What Should a Cyber Incident Playbook Include?

Alastair Horner

Do You Really Need A Cyber Incident Playbook?

As part of business continuity planning, most organisations have a disaster recovery plan in place in case of a fire, flood or other business-impacting incident, so why should planning for a cyber security incident be any different? Building a strong Cyber Incident Playbook is vital, and it works in tandem with other procedures should issues arise.

Recently Norsk Hydro found out from bitter experience just how much it would cost to get their business back to full strength after a cyber attack – an eye-watering £45m!

What Does A Cyber Incident Playbook Do?

A Cyber Security Playbook provides members of your organisation with a clear understanding of their roles and responsibilities relating to cyber security before, during and after an incident.

In the event of such an incident, steps need to be defined in advance for the key actions. These include:

  • Communication – Managing media and internal relations
  • Detection of incident – Who needs to be notified, what analysis and further investigation is needed
  • Response – Containment and remediation followed by restoration

What’s The Best Approach?

There is never going to be one approach to a Security Playbook that fits every organisation. So before defining the strategy that is right for you, it is vital to have a clear understanding of which data is most important to protect.


A step-by-step guide of key actions needed is the next stage in the process of creating a strong cyber incident playbook.

In terms of what should actually be reviewed and included in a cyber security playbook, some key areas are listed below:

  • What type of incident is it?
  • How will you detect the incident?
  • What would the potential impact of the attack be?
  • Plans for dealing with the attack and the strategy for recovery
  • Who needs to be involved internally and externally?
  • Regulatory and statutory notifications that are required, with their necessary time frames
  • What is the process for the incident to be managed, are there requirements for specialists to aid internal teams?
  • Is third party support required?
  • What lines of communications are needed?
  • Review of any current business continuity plans and recovery strategies
  • Identify actions that can be taken to support affected parties
  • Priorities and objectives for the type of incident
  • Employee training for such an event
  • Drills and practice exercises so everyone is aware of their role
  • Evaluation of whether your response plan is successful

Every organisation is different, so the content of your own cyber incident playbook may vary depending on your individual needs. Cyber security incidents themselves are always going to be difficult to manage, especially at the start. If you suffer property theft or a fire, the consequences of the incident are obvious, whereas with a cyber breach there is often nothing immediately tangible, so it can take time to identify the true impact. The more you plan and train your staff, the better your response will be when these situations arise, and the more successful your business continuity.

If you want to understand more about a Cyber Incident Playbook, activereach security professionals can help: contact us, call us on 0845 625 9025 or download our eBook, How to Build a DDoS Response Playbook with DDoS Testing.