5 Common Mistakes When Building an IRP and How to Fix Them

It seems like security breaches are all we're hearing about in the news: this company was hacked, that business was attacked by ransomware, even deep fakes are becoming a thing we have to be on the look out for. So what do we do? With so many recent breaches cascading the news, how do we prevent from being the next headline? The answer is: build an Incident Response Plan (IRP).

Let me ask you, do you have an Incident Response Plan? Have you recently become concerned you might not have an air-tight a plan as you thought? Are you unfamiliar with what an Incident Response Plan even is? Did you have to research for days to figure out a simple answer to that question and still are not entirely sure?  I ask these questions because if you answered "yes" to any of them, you've probably made a mistake in the planning process. But how do you fix your Incident Response Plan if you don't know what's wrong with it? Allow me to break it down for you. 

What is an IRp?

An Incident Response Plan (IRP) is  the step by step process you have in place to answer two crucial questions: what plan do you have in place when a security breach inevitably occurs and who is going to fix it? 

Having this plan in place ensures that the right investigation happens at the right time whether it’s a threat to your business or the dreaded customer phone call frantically informing you they’ve just been infected with malware.  My point is you have to be ready. If you’re not prepared, you might be the next headline like the U.S. Marshal's Service was last week.

And maybe you’re nodding your head right now, following along with a light snicker because you’re thinking “I already have a plan, Emily, I’m fine.” But let’s face it, unless your IT team consists of Stephen Hawking, Jeff Bezos, and Superman, you might not be completely equipped to trust your plan. And where there’s a lack of experience, mistakes will happen. 

Common Mistakes when Building an IRP

Why is your company failing at incident response? It's an easy thing to do. But why? What are the common mistakes when building an IRP that impact its effectiveness? 

5 Common Mistakes to Consider When Planning for Incident Response:

1. The Plan is Only Aspirational
   Essentially, you don't have the capability or bandwidth to meet your plan objectives. Your preparation is only conversational, not actionable for when the threat occurs. Without action, there really isn't a plan at all, just a smoke and mirrors hopeful assurance. 
   
   
2. You Don't Conduct Frequent Reviews and Testing of the IRP
   This is reminiscent of every classroom fumble I ever made to which I would respond with "whatever. I'll do it live." And, after a few years of "doing it live," I eventually figured it out, but those first few times? They were rough. I had to focus more on damage control than actually providing a solution to the lesson at hand. Over time and after thoroughly investigating my objectives and goals for each lesson, I was able to foresee the problems and handle them proactively instead of retroactively. An IRP is exactly the same. Test it and review it before the threat occurs, and eventually you'll have a trustworthy plan in place for the future. 
   
   
3. You Don't Build Third-Party Partners into the Plan
   Don't forget, planning is so much easier with a partner to help you (teacher Emily relied heavily on her department chair to review and give feedback for the future). Your response plan should include all partner/vendors you're using to help you prepare for threats. In this instance, the old adage is true: no Incident Response Plan is an island. Use your resources! It will pay off in the long run. 
   
   
4. The IRP Isn't Evolving Over Time
   The ol' "I''ve got this" confidence...and then you wait. And you wait. And maybe you're lucky enough to not have a threat occur but as time goes by,  your plan gets more and more outdated. Hackers get smarter and all the while, your "secure" plan is like the high school star quarterback from 1987: all talk with worn out dreams and no backbone. 
   
   
5. You're Using an "Off-the-Shelf" Plan
   So many organizations employ generic incident response plans for a breach or threat. Basically, you grabbed a binder off the shelf titled "Incident Response Plan," dusted it off, and scanned it into your system. While this may give you a false sense of security, when your IRP isn't customized to your business objectives, needs, and goals, it will most certainly be ineffective at preventing threats. 

How to make/Fix Your Incident response plan

Unfortunately, depending on the size of your business, an IRP is not something you can accomplish on your own, nor do we recommend it unless you have a dedicated, full sized IT team to remediate security issues (PRO TIP: we'd love to help you with that!).

Additionally, as a business leader, you have a big responsibility when choosing an outsourced investigation team: make sure your partners in preventing crime have the right ideas in place when approaching your individual businesses.

So we know what not to do, but how do you make/fix your broken IRP? Get yourself a friend! 

Companies like Arctic Wolf specialize in identifying, investigating, and responding to all types of incidents including ransomware response, data breach response, and business email compromise investigations. Benefits of using their IRP are they ensure:

• Faster Response: Arctic Wolf is ready to help you whenever you need it. This mean they are available round the clock, so the next time you get the dreaded customer malware call, they're ready. 
• Complete Remediation: Their team analyzes the root cause and extent of the attack and completely removes the threat's access to the environment. This limits a cybercriminal’s ability to create backdoors and regain access.
• Quick Restoration: Arctic Wolf is one of the few teams who prioritize data recovery and restoration while simultaneously conducting the threat investigation. This ensures you get back to business faster.  

Centre already trusts Arctic Wolf to help protect us from future threats, but in order to have a complete plan in place, it must be customized to our business goals. I spoke with our Chief Information Security Officer, Anthony Leatherwood, for Centre's customized steps to creating an effective IRP. 

• Identify and understand your IT environment so you know what risks are possible
• Conduct an inventory of the assets you have now so you know what you need for the future
• Interview or observe vendors you want to partner with. If they don't understand you, they'll never help you! 
• Create and investigate a Business Impact Analysis. Is the security impact of that partner helpful? If not, you need a new friend! 
• Finally, create an Incident Response Plan, a Business Continuity Plan, and a Disaster Recovery Plan. Basically, plan for threat incidents, plan for getting back online, and plan fir the worst. 

• Test it and revise as needed! 
  
  
• Here's a case study to help you learn a little more about that process. 

Want to know more? 

We've got you covered!

Who said response planning has to be boring? Check out our March Madness Secure Your Bracket webinar to learn more about Arctic Wolf's IRP process and hear from ESPN's, Joe Lunardi, for his March Madness picks and upsets!