Building a Strong Incident Response Readiness Plan
By Harish Kumar GS, Head of Sales, India and SAARC, Check Point Software Technologies
In today’s digital landscape, threats are no longer just hypothetical—they’re real, pervasive, and growing. Businesses are facing a relentless wave of cyberattacks, from ransom demands and data destruction to intellectual property theft and extortion, all of which carry severe consequences. Waiting until a breach occurs can be devastating; instead, proactive steps like strengthening defenses, securing critical assets, implementing monitoring systems, and collaborating with trusted authorities are essential to prevent becoming the next target. Much like safeguarding a home, businesses must prioritize their security to protect what matters most.
Cybercriminals’ actions have a significant financial impact, often costing organizations millions of dollars, and the damage is growing. For example, the global average cost of a data breach in 2024 was about USD 4.88 million, a 10% increase year over year {IBM Breach Report 2024}. Check Point’s latest Threat Intelligence Report shows that organizations in India faced an average of 3,244 cyberattacks per week over the past six months, well above the global average of 1,657 attacks per organization. A separate report puts the average cost of a data breach in India at a record Rs 19.5 crore (USD 2.35 million) in the first half of 2024, a 9% increase over the previous year and a 39% rise since 2020.
Although some cyber incidents may be unavoidable (e.g. attacks exploiting zero-day vulnerabilities), others are predictable and can be avoided, or their impact significantly reduced, with proper measures. These measures are collectively referred to as Incident Response (IR) Readiness.
IR Readiness is a set of periodic processes, procedures, and technologies that help an organization’s personnel think proactively and systematically about likely security incidents, prepare to detect and respond to them at the earliest stage, and minimize the damage and cost of confirmed incidents. Good IR readiness prepares the organization to respond to incidents while also raising its overall security posture and maturity.
IR Readiness Journey
Cyber threats and incidents are here to stay, and criminals are ever evolving with complex tactics and techniques, so every organization must prepare to respond to those threats. This preparation can be accomplished through an IR Readiness Journey. Although steps can differ depending on each organization’s level of maturity, the section below gives a blueprint for that journey.
The overview of the IR Readiness Journey in the rest of this article is a guideline from the Check Point Incident Response Team, informed by its extensive experience both in responding to active incidents and in helping organizations prepare to respond, and by best practices published by the wider cyber security industry and expert-led organizations such as the National Institute of Standards and Technology (NIST) and CISA.
The Check Point Incident Response Team recommends that these IR Readiness steps be completed sequentially and revisited periodically to account for changes in the organization, the cyber threat landscape, and new cyber defense knowledge and practices.
1- Asset Tracking/Management:
Simply put, you can’t protect what you don’t know you own, a fundamental truth recognized by most cyber security professionals. However, many organizations still remain unaware of their critical assets, keep supposedly decommissioned assets that still have access to their environments, and expose internal resources to the public internet. This is further complicated by company policies, such as poorly executed Bring Your Own Device (BYOD) policies, that grant outside devices access to company resources without ever accounting for them.
Asset tracking can be implemented using both free and paid systems, supported by internal policies, proper training, and company-wide commitment.
For any organization looking to identify where to start or to evaluate gaps in its current asset management practices, resources such as the NIST SP 1800-5 practice guide on IT Asset Management provide an excellent starting point.
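The two failure modes described above (devices on the network that nobody has inventoried, and "retired" assets that are still online) are found by reconciling the authoritative inventory against what the network actually observes. The following is an added example of that reconciliation, not Check Point's tooling or part of the original article; the inventory, the observation records (the kind of data DHCP leases, NAC logs or a network scan would yield) and the seven-day "silent" threshold are all constructed assumptions.

```python
"""Asset reconciliation: compare the inventory (what we think we own) with
network observations (what is actually online) and report the gaps an IR
team cares about.  Added example with constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    mac: str
    owner: str
    status: str      # "active" or "retired"
    critical: bool   # in scope for the minimum EDR/monitoring coverage


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    last_seen: datetime  # assumed source: DHCP lease, NAC log or scan result


NOW = datetime(2024, 9, 1, 12, 0)  # constructed reference time

# Constructed inventory (the CMDB view).
INVENTORY = [
    Asset("db-01", "00:11:22:33:44:01", "platform", "active", True),
    Asset("erp-app", "00:11:22:33:44:04", "finance", "active", True),
    Asset("hr-laptop-7", "00:11:22:33:44:02", "hr", "active", False),
    Asset("legacy-ftp", "00:11:22:33:44:03", "nobody", "retired", False),
]

# Constructed observations (what the network saw recently).
OBSERVED = [
    Observation("00:11:22:33:44:01", "10.0.1.10", NOW - timedelta(hours=1)),
    Observation("00:11:22:33:44:03", "10.0.1.30", NOW - timedelta(hours=6)),    # retired, still online
    Observation("AA:BB:CC:DD:EE:FF", "10.0.1.77", NOW - timedelta(minutes=30)),  # not in inventory
]


def reconcile(inventory, observed, now, silent_after=timedelta(days=7)):
    """Return unknown devices, retired-but-active assets, and critical assets
    not seen within `silent_after` (offline, or a monitoring blind spot)."""
    by_mac = {a.mac.lower(): a for a in inventory}
    seen = {o.mac.lower(): o for o in observed}

    unknown = sorted(o.ip for mac, o in seen.items() if mac not in by_mac)
    retired_but_active = sorted(
        a.hostname for mac, a in by_mac.items()
        if a.status == "retired" and mac in seen)
    silent_critical = sorted(
        a.hostname for mac, a in by_mac.items()
        if a.critical and a.status == "active"
        and (mac not in seen or now - seen[mac].last_seen > silent_after))
    return {
        "unknown_devices": unknown,
        "retired_but_active": retired_but_active,
        "silent_critical": silent_critical,
    }


if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, OBSERVED, NOW).items():
        print(f"{finding}: {items}")
```

MAC addresses are normalised to lower case before matching because inventory exports and network logs rarely agree on case; each of the three findings maps to a follow-up action (investigate and enrol the unknown device, disconnect or re-register the retired host, and check monitoring coverage for the silent critical asset).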
2- Framework Adoption
Once an organization has a better understanding of its assets, it is worth discussing and adopting a unified cyber security framework.
Adopting a specific framework simplifies the roadmap to a secure environment by building on industry best practices. It serves as a guideline towards a specific standard that focuses security operations and can also serve as a precise internal benchmark.
For starters, NIST’s Cybersecurity Framework, commonly referred to as the CSF, is a good starting point for any company looking to standardize its cyber security policies, processes, and procedures. There are other similar regional or industry-specific frameworks, but most are based on or heavily influenced by the CSF.
3- Assets protection/Deployment-Detection-Response
After adopting a unified cyber framework, the next crucial step is to adopt processes, procedures, and technologies to monitor for and detect known incoming threats. For example, in 2023 only 33% of breaches were detected by the organization’s own security teams and tools; the remaining two-thirds came to light through outside parties or through the attackers’ own disclosure, typically in pursuit of a ransom or other malicious goal {IBM Breach Report 2023}.
At a minimum, organizations should deploy Endpoint Detection and Response (EDR) solutions to all critical assets, with the goal of extending coverage to all devices and network egress points. Once all assets are covered, ensure they are properly configured and continuously monitored by a trained team prepared to respond to the earliest signs of an attack. This can be handled by internal teams or through dedicated external Managed Detection and Response (MDR) services.
4- Patch and Vulnerability Management
If not regularly updated and upgraded, any system or protection measure will eventually expose vulnerabilities that threat actors can exploit to gain access to the organization’s assets. Each company should adopt a patch management process that tracks newly discovered vulnerabilities and remediates them as soon as possible. That process should consider not only which updates and upgrades are available, but also whether a working exploit is known or already being used, and the potential impact on the organization and the affected assets.
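Turning that guidance into a repeatable decision means scoring each finding on severity, exploit status and asset exposure, then deriving a remediation deadline from the resulting tier. The block below is an added example of such risk-based prioritisation; it is not Check Point's or any vendor's scoring model. The weights, the priority thresholds, the per-tier SLAs and the findings themselves (identifiers are placeholders, not real CVE IDs) are constructed assumptions that an organization would tune to its own risk appetite.

```python
"""Risk-based patch prioritisation.  Added example with constructed data:
score = CVSS + exploit status + exposure + asset criticality, mapped to a
priority tier with an SLA, so that 'patch available' is not the only input."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    finding_id: str           # constructed placeholder, not a real CVE ID
    cvss: float               # CVSS base score, 0.0 - 10.0
    exploit_public: bool      # a working exploit is publicly available
    exploited_in_wild: bool   # listed in a known-exploited-vulnerability catalogue
    internet_facing: bool
    critical_asset: bool
    patch_available: bool
    discovered: date


# Assumed remediation SLA (days from discovery) per priority tier.
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}

TODAY = date(2024, 9, 1)  # constructed reference date

# Constructed findings.
FINDINGS = [
    Finding("EX-1", 9.8, True, True, True, True, True, date(2024, 8, 20)),
    Finding("EX-2", 7.5, True, False, False, True, True, date(2024, 8, 25)),
    Finding("EX-3", 5.3, False, False, False, False, False, date(2024, 8, 1)),
    Finding("EX-4", 8.8, False, False, True, False, True, date(2024, 7, 1)),
]


def risk_score(f: Finding) -> float:
    """CVSS plus assumed uplifts; capped at 15.0 so the tiers stay stable."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 3.0
    elif f.exploit_public:
        score += 1.5
    if f.internet_facing:
        score += 2.0
    if f.critical_asset:
        score += 1.5
    return round(min(score, 15.0), 1)


def priority(f: Finding) -> str:
    """Tier by score; anything exploited in the wild on an exposed host is P1
    regardless of its CVSS number."""
    s = risk_score(f)
    if s >= 12.0 or (f.exploited_in_wild and f.internet_facing):
        return "P1"
    if s >= 9.0:
        return "P2"
    if s >= 6.0:
        return "P3"
    return "P4"


def plan(findings, today):
    """Ordered work list: highest tier first, then highest score; a finding
    with no vendor patch still gets a deadline, for a compensating control."""
    rows = []
    for f in findings:
        tier = priority(f)
        due = f.discovered + timedelta(days=SLA_DAYS[tier])
        rows.append({
            "id": f.finding_id,
            "priority": tier,
            "score": risk_score(f),
            "due": due,
            "overdue": today > due,
            "action": "patch" if f.patch_available else "mitigate (no patch yet)",
        })
    rows.sort(key=lambda r: (r["priority"], -r["score"]))
    return rows


if __name__ == "__main__":
    for row in plan(FINDINGS, TODAY):
        print(row)
```

Two things in the output are worth noticing: EX-4 (no known exploit, but internet-facing and long past its SLA) outranks EX-2 (public exploit, internal host), and EX-3 is kept on the list with a mitigation action even though no patch exists, so unpatchable findings do not silently disappear from tracking.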
5- Incident Response Planning
The organization’s incident response should be captured in a documented, living Incident Response Plan (IRP). The IRP should not only be documented but also approved at the highest level of the organization. While creating and documenting the IRP, the organization should establish its response team(s) and identify the major stakeholders; establish and review existing third-party contacts and arrangements for external IR support; and put together response toolkits, response templates, cyber insurance, and other mitigation measures.
A well-crafted IRP should be straightforward, efficient, and reflect not only the organization’s environment and needs but also be the main guide in responding to real-time incidents.
6- Training
An organization’s best asset is its people. People working with the right technologies, sound processes, and procedures are what decide whether an incident stays a minor event or becomes a full-blown catastrophe. As such, everyone who works for an organization must be trained to be an asset rather than a liability when it comes to security. All training should be tailored to people’s roles and responsibilities, delivered periodically, and kept realistic. It can range from cyber awareness training, including phishing and other common threats, to more involved exercises such as incident response drills.
7- Audit and Test of Security Measures
Once the measures above are implemented, it is important that all assets are reviewed periodically, that protection measures are assessed by internal teams and tested by external teams, and that the incident response plan and playbooks are run through in simulated incidents (tabletop exercises). All lessons learned and any gaps discovered should then be reviewed to improve the security measures.
Proactively implementing the above steps can be challenging and costly, particularly for an already stretched cyber security workforce.
However, when weighed against the potential financial losses, reputational damage, and recovery expenses, Incident Response Readiness offers a strong return on investment, making it a bargain compared to the costs of responding reactively to actual incidents.