recovering from unexpected incidents, it is still not widely implemented by many large and medium organizations. This gap exists due to a lack of qualified and experienced incident handling resources.

A few statistics to understand why incident handling should be prioritized:

Cybersecurity damages are estimated to hit US$6 trillion by 2021 [1]. Discovering and reporting a data breach took nearly 50 days in 2018; it now takes 49.6 days, which is still not satisfactory [1]. Out of 2600 IT professionals surveyed, 70% confirmed that their company responds appropriately to a cyber threat [2].

Having an incident response team is crucial for large- and medium-sized organizations. Incident response is a technical skill that must be acquired explicitly. To close the knowledge gap in large organizations, EC-Council has introduced the latest iteration of its Certified Incident Handler (E|CIH) program, designed in collaboration with cybersecurity and incident handling and response practitioners across the globe. E|CIH is a comprehensive specialist-level incident response program that imparts the skills and knowledge an organization needs to handle an incident and reduce its impact from both a financial and a reputational perspective.


[1] https://techjury.net/stats-about/data-breach/

[2] https://hostingtribunal.com/blog/cybersecurity-statistics/

Editor's Note:
Reviewed by Vince Peeler, Sr. Manager, Cyber Intelligence Services at UnitedHealth Group and Dawie Wentzel, Head of Cyber Forensic Investigations at Absa Group Ltd.