An Expert's Incident Response Planning Checklist for Midmarket IT Leaders
'Response planning is so critical.'
"Response planning is so critical," Kevin Mekler stated bluntly on stage at the MES Midsize Enterprise Summit Spring 2024.
Mekler is an attorney and partner at law firm Mullen Coughlin. The former contract lawyer now spends his time advising clients on preparing for and responding to security incidents.
Because of limited resources, mid-sized businesses will typically turn to third-party services to aid them in their incident and response strategies. However, Mekler stressed the importance of understanding what your organization's needs are when it comes to incident response planning (IRP) and to have clear insight into what is happening at all levels of IRP, even if outsourcing.
One of the main ways to build strong IRP is to know what IRP exactly consists of Mekler suggested.
Incident response planning "comprehensively addresses how an organization is going to handle a cybersecurity incident of varying levels, while providing flexibility to the incident response team to utilize discretion depending on the incident," he said.
In fact, IRP is increasingly built in as a requirement in many state and federal regulations.
Mekler's IRP Checklist For Midsize Organizations
- Think about the third-party breach. "You rely on a host of outside partners to support you, or to be part of your infrastructure and you have no control over what they are doing, except on the front ends."
- Cross department teamwork. It is important for technical IT staff and operations staff to work together on an incident response plan.
-"Don't just go find an incident response template and dust it off," he said. Create a plan that fits the unique needs of your organization. Mekler said every client he works with, even those in the same sectors, have differing IRPs.
- Work on developing a solid chain of command for reporting incidents and suspicious activity. "Most organizations that I work with fall down on event escalation ... people need to know what they are seeing, and they need to be able to tell somebody else [and not be afraid of] telling the right person."
- Keep good track of all your contracts. "How many contracts do you have with vendors? ... Do you have clients and customers? Who are your regulars? What ... do your contracts say? What is actually defined as an incident?"
- Know where your most sensitive data resides. " Maybe you've got a third- party cloud, that's great," Mekler said, but know where they are keeping your critical data.
- Know your regulations. "If you are regulated by the SEC, and HHS, FTC, SEC...and all the other alphabet soup ... some of those do actually preempt state law."
- Obtaining cyber insurance may be inevitable. "There is going to be insurance that is ‘part and parcel,'" of an IRP, he said.
- Include public relations in your IRP. When a breach does happen, PR is crucial. "There are going to be communications that need to go to internal staff, customers, ultimately individuals outside the organization, regulators, etc." Merkel said.