Incident Response: A Guide to Planning, Steps and Roles

In an always-on, digital-first economy, organizations can ill afford the fallout from a cyberattack. Those that rely on ad hoc processes to respond to digital threats are left with slow, ineffective remediation. It’s estimated that a ransomware attack takes place every 11 seconds. Coupled with the average cost of a data breach reaching an all-time high of $4.24 million in 2021, the stakes have never been higher since even a minor security slip up has a major ripple effect across your organization and your customers. Therefore, it’s critical you prepare in advance for the inevitable.

This article sheds light on the incident response process to optimize your business continuity plan.

What is incident response?

Incident response (IR) is the methodology used to detect, contain and recover from an incident such as a cyberattack. It minimizes the direct and indirect costs like downtime, recovery costs and brand reputation.

Who handles incident response?

A computer incident response team (CIRT), aka cyber incident response team, manages the IR process. Gartner defines the CIRT as follows:

“The CIRT is responsible for responding to security breaches, viruses and other potentially catastrophic incidents in enterprises that face significant security risks. In addition to technical specialists capable of dealing with specific threats, it should include experts who can guide enterprise executives on appropriate communication in the wake of such incidents. The CIRT normally operates in conjunction with other enterprise groups, such as site security, public relations and disaster recovery teams.”

What is the purpose of incident response?

Lately, IR has taken center stage as cyberattacks increase in scale and frequency. Its popularity lies in the benefits offered:

  • Repairing cyber vulnerabilities efficiently

  • Restoring operations in a timely fashion to ensure business continuity

  • Minimizing financial and reputational losses

  • Improving security posture to avoid future attacks

What is incident response planning?

An incident response plan (IRP) is a set of instructions to help detect, respond and recover from cyberattacks, including, but not limited to, ransomware, business email compromise and data loss. There is instruction for each stage of the attack, which ensures businesses have the manpower and the structure to respond quickly to any threat.

The need for an incident response plan

Organizations of all sizes need to have a solid incident response plan in place. Here’s why:

Rapid response

Organizations acknowledge the importance of the incident response process. However, many lack a decent incident response plan. It takes an average of 197 days (and sometimes up to a year) for organizations to identify a breach, which leads to long periods of downtime. An IRP enables responders to take the necessary steps to counter an attack in the least amount of time.

Data protection by default

Backup files, privileged access and critical data in the wrong hands harm your business. An IRP leverages logs and security alerts to detect malicious activity and access management to avoid internal and external threats.

Reinforces reputation and revenue

The IDC found that 78% of consumers would take their business elsewhere if directly affected by a data breach. In other words, a breach affects consumer confidence and sales. An IRP demonstrates a brand’s commitment to security and privacy, making you a trustworthy brand.

What should an incident response plan include?

An incident that activates an IR plan also initiates the business continuity plan (BCP) for continuous business operations. Both incident handlers and BCP team leaders need timely and accurate information to take proper steps against an unanticipated event.

The following elements of incident management systems help in offering effective business continuity:

  • Plan statement: Gives directions on how personnel should respond to an attack.
  • Purpose: Outlines the scope of the plan by listing which systems or data are subject to the plan.
  • Definitions: Explains terms used in the incident response plan.
  • Incident response team: Lists names and contact details along with roles and responsibilities.
  • Plans of action and milestones: Minimize or mitigate risks and communicate your actions with other stakeholders.

The incident response team

The IR team is the first point of contact when a cyber incident occurs. The team is responsible for managing the incident and setting clear communication with internal and external stakeholders. The team should contain personnel from management, IT, legal, HR and public relations.

Incident Response Manager: Supervises and prioritizes actions during detection, containment and recovery from an incident.

CIRT Team: Offers specialized technical skills to provide the right advice and threat analysis.

Security Analysts: Supports and works directly with affected resources, implementing and maintaining technical and operational controls.

Threat Researchers: Provides threat intelligence and context around security incidents. They may use third-party tools to identify current and future threats.

Management: Brings top-level management buy-in, which is necessary for the provision of resources for incident response planning and execution.

Human Resources: HR is involved when it is a case of malicious insiders or employee error.

Audit and Risk Management Specialists: Develops threat metrics and vulnerability assessments while encouraging best practices across the organization.

Legal: Ensures any evidence collected maintains its forensic value if the company chooses to take legal action.

Public Relations: Enables communication with internal and external stakeholders.

What is the role of the incident response team?

The core responsibility of the IR team is:

  • Create and maintain an IR plan
  • Analyze the security incident
  • Manage internal communications and alerts whenever an incident occurs
  • Offer easy communication with stakeholders and the press whenever needed
  • Mitigate security incident
  • Create a summary report to document the incident and actions taken
  • Provide recommendations for improving the efficacy of the IR team

The incident response process: 6 steps to create an incident response plan

Improve your incident response with Unitrends

Unitrends provides a range of backup and disaster recovery (BCDR) solutions that allow businesses to detect, prevent and mitigate security threats.

Backup & Disaster Recovery

Unitrends offers protection for more than 250 versions of operating systems, hypervisors and applications. Whether your infrastructure is physical machines or virtual servers, you can protect your digital assets with Unitrends locally and also replicate copies of data to alternate media (disk, tape, cloud) for secondary and tertiary copies.

Disaster Recovery Testing

Unitrends Recovery Assurance helps automate testing for your DR runbook by spinning up backups in an isolated lab environment and testing against services and applications. Server performance and compliance tracking (RTO, RPO actuals) are reported to provide full visibility into what recovery looks like.

Disaster Recovery as a Service

In the event your data center goes down or you’re unable to reach it, failover invisibly into the Unitrends Cloud with Disaster Recovery as a Service (DRaaS). The Unitrends team does all the heavy lifting, which includes implementation, onboarding, failover and recovery of service, and failback to your local data center once operations are ready to be resumed.

Learn more about how Unitrends can help you with your data security needs. 


Discover how Unitrends can help protect your organization's sensitive data