By Samantha Agather, Information Security Analyst – Intrinium
Understanding Incident Response, Planning and Cyber Insurance
Have you ever asked yourself if your Incident Response plan is enough? Or do you even have one? How about your cyber insurance? What benefit does it get you to have one or the other? What benefit is there to having both an Incident Response plan and cyber insurance?
There is a gray area between the digital world and the physical world when it comes to planning for a disaster: physical disasters can cause issues with the digital world and the data associated with it. The reverse is also true: digital disasters can cause issues with the physical world by causing power outages or even causing malfunctions in sensitive hospital equipment and exposing patients to fatal doses of radiation.
Having a single backup plan, or a single point of failure in your processes, is a recipe for catastrophic failure should a disaster occur.
Defining and Differentiating
An Incident Response plan is key in the event of any kind of emergency. It outlines a step-by-step response, including who to contact and what to do in the event of a disaster. An incident response plan is like the fire escape plan that your company is required to have to ensure the safety of your employees.
Cyber insurance is like the insurance you have on your business; it covers damages and liabilities, and certain items affect your premium. Cyber insurance may cover the cost of a security incident, but having only the insurance is not recommended. For example, if you didn’t have a fire escape plan but you had the insurance, people (and your data) have a higher likelihood of being hurt. Your insurance is not a substitute for process and logistics (like having a hard copy of who to call in case of an incident).
Incident Response is generally performed by a third party and (depending on the premium you pay) can be covered by your cyber insurance; these engagements cover network analysis, device analysis, forensics, and more depending on what has occurred. These are experts who will attempt to find the point of entry for the malware or find the source of the data leak and put a stop to it. They alone should not be considered cyber insurance, nor should they be your sole source of Incident Response planning; in the time between the initial problem and their arrival to assist, other devices could become infected and cause a much larger issue.
Comparing the Trifecta:
On their own, they cover entirely different categories of the same event: something has happened to put you, your customers, and your data at risk. Incident Response is the actual recovery during the incident, Incident Response Plans are how to handle the incident, and Cyber Insurance kicks in when Incident Responders have determined that there has been a security incident.
To compare an incident to a car accident or theft: your car (which also happens to have your friend’s/company’s laptop) is your data, the police are the Incident Responders, and your cyber insurance is your car insurance. And you may not have a written plan, but you know who to call and what to do – and your life is easier for all three of these pieces.
Incident Response tabletops are a great way to test your plan: a tabletop goes over a hypothetical situation that gradually escalates to the point of a worst-case scenario. It covers all aspects of an actual incident and gives you a sense of how prepared you are for a similar situation. It also checks your active knowledge of whether you have cyber insurance and what it covers, or at least asks the question to point you in the direction of finding the answer.
There are other proactive ways to test your Incident Response plans, but start with the tabletop. You may not like the answers you get, and that opens the door to contacting us. We can help you run these tabletop exercises, look at your plans and make suggestions, and suggest coverages that you would want in your cyber insurance to best protect your business. Tabletop exercises also help expose single points of failure (for example, one person knowing all the details but other stakeholders not being able to execute the plan).