How would your nonprofit respond to a cyber incident?
That is, essentially, the question that an incident response plan seeks to answer.
Incident response plans are a valuable component of strategic nonprofit cybersecurity. Unfortunately, many organizations don’t have a robust plan in place – or, really, any plan at all. NTEN reports that 68% of nonprofits don’t have documented policies and procedures in case of a cyberattack. That’s the bad news.
The good news is that with a plan in place, your organization can drastically reduce cybersecurity risk. We’re here to help. In this article, we’ll discuss answers to four of the most common questions around incident response plans:
- What is an incident response plan?
- Why is an incident response plan important?
- What should be included in an incident response plan?
- How should incident response plans be maintained?
With this information, you should be able to update (or begin crafting) your plans to improve your cybersecurity stance. Let’s dive in.
What is an incident response plan?
Incident response plans are documented protocols and steps that are designed to help organizations effectively respond to cybersecurity incidents. Basically, they give organizations a game plan to make addressing cyber incidents easier.
Cisco defines an incident response plan this way: “An incident response plan is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.”
As that definition suggests, your nonprofit may craft a generalized incident response plan, but the plan should also address specific scenarios directly. It’s best to be prepared.
Why are incident response plans important?
The answer to this question is straightforward: incident response plans help organizations to minimize cyber damage.
Plans help organizations to be prepared. Just as pro sports coaches spend time crafting game plans in preparation for opponents, your organization should spend time crafting plans to respond to incidents – because proactive, strategic thinking tends to be better than reactive thinking.
If a cyber incident happens and no plan is in place, you’ll probably respond less effectively. You may be disorganized. The consequence is that your organization may face more damage.
What should be included in an incident response plan?
Here’s what nonprofit incident response plans should entail.
The roles of incident response team members.
Plans should document and clarify the roles of response team members, noting the responsibilities and decision-making powers of these parties. This may go as far as naming individuals (e.g. “Veronica will function as the Internal Incident Manager”), but more likely it will define roles at the positional level (e.g. “The acting CISO will function as Team Leader”).
Clarify who will organize internal communications, who will communicate externally, and who will take specific containment and mitigation steps. With clear role definition, response will be far more efficient.
Communications protocols and chains of command.
Communication protocols should be outlined, too, so that team workflows are smooth and efficient. You should define channels you’ll use; if your network is compromised, for example, you probably shouldn’t be corresponding using the organization’s email platform. You may want to look into secure communication platforms for this purpose.
Additionally, your plan might include communication scenarios for multiple breach or incident types. Communication might flow differently in the event of a data breach than it might in the event of a ransomware attack.
Containment and mitigation tactics.
This is where things start to get practical – and a bit technical. You should define the steps you’ll take in the event of various incident scenarios to contain risk and minimize damages.
For instance, in the event of a data breach, what steps would you take to harden uncompromised systems? Would you shut systems down in the event of an incident – and how would you make the decision to do so?
Working through containment and mitigation strategies proactively can allow for more intelligent decision-making before you’re under the pressure of a real response.
You’ll also want to include external considerations in your plan – security incidents often affect parties who aren’t part of your organization.
Your plan should identify any external or regulatory reporting requirements and establish action steps. This might include payment card industry requirements, HIPAA reporting requirements, or other regulatory protocols, depending on who your nonprofit serves and the nature of your work.
External forensics strategy.
Plans should account for any external assistance that may be needed in the event of an attack and develop those lines of communication proactively.
If you’ll need to work with third-party vendors in the event of a data breach, for example, develop a list of possible partners and open up dialogue with them before a breach ever occurs. In the event that an incident occurs, you’ll have a shortlist of contacts to turn to.
How should incident response plans be maintained?
This is the after-action stage of incident response planning, and it involves two main action items:
Review and update your plan regularly.
Incident response plans should be updated as contexts change (for instance, as internal players and external contacts change, or as new technologies emerge). This should certainly be done after an incident, when you can analyze what worked and what could have been improved.
If there are no incidents, you should schedule regular periods of review to keep plans up to date. At the very least, plans should be updated on an annual basis.
Test the plan.
It’s also important to test plans to ensure that they work effectively and that individuals are ready to fill their roles. Testing helps to build preparedness so that plans remain top-of-mind.
Ready to reduce cybersecurity risk for your nonprofit?
Creating and maintaining an effective incident response plan can reduce the amount of cybersecurity risk your nonprofit faces. If you want to take the next step toward better cybersecurity, get in touch with us.
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to after settling for low-cost IT support options they believe will provide them with the right value.
As a result, cyber damages are all too common.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
Incident response plans are a vital part of any robust cybersecurity stance – but working with us can reduce the likelihood that you’ll experience an effective attack in the first place. If you’re ready to gain peace of mind about your cybersecurity, let’s talk.