Skip to main content

5 Steps to Help Get Cyber Incident Response Right for Your Business

In the span of a few weeks in early 2020 the workplace world was turned on its head when millions of workers indefinitely shifted to a work-from-home environment resulting from the Covid-19 pandemic. 2020 was a significant year of change, which also included a significant increase in cyberattacks globally, including:

  • A 46% increase in suspicious Internet of Things (IoT) incidents in households in the first half of 2020.[1]
  • 60% of all Covid-19-themed received emails being deemed fraudulent in May and June 2020 alone.[2]
  • Global ransomware reports up more than 715% from 2019 to 2020[3] and payments up 60% since 2019.[4]

As a result, many organizations in 2020 adapted to new businesses processes and took a hard look at how they leveraged technology to continue business operations. The pivot in working arrangements has driven significant technological innovations, with 69% of corporate boards accelerating their digital initiatives in the wake of the Covid-19 disruption.[5]

As with any change in the business model, the new and heightened elements of cyber risk introduced during the pandemic must also be considered. It is vital that the C-suite, information security, information technology and other elements of the organization work together to review any incident response (IR) plan currently in place and ensure it is updated to reflect the pandemic-driven new world order.

The IR plan is a set of written instructions that outline the organization’s response to network events, security incidents and confirmed data breaches. Having an established IR strategy that encompasses people, processes and technology can mean the difference between successfully managing a crisis or losing the fight to ever-sophisticated threat actors.

Consider these five key steps to help optimize IR plan preparation and position the organization’s incident response readiness:


Establish an Incident Response Plan

In 2020 nearly nine of 10 (88%) companies reported having only “basic or initial” incident response capabilities[6] despite the continued rise in volume and scale of cyberattacks. This indicates insufficient planning and reflects the tendency some organizations have to follow informal, ad hoc processes and respond in a reactive, rather than a proactive, manner. Use this as a simple starting point: If your business doesn’t have an IR plan, consider key risks and develop one. A well-documented, standardized and repeatable incident response plan, outlining key roles and responsibilities, should be in place to enact when needed.


People, Process, Technology

An effective IR process should consider elements across the business and how they are either impacted or can be leveraged by the IR process. This includes people, processes and technology. Consider teams, capacity and expertise within your business: How are your people impacted and how can they help. Tooling can be critical for detection, prevention and response. Consider which tool is applicable for which use case and is it prepared to do the job. Processes and communication are an overarching theme. As with the other elements, making them consistent, repeatable and clear is key. Robust processes and methodologies can help organizations deal with incidents faster, more effectively and in a consistent manner.


Understand Your Risks

An IR plan should align to the organization’s wider security governance processes that support, define and direct security efforts. An important aspect of security governance is risk management -- identifying the key risk factors and scenarios of your business and then evaluating the strength of controls to protect against them. This can help businesses better understand the level of cyber risk and prioritization of mitigative and response measures.


Understand the Response Stages

Having a clear understanding of IR processes – who does what, when, how and why – is critical to obtain the efficient delivery and enablement of an IR plan. There are frameworks that provide guidance on the IR processes, such as NIST or SANS, as well as additional activities to help, including the development of incident categorization models and even technical playbooks. When an incident occurs, a structured incident response workflow will help drive a consistent and repeatable approach to incident management, and through regular improvement activities can enable a reduction in response time to resolve critical scenarios. IR plans, workflows and playbooks are a game-changer for incident response and are applicable across the entire security function.


Test, Review and Update

Any IR plan should be regularly assessed to consider how applicable it is to the current state of your business. A good way to evaluate that is to test, review and update prior to any potential crisis using cyber threat simulation exercises with relevant stakeholders, which can be delivered at regular intervals to assess the efficacy of your plan.


Incident Response Readiness is not Solely an IT Focus

An established cybersecurity incident response capability should be considered in the same way risk is: Constantly evolving and changing with your business. This requires collaboration across business functions, with careful planning and ongoing review. A mature IR process not only helps businesses respond when needed but can mean the difference between a major business impact -- or business as usual -- should a cyber event occur.



[3] Page 14

[4] Coveware Ransomware Marketplace Report, August 3, 2020


[6] 2020, CyQu, Aon’s Cyber Solutions

This document has been provided as an informational resource for Aon clients and business partners. It is intended to provide general guidance on potential exposures and is not intended to provide medical advice or address medical concerns or specific risk circumstances. Due to the dynamic nature of infectious diseases, Aon cannot be held liable for the guidance provided. We strongly encourage visitors to seek additional safety, medical and epidemiologic information from credible sources such as the Centers for Disease Control and Prevention and World Health Organization. As regards insurance coverage questions, whether coverage applies, or a policy will respond, to any risk or circumstance is subject to the specific terms and conditions of the policies and contracts at issue and underwriter determination.

While care has been taken in the production of this document and the information contained within it has been obtained from sources that Aon believes to be reliable, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the report or any part of it and can accept no liability for any loss incurred in anyway by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication.

All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.