What is an incident response plan?
Responding to a cybersecurity incident is often a very stressful time for any organization. Having a standardized set of processes specific to incident response will help to reduce the stress across the organization. Does your company know what to do in the event of a cybersecurity incident? An incident response plan (IR plan) is a predetermined plan that an organization creates as a framework for what will happen before, during and after a cybersecurity incident. These plans detail what needs to happen, when it needs to happen, and who will be responsible for what actions. Whether or not an organization has actually experienced a cybersecurity incident in the past, an IR plan is necessary to limit potential damage and address risk for the future.
Unfortunately, many organizations, including small and medium-sized businesses, haven’t taken the time to develop an IR plan, despite the fact that it is a crucial component of overall cybersecurity. According to The State of SMB Cybersecurity in 2024 survey, conducted by Vanson Bourne and commissioned by ConnectWise, less than half of SMBs currently participate in incident response planning.
To combat this lack of preparedness, many best-in-class cybersecurity frameworks, including the NIST Cybersecurity Framework (CSF) and the MSP+ CSF, require an IR plan as part of good cybersecurity hygiene. As with any plan or program, you first need to start with a policy that outlines the purpose, objectives and scope. You should break down every relevant team member’s role and responsibilities, establish severity ratings, and define the requirements for performance measurement, reporting and contact forms. The plan itself should include the strategies and goals, the organization’s approach, metrics for measuring effectiveness, and the communication plan for disclosing incident information both to internal entities and to external incident response service partners. Furthermore, organizations should routinely walk through the IR plan with their employees to ensure that they are ready when an actual cybersecurity event occurs. Preparing workforce personnel should include:
- Testing the incident response capability at an interval established by the organization, and at least annually
- Assigning certain internal or outsourced personnel to be available 24/7
- Frequently training staff who are responsible for incident response activities
- Implementing an internal review process to update the incident response plan to address any recent industry or organizational changes
It’s impossible to come up with an effective cybersecurity response on the fly, which is why every organization, regardless of industry, should have a carefully designed, tried-and-tested IR plan.
The MSP role in incident response planning
Cybersecurity training
In order to have the security conversation with clients, MSPs must first verify that their own house is protected and that they are practicing what they preach. This means having an IR plan in place and making sure that all employees understand what it entails.
There are many free online resources, such as the ConnectWise IT Nation Secure MSP+ playbooks, that can be used to get everyone on the same page regarding incident response, from engineers to sales teams. As noted above, one of the most effective methods an MSP can use to identify potential problem areas in an IR plan is to conduct regular tests that mimic how they would respond during a real cybersecurity event.
Risk assessments
In keeping with the concept of walking the walk before talking the talk, MSPs should run a risk assessment on their own networks and systems to identify any security weaknesses that should be addressed immediately. After all, if proactive measures are taken to shore up cyber defenses before any vulnerabilities are exploited, the MSP’s response plan should not need to be used frequently.
Once an MSP is ready to begin offering cybersecurity services to clients, it’s a good idea to start an interested customer off by carrying out a strategic risk assessment of the customer’s own environment. This will help uncover potential cybersecurity risks such as:
- Network vulnerabilities
- Poor device management
- Data compliance problems
- Internal threats
- And more
An effective risk assessment should also include remediation recommendations that help the client understand what they need to do in order to fix problem areas and get their cybersecurity program back on track.
Security operations center (SOC)
As mentioned previously, cybersecurity is a 24/7 effort, and most MSPs do not have the resources available to watch everything going on within the organization. An expertly staffed SOC can offer round-the-clock protection to ensure that cyber threats are identified and handled as quickly as possible. In fact, our research found that building an internal SOC team costs an average of $2.3 million.
That’s why many MSPs have started using an outsourced 24/7 global SOC to get all the benefits of a full-time SOC at a much more affordable price. Just like an in-house SOC, these teams provide immediate response and remediation, and their services and capabilities can help cover potential gaps when formulating an IR plan.