Fraud

Building an Incident Response Plan: How Will You Respond to a Cyber Attack?

Kroll Global Fraud & Risk Report 2016/17

Kroll’s latest Global Fraud and Risk Report survey revealed that, while 85% of respondents said they had suffered a cyber attack in the last year, the adoption of internal cyber security policies and procedures to combat the risk is shockingly low. Only 36% of executives surveyed said their company has implemented internal policies and procedures and has plans to expand. An additional 38% have implemented such policies and procedures, but they have no plans to expand. 25% have not implemented internal policies and procedures at all.

Kroll-Building-an-Incident-Response-Plan.jpgPolicies and procedures are important because they are an organization’s articulation of what it expects from its employees. Having them in place means employees have somewhere to look for guidance on what they should (and should not) be doing. For example, what information can they share on social media? What should they do if they receive a phishing email or notice suspicious network activity?

Kroll’s findings are supported by a September 2016 report from Lloyds of London on cyber risk, which reported that 92% of European companies have been breached in the last five years, but only 42% were worried about it happening again. Earlier this year, the UK Government Cyber Security Breaches survey found that 69% of UK businesses say cyber security is a high priority, but far less consider it an actionable priority. Only 29% had written cyber security policies, and a mere 10% had an incident response plan (IRP).

IRPs are a crucial component of the fight against cyber crime. They are a company’s first port of call in the event of an attack. The good news is that building one that includes both internal and external players and their various roles does not have to be an arduous task.

Companies should consider building seven important steps into their IRPs:

1. Determine authority to call an incident 

Designate an individual who has the authority to declare an incident, invoke the IRP, and convene the response team.

2. Assign team responsibilities

Clearly outline all team roles in the plan so that if an incident occurs, it makes tough decisions easier to make. Choose external advisers in advance and include them in the plan. Having to build those important trust relationships for the first time during a crisis is not ideal.

3. Avoid assigning severity levels

It may initially seem helpful to describe categories of severity, but the risk of mislabeling an incident is too great. Companies are encouraged to consider each incident as a top priority.

4. Establish communication procedures and responsibilities

Determine who will deal with external and internal stakeholders and how the information will flow. For example, where will the team meet? In a breach situation, it is important to establish the timeline of the incident and know the scale of the breach before setting the communication plan in motion. Overestimating the scale of the damage could lead to unnecessary panic. Underestimating it might cause additional harm, for example if passwords are not changed before criminals gain access to accounts. In both cases, rushing to make inaccurate statements is likely to have severe repercussions.

5.Gather pertinent information in advance

Where possible, compiling critical information before an incident is very helpful. Basic details such as the contact numbers of all incident response team members are critical, as incidents often happen outside of business hours.

6. Outline the process

Teams naturally want to solve the problem when they find it. However, this “dwell” time can be hurtful to an organization and impede the process. We suggest that all the steps—from when the team is convened to the escalation point—are clearly outlined as a robust process. It is important for IT and security teams to know the process by heart.

7. Review and test the plan

We recommend quarterly reviews and updating as needed. These are good opportunities to update the contact numbers and pay attention to changes in technology or policies that might affect the IRP.

Having an IRP in which all critical stakeholders understand the lifecycle of an incident and have rehearsed it at all levels of the business, including the boardroom, goes a long way towards being prepared to mitigate the damage of an attack.


Learn more about fraud and risk statistics and trends -- as well as innovative risk management strategies and best practices -- in Kroll’s annual Global Fraud & Risk Report 2016/17.

Global Fraud & Risk Report

Businesses saw a significant rise in fraud and risk incidents during 2016. Although companies have taken significant strides toward building resiliency, more is needed. We have expanded the scope of this year’s Report—it’s now the annual Kroll Fraud & Risk Report, breaking out specific cyber and security threats to better reflect the growing challenges that our clients are facing around the world.

Learn More

Read the Press Release

Download the PDF