Importance of Incident Response Reports

By Tyler W

January 21, 2023

Importance of Incident Response Reports

One of the most common initiatives we provide to clients, regardless of their business size is the development of an incident response report. We specialise in helping small businesses (and individuals) navigate their cyber security requirements and set up. However, we do this with the overarching requirement of not negatively impacting their operational efficiencies. Businesses who do not specialise in cybersecurity rarely make profits from cybersecurity, and this is the reason we require any solutions introduced to be as transparent as possible. If cybersecurity is too hard, it will be abandoned.

Very few small business enterprises have an incident response plan, and that is because they do not know they need one. These are not a mandatory requirement, but come highly recommended by us. When a victim suffers an attack it is almost paralysing, they do not know what to do, they do not know how it happened and they do not not who to call. When we are contacted after an attack (as is often the case) we always commence with the request of a copy of their incident response plan, to which we receive an overwhelming "a what?". Regardless of what happens next in our engagement, a note is made to ensure we revisit this at the completion of the attack triage.

The purpose of an incident response plan is to take the anxiety out of an attack and ensure your systems are robust prior to an attack. Each entity's incident response plan will be bespoke, we don't believe in the cookie cutter approach as it fails to get client buy in and helps make the initial decisions in the aftermath of an attack - it guides you through who is responsible internally, who to call externally, and any immediate network actions that need to be taken. Sometimes 'automating' these initial decisions can assist in gaining the momentum to navigate an attack.

The other benefit, and arguably, main benefit, of an incident response pan is that it helps identify network topology, critical assets that need protecting, and identifying weaknesses and threats in an enterprise set up (as well as the positive strengths and opportunities). Not everyone understands cybersecurity, and not everyone understands their requirements, but one thing business owners understand is their business at a macro-level and this helps in the development of a robust, current and actionable incident response plan.

Some of the key components, or starting point of an incident reposne plan are:

• Identify key personnel, and their roles / requirements after a cyber incident.
• Clearly identify what is deemed a cyber incident (and class accordingly).
• Analysis, containment and eradication of the incident.
• Recovery, inluding identifying what went right, what went wrong, and the root cause of the incident.
• Managing and maintaining information security during, and post, the incident.
• Notification (such as to ACSC, and police) and enforcement.
• Logging of all information, and preceeding events.

Once again, each incident response report will be unique (ideally), and it's length will be determined by the size of your enterprise, and the level of detail you can / want to go in to.

An incident response plan is also not a set and forget document, that you prepare for a 'just in case' or to satisfy insurance requirements, it should be an important living and breathing and document to help keep you cybersecurity current, and aid in providing additional cybersecurity protection. An incident response plan can look however you want it to look, it is not a reporting document, but does need to provide clear instructions to your incident response team. Hopefully the only time you need to rely on this document is when you come to review it, but should it be required as a result of an attack, you will be glad you have one. So, let's write one and start your cybersecurity improvement journey!