
Searches for insurance cover reach their highest levels just after a major storm or natural disaster. That’s just how our brains work. We are never more focussed on risk than after we’ve just experienced a negative event. 


But when a negative event occurs for a business it can be a great comfort to have a ‘response playbook’ in a drawer or saved in a secure location to pull out and start applying. 


The ‘playbook’ approach is used in fields as varied as natural disaster response, critical surgery and the armed forces. For your business, a playbook that responds to a cyber security incident can reduce stress, get the business back on its feet faster and preserve trust and relationships with suppliers, partners and customers. 


In the rest of this article we’ll go through some of the building blocks of having an effective cyber security response playbook.


What is an incident response playbook? 

Trigger Event A leads to Action A. At its simplest, that’s all an incident response playbook is. It lays out in detail the response required when a certain event occurs. You’re likely already very familiar with versions of this structured response if you’ve been involved in an emergency evacuation or a practice run for one. 


The principle is based on the fact that the correct actions are most likely to be identified before an event occurs, as a result of planning and consulting experts, rather than after an event occurs.


What are the steps in creating an incident response playbook?

There are some key ideas to understand when it comes to building an effective incident response playbook.


  1. Identify the events - The first task is to identify the trigger event or events that will activate your playbook. For cyber security these could include a malware attack or the loss of business-critical data.
  2. Identify your legal obligations - Some businesses have legal requirements imposed on them by regulators and governments in the event of data breaches or hacks. Check all relevant state and federal laws to see which of these apply to you, including any notification deadlines they impose, and incorporate them in the next steps. You may also have contractual obligations to service providers to notify them of particular cyber security incidents.
  3. Identify your options - This is akin to a ‘brainstorming’ step. Your job here is to identify all of the possible options you could choose in response to the trigger event or events from step one. This may include actions you think are unlikely to be chosen, but this step is all about collating every possible mitigating action in one place for discussion and feedback.
  4. Segment your actions - This step takes the options from step three and narrows them down to the most important. This process requires you to balance the resources you have against the actions you want to take. There will be some actions that are absolutely non-negotiable and others that are ‘nice to have’ but may not be cost or time effective. Tag the most important actions as ‘critical actions’ or ‘non-negotiable responses’ to highlight their importance. Note all the remaining options as ‘optional actions’ or ‘secondary actions’ that can be used if needed.
  5. End state - This is the end point of your incident response playbook and signifies that all critical actions have been taken and follow-up actions completed. A checklist and a monitoring and maintenance plan are both useful elements to include to document this step.
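As an added example (not code from this article or from CyberUnlocked), the five steps above expressed as a small playbook-as-code structure in Python: a trigger event selects a playbook, each action is tagged critical or secondary with an owning role and an optional deadline, the end state is reached only when every critical action is done, and an unknown trigger or a playbook past its review date is flagged rather than silently accepted. All trigger names, actions, owners, deadlines and the 180-day review interval are illustrative assumptions; the real ones come from steps 1 to 5 and from the laws and contracts that apply to your business.

```python
"""Playbook-as-code, added example (not the article's code): trigger -> tagged actions -> gated end state.
Every trigger, action, owner and deadline here is an illustrative assumption; replace with the output of steps 1-5."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class Priority(Enum):
    CRITICAL = "critical"    # a 'non-negotiable response' from step 4
    SECONDARY = "secondary"  # an 'optional action', used if resources allow

@dataclass(frozen=True)
class Action:
    name: str
    priority: Priority
    owner: str                            # a role, not a person: survives staff turnover
    deadline: Optional[timedelta] = None  # measured from when the incident is opened

@dataclass(frozen=True)
class Playbook:
    trigger: str
    actions: tuple                        # critical actions listed first, in order
    reviewed_on: datetime
    review_interval: timedelta = timedelta(days=180)  # assumed review cadence

    def critical(self):
        return [a for a in self.actions if a.priority is Priority.CRITICAL]

    def is_stale(self, now: datetime) -> bool:
        return now - self.reviewed_on > self.review_interval

@dataclass
class Incident:
    trigger: str
    opened_at: datetime
    done: set = field(default_factory=set)  # names of completed actions

_REVIEWED = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed playbooks for two trigger events; the deadlines are placeholders, not legal advice.
PLAYBOOKS = {
    "ransomware": Playbook("ransomware", (
        Action("Isolate affected hosts from the network", Priority.CRITICAL, "IT lead", timedelta(hours=1)),
        Action("Preserve logs and disk images before rebuilding", Priority.CRITICAL, "IT lead", timedelta(hours=4)),
        Action("Notify cyber insurer under the policy terms", Priority.CRITICAL, "Finance", timedelta(hours=24)),
        Action("Engage external incident response retainer", Priority.SECONDARY, "Management"),
    ), _REVIEWED),
    "data breach": Playbook("data breach", (
        Action("Revoke exposed credentials and API keys", Priority.CRITICAL, "IT lead", timedelta(hours=2)),
        Action("Assess whether the breach is notifiable under applicable law", Priority.CRITICAL, "Legal", timedelta(days=30)),
        Action("Notify service providers the contracts require", Priority.CRITICAL, "Management", timedelta(hours=72)),
        Action("Prepare customer communications", Priority.SECONDARY, "Comms"),
    ), _REVIEWED),
}

def open_incident(trigger: str, now: datetime, playbooks=PLAYBOOKS):
    """Step 1 in action: the trigger selects a playbook. Unknown triggers fail loudly,
    and a playbook past its review interval is flagged instead of being trusted silently."""
    pb = playbooks.get(trigger)
    if pb is None:
        raise KeyError(f"no playbook for trigger {trigger!r}; escalate to the generic incident process")
    warnings = [f"playbook last reviewed {pb.reviewed_on:%Y-%m-%d}; review overdue"] if pb.is_stale(now) else []
    return Incident(trigger, now), pb.critical(), warnings

def overdue_actions(incident: Incident, now: datetime, playbooks=PLAYBOOKS):
    """Critical actions whose deadline has passed without being marked done."""
    elapsed = now - incident.opened_at
    return [a.name for a in playbooks[incident.trigger].critical()
            if a.deadline is not None and elapsed > a.deadline and a.name not in incident.done]

def end_state_reached(incident: Incident, playbooks=PLAYBOOKS) -> bool:
    """Step 5: closure requires every critical action; secondary actions never block it."""
    return all(a.name in incident.done for a in playbooks[incident.trigger].critical())

def demo() -> dict:
    """Walk one constructed data-breach incident through the playbook and return the checkpoints."""
    opened = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    inc, todo, warnings = open_incident("data breach", opened)
    out = {"critical": [a.name for a in todo], "warnings": warnings,
           "end_state_at_open": end_state_reached(inc)}
    inc.done.add("Revoke exposed credentials and API keys")
    out["overdue_3h"] = overdue_actions(inc, opened + timedelta(hours=3))
    out["overdue_73h"] = overdue_actions(inc, opened + timedelta(hours=73))
    inc.done.update(a.name for a in todo)  # the secondary action stays open
    out["end_state_after_critical"] = end_state_reached(inc)
    out["stale_warning"] = open_incident("ransomware", datetime(2025, 1, 1, tzinfo=timezone.utc))[2]
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over from the article: owners are roles rather than named people, so the playbook does not break when staff leave (the tailoring point made later in the piece), and closure is gated on critical actions only, so a ‘nice to have’ action left open cannot block the end state.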


What makes a good security response playbook?

A good cyber response playbook is about two things: high quality advance planning and tailoring.


An average cyber response playbook is put together as a ‘check the box’ exercise and ends up generic.


In contrast, a high-quality cyber response playbook is carefully planned and collated. It involves input from all key decision makers in the business including those with responsibility for the data and business functions that might be affected by a cyber security incident. It also might utilise input from industry experts or others with experience in cyber security matters to inform the content.


Tailoring is also critical. Each industry and business has specific requirements. Tailoring also means reviewing the playbook at regular intervals and keeping key contacts current, including when key staff leave or when key external service providers change.


What are some common incident response playbooks?

A cyber security incident response playbook is an ‘umbrella’ term that can include a range of events. The best quality playbooks contain tailored response plans for the different cyber security events most likely to affect Australian businesses. These include incident response playbooks for:

  • ransomware and malware attacks
  • data breaches (accidental and malicious)
  • phishing
  • unauthorised access (due to external intrusions and also internal misuse or fraud)


Does my business need a cyber incident response playbook?

Like any emergency plan, an incident response playbook is something that is put in place in the hope it never has to be used. But it’s a simple fact that cyber security is becoming an increasingly common concern for Australian businesses of all sizes and their customers.


Having an incident response playbook in place ensures that if and when a cyber security event happens, its impact on your business, and on the stress and wellbeing of everyone who works in it, is minimised as far as possible by having a clear, structured plan that was prepared well in advance. As cyber security experts, CyberUnlocked can provide you with business-specific advice on setting up an effective, high quality incident response playbook.

