Infosecurity Europe
4-6 June 2024
ExCeL London

Four Vital Steps for Developing an Incident Response Strategy

While the mantra ‘prevention is the best cure’ is undoubtedly true in regard to defending against cyber-attacks, the sheer scale and sophistication of modern threats make breaches inevitable.

Infamous cyber events, such as the Equifax data breach in 2017, have demonstrated the potentially enormous time and costs of recovery to organisations following a breach. A poll published by Hiscox in 2022 found that a fifth of US and European businesses have nearly been rendered insolvent by a serious cyber-attack, with 87% viewing compromise as a bigger threat than economic downturn.

Incident response strategies are essential to enable organisations to execute damage control in the event of such an incident, limiting the damage caused and enabling quick recovery.

Here are four key steps for organisations to consider when developing an incident response strategy:

1. Account for Recent Trends

Several recent trends have made developing incident response plans more complex, meaning approaches must be adjusted to account for these new realities.

One of these is the shift to hybrid working. With workforces operating across multiple locations and geographies, effective communication and coordinating relevant employees is a bigger challenge than before. Additionally, undertaking incident response training and tabletop exercises is more difficult when people are less often in the office together.

Therefore, establishing processes and procedures that facilitate remote communication is essential.

Another aspect organisations need to contend with is the growing prevalence of supply chain attacks. For example, a report by Sonatype in 2022 found that software supply chain attacks, which aim to strike hundreds and even thousands of organisations via a single exploit, have soared by 742% since 2019.

Responding to these types of incidents is particularly challenging, as it involves working with third-party suppliers. Additionally, because multiple organisations are affected by the same incident, it can take longer to get outside help.

As a result, organisations need to establish close communication and formal agreements with third parties so that they can respond to supply chain incidents efficiently. These include incident reporting clauses in contracts with such organisations, and creating and testing response plans jointly with them.

2. Clarify All Relevant Parties

Responsibility for cyber incident management extends far beyond security teams. Several departments may be involved in the response, particularly when it comes to communicating the incident to the outside world. These include the company’s board and divisions like legal, communications and HR.

Writing for Infosecurity Magazine, Heath Renfrow, CISO at Conversant Group, said that a list of key incident response personnel should be set out in plans, allowing for fast access at the appropriate time. These should include relevant external actors, including any outside legal counsel, data forensics firms and cyber insurance panels.

David Gray, director, NTT Ltd. UK and Ireland, noted that the time to alert industry regulators or law enforcement should also be defined in the strategy, taking into account relevant legislation.

3. Continuous Training and Learning

It is vital that incident response plans are continuously tested to ensure that they are implemented effectively in a real-life scenario. Sarah Armstrong-Smith, chief security advisor at Microsoft, has argued that incident response simulations should replicate real-world situations as closely as possible, something that is rarely done in organisations.

This can be achieved by simulating previous cyber incidents or near misses against that organisation.

Armstrong-Smith also highlighted the importance of reviewing past incidents to understand what went wrong, and where improvements should be made.

Refining incident response strategies based on past events was emphasised by Gray, who wrote for Infosecurity: “Every breach should provide an opportunity to learn and improve. IR plans should contain a formal debrief session, where lessons learned are gathered for further review and integration into the programme.”

4. Use Available Materials and Services

Governments and industry associations have provided numerous materials and services relating to incident response planning, and organisations are well advised to make the most of these.

Easy-access checklists and guides have been published by bodies such as the UK’s National Cyber Security Centre (NCSC), setting out the key aspects of an incident response plan to help companies ensure that all ground is covered.

In April 2023, accreditation body ISACA published a new quick reference document designed to help organisations manage ransomware incidents. Rob Clyde, board director at ISACA, explained: “It makes sure you follow the appropriate steps and don’t leave something out.”

There are also a number of certifications and qualifications that organisations and individuals can consider taking to boost their capabilities in this area. For example, the NCSC offers a Cyber Incident Response scheme. This is designed to give organisations that have networks of national significance assurance that members of the scheme meet the NCSC’s standard for high-quality incident response.

Accreditation bodies, such as (ISC)2, offer certifications in incident management for cyber professionals, which can help security teams develop their plans in this area.

Cyber incident response has become increasingly complex for organisations in the face of fast-evolving and sophisticated attacks. Plans must be adapted in light of trends such as the shift to hybrid working and the growing prevalence of supply chain attacks. This necessitates continuous learning and training, with plans practiced and refined regularly.

It’s a major undertaking, but one that organisations cannot afford to neglect given the potentially crippling consequences of cyber incidents.
