Incident Response Exercises: What They Are And How To Set Them Up For Your Business
Is your business ready to respond to a cyberattack or security breach? And are you sure that your employees know how to respond to and report an incident should one occur? If you’re not convinced that your teams know your Incident Response Plan (IRP), you need to take action right away. Under GDPR, businesses are legally obligated to report a cyberattack or data breach within 72 hours of discovering it. Beyond that, as a business owner, you’ll want to address any harmful breaches and get things back to normal as quickly as possible. An effective Incident Response Plan is the way to do this.
So once you’ve got your IRP in place, how can you make sure your team is prepared to implement it? By running an Incident Response Exercise. In this guide, we’ll talk you through what an Incident Response Exercise is, why these are beneficial and how you can set these up for your business. Read on to find out more.
What is an Incident Response Exercise?
Your Incident Response Plan (IRP) is your blueprint for dealing with a security breach. Every business needs to get an effective IRP in place as part of remaining GDPR compliant and ensuring that staff can recognise and respond to an incident, to help them recover the data and stop the problem developing any further.
So where do Incident Response Exercises come in? These are practical ways to test and validate your IRP, challenge your staff and highlight any flaws in your plan that need to be addressed. For example, you may notice that not all staff know who to report a security breach to, or that your plan doesn’t allow you to report the breach within the allotted 72 hours. They are also a good way to ensure all employees know their roles and responsibilities, as well as re-educating them on how to spot the signs of a hack or data breach through hands-on experience.
These exercises are an important part of staff training and can really help to keep your data secure and reduce the risk of a cyber attack. All those taking part will deal with a staged or past incident set out by a senior member of the team, and through hands-on activities, they must implement the Incident Response Plan and address the breach. This can be great for highlighting any gaps in your IRP, as well as checking that staff know what they’re doing.
As a general rule, the exercise aims to test your team and your IRP against the following questions, so it’s a good idea to keep these in mind when we cover how to set up an Incident Response Exercise in the next section:
- What should you do if you encounter a breach?
- Who do you report it to?
- How long do you have to report the problem and when should you report it?
- What are the roles of everyone in the team?
- What roles do the legal and IT teams play?
- What resources are available to you should you need them?
How can you set up an Incident Response Exercise in your business?
There are several ways you can approach these Incident Response Exercises depending on how big your team is and how far you want to go with it. Below we’ll look at the aspects that you need to take into consideration when setting up one of these exercises, as well as the types of scenarios you can choose for your team.
Deciding who needs to take part
Who takes part in these exercises will depend on the size of your business. For example, if you are a large organisation (of over 250 employees), it might be impossible to involve every single team member. In these instances, you might wish to invite only managers and senior staff and ask them to relay the information to their teams at a later date. Alternatively, you could run several training sessions until everyone has attended.
For those who run smaller businesses, you may be able to include everyone on your team, even if you have to run more than one exercise. It can be tricky getting everyone involved, but it really pays to ensure that your whole workforce is aware of your IRP and what they should do if they notice a breach or any suspicious behaviour. In the end, it is down to your discretion who is involved in the training exercise. Just be sure that the activities/scenarios you set out correspond with the number of people taking part.
Deciding which type of exercise to run
When planning an Incident Response Exercise there are different approaches you can take. You need to choose what is referred to as an ‘input’, which is essentially the task you’re going to set for your team to tackle. You can pick from any of the different types of inputs, which include:
- Scenarios: This requires setting up a fake situation that supports the objectives of the exercise, i.e. implementing the IRP. The situation you set up gives context to those participating, and you then see whether they are able to identify the causes of the fake breach and how they respond to it.
- Internal reports: These are reports containing information that indicates a security issue, and the team must identify what has happened. If you use real case studies from your business, you may need to get permission from third parties allowing you to include sensitive information.
- Media reports: Providing articles about well-known businesses that have been victims of cybercrime and the details of the case.
- Scripted injects: Not strictly an input in its own right, but in order to develop your given scenarios or case studies, you can have new information delivered mid-exercise to expand the discussion. This can make the exercise more realistic and encourages staff to adapt and think more critically.
- A contingency plan: This is a drier approach and simply provides staff with all the risk management documents outlining everyone’s role, the processes that are in place and what needs to be done to address a security breach. You’ll go over these during the exercise.
Making sure you’ve got everything prepared
The final part of setting up your Incident Response Exercises is ensuring you’ve got all the materials (also referred to as outputs) that you need to conduct the tasks. These could be agendas, handouts, media or internal reports, notes, plans or anything else that your team are going to need in order to complete the exercise as effectively as possible.