Creating an incident response plan

Create an incident response plan

We’ve outlined some simple steps to help you evaluate how an incident could affect your business and what you’ll need to consider when putting an incident response plan in place.

What it is

An incident response plan is a step-by-step guide that documents who will do what if a cyber security incident occurs.

Having a plan in place before an incident occurs will help you take control of the situation, navigate your way through and reduce the impact on your business.

How it works

Your plan will depend on the size, scale and operation of your business, but there are some standard elements to consider that will help in recovery.

How you want to document or format your plan is up to you. What’s most important is that:

  • it’s written down in hard copy and everyone knows where it is
  • it’s easy to access
  • it’s short and clear enough to read quickly and easily
  • staff are familiar with it before they need to use it.

It’s likely that people who need to use the plan will be under pressure, so it’s important that the language is clear and simple and the steps are easy to follow.

Creating an incident response plan

Take some time to go through a cyber security risk assessment for your business. This process will help you identify the specific risks that may apply to your business, and what to put in place to reduce the chance of an event occurring.

Online security risk assessments for your business

1. Identifying and reporting incidents

Outline a process to help your staff identify and report suspicious or unusual activity that might indicate a cyber security incident has occurred.

It should clearly state:

  • what you want staff members to do if they suspect an incident has occurred, and who they should report it to
  • what to do if a staff member receives a report from a customer about something unusual on your website or with a software product
  • how customers should let you know if they notice something unusual on your website – for example, you could provide a contact email address.

Example process

You run an online retail store and one of your employees notices suspicious activity on the website – unusual images displaying or a problem with the payment portal. The reporting process might be:

  1. Employee reports issue to the manager.
  2. Manager contacts technical support.
  3. Manager reports the incident to CERT NZ.

Security incidents might not be obvious right away, so make sure you and your staff know what to look for, and have systems in place that check for unusual activity.

Set up logs and monitoring for your website

2. Determining the scale and response required

Different types of incidents will need different responses. Outline the process you’ll follow to identify the scale of the incident and its potential impact.

Being able to identify this early on will help you establish:

  • the level of response you will need
  • the size of the team you’ll need, and
  • what external help you may need to call in.

For example, if a staff member clicks on a link in an email that downloads malware onto their computer, you’ll need IT help to remove it from that computer, and confirm it’s been removed and hasn’t spread to other computers in your business.

Consider making one response plan for a small incident and one for a larger incident – that way, whoever’s in charge at the time of the incident can reach for the right plan. You can always scale the plan up or down as you learn more about the incident, but this section outlines which plan will be your starting point.

3. Establishing roles and responsibilities

Knowing who does what in an incident will save time, avoid confusion, and provide staff with a clear idea of what they need to do.

In this step of your plan, you’ll need to assign people to:

  • Coordinate the response: This role leads the incident and takes responsibility for the decision making. The response might require a lot of coordinating and decision making – the person leading the response can be anyone, but should not be the hands-on technical person, particularly for a larger incident.
  • Investigate the incident: This role has the technical expertise to investigate the issue, contain it and take measures to prevent it happening again. If it’s a very complex issue, several people might need to investigate.
  • Communicate to staff: This role is responsible for keeping people up to date as the incident progresses. They’ll need to organise regular progress updates to make sure everyone knows what’s happening and what the next steps are. Scheduled progress updates will help everyone stay focused. Key information should still be shared outside of those times.
  • Communicate to stakeholders: This role manages the external communications process – preparing messages to affected customers and shareholders, and possibly a media response. In a larger incident, you may want to call in help from an external communications specialist.
  • Manage business as usual: Your business will still need to operate, even if your IT systems are unavailable, or under the control of an attacker. This role makes sure the correct processes are followed that will keep the business functioning as much as possible, and will lessen the impact of the incident.

In a small incident many of these responsibilities may be done internally by your IT person and a business manager. In a larger incident, you may need to use external help to cover the same responsibilities. It’s important to identify who you can call on to fill these roles ahead of time.

Choosing an IT service provider

Make sure staff know what their role and responsibilities are, so they're prepared and know what to do if an issue occurs.

4. Maintaining business as usual

Develop alternative business processes staff can follow if your IT systems are unavailable or compromised. This means your business can continue to operate, even in a limited capacity, while you get the incident under control.

For example, if you run a construction company and can’t access your emails, you might not be able to process invoices, confirm orders and communicate with some customers. Your operational processes will be limited and some services, orders and payments will be delayed, which may impact some customers and suppliers. While you deal with the incident, you might want someone else making sure the construction crew are organised and have what they need to continue with their work.

Identify these key business processes as part of, or alongside, a business continuity plan.

5. Creating a contact list

Create a contact list of internal and external people who can help you in response and recovery. Go back over your plan and make sure the details of all the people and services mentioned are included on your contact list.

Your contact list would likely include your:

  • IT service provider
  • banking services
  • website host
  • lawyer.

If your plan involves external support, chat with them while you are developing the plan about the level of support they can provide and what the timeframes will be. You might have vendors to consider as well as your general IT support.

6. Communicating the incident

Once the incident and its scale have been identified, you’ll need to communicate this to staff and any affected parties.

Let staff know:

  • where they will get incident information from
  • what they can or can’t say publicly during an incident
  • where they should point customers or the public to so they can report their questions and concerns as quickly as possible.

It’s important to have clear and consistent messaging to make sure all staff are on the same page. If you have a large team, consider a staff briefing.

If the incident takes more than a day to resolve, keep everyone updated. Many people in debrief meetings mention wanting more updates.

7. Managing the response

Create a list of what you’ll need as you handle the incident and any details on how to make sure those things are readily available.

Your list might include:

  • resources you’ll need
  • a method to quickly approve any expenditure
  • after-hours access for staff and external support
  • a quiet place to work, particularly for sensitive issues.

If you've had a security incident

Report any cyber security issues you have to CERT NZ, even if you have things under control. They’re a great second pair of ears, they can confirm you’re on the right track and point out any other tips to prevent it happening again. There might be other businesses with the same issue – CERT NZ can identify this and alert others before they get hit by the issue too.


8. Keeping an incident record

Prepare an incident record document. This could simply be a table where times, actions and decisions are recorded. You may want to assign the incident record keeping to someone in the incident response team.

Having a record will be useful for lessons learned, any insurance claims and/or external investigations. Plus, it’s usually easier doing it at the time than trying to remember and record it later.

9. Debriefing once the incident is resolved

Make sure you include a debrief meeting in your plan. After an incident has been resolved, meet with the key people involved to discuss what happened, what went well, and what could be improved.

Use your debrief findings to update your incident response plan with any lessons learned. You may also want to make changes to your day-to-day systems and processes.

10. Practice makes perfect

To get the most out of your incident response plan, set some time aside to talk your staff through the plan and get them on board so everyone knows what to do if an incident occurs.

It’s also a good idea to run through a practice scenario every 6 months to make sure you’ve recorded any updates to your contact list, roles or policies.

Get help

If you’ve experienced an online security issue, your first step is to contact the service provider.

You can also report an online issue or security incident to us at CERT NZ.
