
Who is this blog for?

This blog is for SMB leaders looking for guidance on how they can take a proactive stance to improving the cyber security posture of their business. The article provides insight into the threat landscape in the UK and the crucial role incident response (IR) planning plays in mitigating those threats. 

Incident response planning gives organisations an iterative framework for mitigating threats quickly and effectively. Widely used by enterprise-level organisations, this is a strategy that SMBs can also deploy to minimise risk. The blog also offers guidance on how businesses can build a robust set of IR policies and documentation. 

Read time: 8 minutes 15 seconds 

Over the last decade, one of the most persistent trends in cyber security has been that bad actors have increasingly targeted small-to-medium-sized businesses (SMBs). According to the Department for Science, Innovation & Technology, in its cyber security breaches survey, over one-third of all companies in the UK recalled a cyber security breach or attack between 2022 and 2023. 

Sadly, the landscape of cyber crime is thriving like no other industry – evidence suggests that technology is shrinking the skill gap for cyber criminals and making it easier to launch attacks at an unprecedented frequency. According to Babble’s IT Security & Compliance Manager, Dan Davies, these developments put businesses at the smaller end of the market at greater risk. 

“There has always been a common trend with small businesses and security with organisations thinking that they won’t be a target because they are small. While it is true that small businesses aren’t necessarily the most targeted, attacks can spread quickly when they do happen. For example, a supply chain compromise could result in businesses on the other side of the world from a direct target being impacted.” 

Dan Davies, IT Security & Compliance Manager at Babble 

Meanwhile, qualitative evidence gathered by the DSIT suggests that broader economic uncertainty is driving cyber security down the priority lists of micro businesses and SMBs (Department for Science, 2023). This trend, if true, is sure to make these smaller organisations an even bigger target for bad actors. So, what should businesses be doing to protect themselves? 

Incident Response Planning for SMBs 

One of the most significant growth opportunities for SMBs is incident response planning. But surveys suggest that it is still an under-prioritised area for most businesses. 

“While a large majority of organisations say that they will take several actions following a cyber incident, in reality, a minority have agreed processes already in place to support this… Formal incident response plans are not widespread (21% of businesses and 16% of charities have them). This rises to 47% of medium-sized businesses, 64% of large businesses and 38% of high-income charities.” 

– Department for Science, Innovation and Technology (DSIT), Cyber security breaches survey 2023. 

Bigger companies seem to have more time and resources for operations like scenario planning. In contrast, companies on the smaller end of the spectrum are preoccupied with keeping the lights on. However, the statistics laid out by the DSIT make it clear that incident response planning isn’t just for large enterprises.  

Emerging Threats 

While the relative importance of cyber security appears to be declining among small businesses, threats targeting small businesses are growing. Not only are bad actors increasingly targeting SMBs because they don’t prioritise security, but technological advancements that lower the cost and complexity of launching cyber-attacks are leading bad actors to target businesses indiscriminately. 

“State-sponsored bad actors and larger criminal organisations have vast resources at their disposal, allowing them to launch low-cost, wide-spread attack campaigns,” says Dan Davies. “Scanners and automation allow bad actors to identify the low-hanging fruit, and launch large attack campaigns against all vulnerable targets – whether they are small businesses or large enterprises.”  

The growing market for ‘off the shelf’ tools for cyber crime and organisations offering Ransomware as a Service is another trend putting businesses at an elevated risk. There are also emerging accounts of people overcoming the guardrails on Generative AI tools like ChatGPT, prompting them to generate malicious code. In short, the skills gap for cyber crime is shrinking rapidly. 

The Breach Lifecycle 

One of the most common forms of cyber-attack is the business email compromise (BEC), which aims to grant bad actors access to a company’s network and move laterally. A cyber security breach originating from a business email compromise may play out like this: 

2:03 PM – Phishing Email Received 

A legitimate employee receives an email from one of the organisation’s third-party vendors. The email urges the employee to log into the vendor portal and address an outstanding issue/task. The employee does not notice that the sender’s address is not legitimate but was made to look like it has come from the vendor. 

2:34 PM – Malicious Link Clicked 

The employee clicks the link, which takes them to a website that closely resembles the vendor portal. They enter their login credentials, but access is not granted.  

3:46 PM – First Suspicious Login Attempt 

The IT administrator receives the first alert of a login attempt from an unrecognised location. This is the first sign that a business email compromise has taken place. 

4:32 PM – IT Administrators Alert Security Function 

As more and more alerts come in, the organisation’s IT administrator realises that an active cyber security breach is underway. IT reports the activity to the security team. 

4:59 PM – The Security Team Confirms the Breach 

More than two hours after the initial point of entry, the organisation’s security team confirms the incident. It informs the rest of the organisation that a cyber-attack is in progress.  

8:12 PM – Attack Scope Outstrips Security Team Capabilities 

The attack has moved laterally within the organisation, allowing the bad actors to implement denial of service tactics. Corporate systems become inaccessible, and the security team loses its ability to monitor or contain the threat. 

11:43 PM – The Cyber-Attack Spreads 

Reports of suspicious emails start coming in from third-party vendors and suppliers – evidence that the business email compromise has spread to the supply chain. 

The Next Morning… 

Reports from employees within the organisation and the organisation’s vendors and suppliers have appeared on social media. Soon after, the headlines begin appearing, pointing to the organisation as the source of a large-scale cyber attack. 

How Should a Cyber-Attack Play Out? 

Businesses must have a formal, tested incident response plan. Every cyber-attack has distinctive stages; every stage is an opportunity to contain and remediate the threat. In a perfect world, cyber-attacks would be spotted and contained within minutes. But even if a threat isn’t eliminated at the first stage, businesses can save themselves thousands of pounds by developing their ability to respond to cyber incidents appropriately. 

The Importance of Incident Response 

In the UK, less than a third of businesses of all sizes have a formal IR plan – only 21% of small businesses and 47% of medium businesses – even though more than 50% of all businesses and charities surveyed by the government recalled a breach or attack of any kind (Department for Science, 2023). A study carried out by the Hiscox Group in 2017/18 outlined the potential financial impact of a cyber security breach for small businesses… 

  • In the UK, the average cost of a cyber-attack is £15,300 (Department for Science, 2023). 
  • The average cleanup cost (paying ransoms, hardware replacement, etc.) for a small business is £25,700 (Hiscox Group, 2018). 
  • The potential regulatory fines for a major data breach can equal up to 4% of a business’s annual turnover (Data Protection Act, 2018). 

Furthermore, Hiscox found that a small UK business is successfully breached every 19 seconds. With the frequency of attacks growing, and the financial impact so severe, there should be no doubt in the minds of SMB leaders that they need robust, standardised security procedures. 

Building an Incident Response Plan that Works 

Every business should have clearly defined incident response guidelines. Incident response documentation can be divided into three key categories: Policies, Plans and Playbooks. 

An Incident Response Policy should be a high-level document outlining all the core information your business needs about incident response. Among other things, this includes: 

  • Key terms and definitions. 
  • Why incident response is necessary. 
  • Who the policy applies to. 
  • Who is responsible for enforcing the policy. 
  • What requirements must be met by the IR team and the wider organisation. 

Unlike your policy, your Incident Response Plan should be a living document. The Incident Response Plan should be reviewed after every major incident an organisation experiences, or every six months if no incident occurs. Your Incident Response Plan should outline the following information: 

  • The Mission Statement 
  • Goals & objectives 
  • Scope of the plan 
  • Roles and responsibilities 
  • Contact information for each IR team member 
  • Internal and external communication procedures 
  • Incident severity levels 
  • Incident types – including definitions. 
  • The incident response lifecycle 

Unlike the previous two documents, you can have as many Incident Response Playbooks as is necessary. Whilst the Incident Response Plan provides high-level guidance that applies to all incident types, an Incident Response Playbook offers detailed guidance on one specific incident type. So, an organisation might have a Ransomware Playbook, a Denial-of-Service Playbook, and many others. 

The Cyber Kill Chain 

Finding a reliable framework is an organisation’s best first step when building out its Incident Response Plan. 

Developed by Lockheed Martin, the Cyber Kill Chain is one framework organisations can use. According to the Cyber Kill Chain, all modern cyber-attacks play out in roughly the same steps: 

Stage 1: Infiltration 

  • Reconnaissance 
  • Point of Entry – Note: This is the earliest stage at which the organisation can spot the attack. 

Stage 2: Exploration 

  • Escalation of Privileges 
  • Lateral Movement 

Stage 3: Execution 

  • Command and Control 
  • Actions on Objectives 

An in-depth understanding of this framework (or a helpful variation thereof) can help organisations implement safeguards that help slow down the progression of an attack. For example, enforcing Zero Trust limits lateral movement opportunities and mitigates attacks at the exploration phase. However, having an effective IR plan can mitigate threats even earlier in the kill chain. 

Alert Fatigue 

In our scenario above, it took the IT administrator nearly 45 minutes to realise that a cyber security breach was in progress. A common issue for IT departments is alert fatigue. With so many systems and platforms communicating within an organisation’s network, it is common for admins to become desensitised to the number of alerts they receive on a daily – or even hourly – basis. 

Alert fatigue might make it more difficult for organisations to contain active cyber-attacks due to missed alerts, slow response times (due to overwhelmed admins), and even admin burnout. Organisations can take measures to reduce alert fatigue: 

  • Alert Priorities – A system for prioritising alerts can ensure nothing slips through the cracks. For example, low-priority alerts can be handled by IT admins, while high-priority alerts can go straight to the security team, or the incident response team. 
  • Eliminate Redundant Alerts – Combining point products into a company network may lead to duplicate alerts. Eliminating these duplicates will give IT admins a much clearer picture of the network. 
  • Actionable Alerts – If admins are overwhelmed with alerts that do not have actionable first steps, it’s no wonder cyber-attacks are able to slip past. Make sure every alert has a logical action attached to it. 
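
The three measures above can be combined in a single triage step. The following is an added example, not code from Babble or the original article: the alert fields, the rule table and the five-minute merge window are all assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alerts; two point products report the same sign-in.
ALERTS = [
    {"src": "idp", "time": "2024-01-10T15:46:05", "type": "login_unrecognised_location", "entity": "j.smith"},
    {"src": "mail_gateway", "time": "2024-01-10T15:46:40", "type": "login_unrecognised_location", "entity": "j.smith"},
    {"src": "monitoring", "time": "2024-01-10T15:50:00", "type": "disk_space_low", "entity": "srv-files"},
    {"src": "idp", "time": "2024-01-10T16:10:00", "type": "login_unrecognised_location", "entity": "j.smith"},
    {"src": "firewall", "time": "2024-01-10T16:12:00", "type": "unclassified_event", "entity": "gw-01"},
]

# Assumed rule table: alert type -> (priority, owner, first action).
RULES = {
    "login_unrecognised_location": ("high", "security_team", "Reset the password and revoke active sessions"),
    "disk_space_low": ("low", "it_admin", "Clear old logs or extend the volume"),
}

def triage(alerts, window=timedelta(minutes=5)):
    """Return (queue, unactionable): merged, prioritised alerts and rule gaps."""
    queue, unactionable, open_items = [], [], {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        ts = datetime.fromisoformat(alert["time"])
        key = (alert["type"], alert["entity"])
        item = open_items.get(key)
        if item and ts - item["last_seen"] <= window:
            # Redundant alert: fold it into the one already queued.
            item["sources"].add(alert["src"])
            item["count"] += 1
            item["last_seen"] = ts
            continue
        rule = RULES.get(alert["type"])
        if rule is None:
            # No first step defined: report the gap instead of paging anyone.
            unactionable.append(alert)
            continue
        priority, owner, action = rule
        item = {"type": alert["type"], "entity": alert["entity"], "priority": priority,
                "owner": owner, "action": action, "sources": {alert["src"]},
                "count": 1, "last_seen": ts}
        open_items[key] = item
        queue.append(item)
    # Stable sort keeps time order within a priority; high priority first.
    queue.sort(key=lambda i: i["priority"] != "high")
    return queue, unactionable

if __name__ == "__main__":
    queue, gaps = triage(ALERTS)
    for i in queue:
        print(i["priority"], i["owner"], i["type"], i["entity"], f"x{i['count']}", "->", i["action"])
    print("alert types with no action defined:", [g["type"] for g in gaps])
```

The list of alert types with no action defined is the work queue for whoever maintains the rules: each entry is an alert that would otherwise reach an admin with no first step attached.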

AI and Automation 

Security AI and automation may be helpful for organisations struggling with IRP challenges like alert fatigue and staffing. According to IBM’s 2023 Security Report, there is evidence to suggest that security automation and AI could reduce the average cyber security breach lifecycle by as much as 108 days (IBM, 2023). 

The potential benefits of AI and Machine Learning (ML) for incident response planning are diverse. For example, they would make analysing large volumes of data coming in from the various sources in a network much easier, and they may also help with filtering out false positives. Post-incident analysis is another area where AI and ML can help. An incident response plan must be reviewed after an event, and the insights that AI and ML can extract from the data would be essential. 

AI can also help with automating incident response activities, such as blocking malicious traffic, quarantining devices, and restoring backups. 

Closing the Gap Between IT & Security and the Wider Organisation 


“Qualitative findings suggest another area for potential improvement is the relative disconnect between IT or specialist cyber teams and wider staff (including management boards) when it comes to incident response.”

UK Government, DSIT, Cyber security breaches survey 2023. 

Businesses must stop looking at IT and security as a cost and consider it an area for investment. The tendency to view IT and cyber security as a fringe function in business – an already highly outdated idea – may be one of the reasons why they are vulnerable to the chopping block when businesses look for ways to save money. 

“Qualitative data suggests the impetus to develop strategies can come from management board pressure, audits, and business acquisition. It can also coincide with cyber teams gaining operational independence, for example from IT departments.”

UK Government, DSIT, Cyber security breaches survey 2023. 

Some good news is that the board is starting to take notice. A recent report from Mimecast noted that business leaders are more concerned about data security than any other business pressure (Mimecast, 2023). 


Modern cyber security is not a cost centre, but an investment centre. In today’s business landscape, cyber security is that invisible factor that will save you thousands by mitigating security risks. 

When investors, customers, the media, and auditors ask about an incident, a business with an incident response plan can point to its records and prove that it acted responsibly and thoroughly in an attack. Furthermore, an IR plan can shorten the window of opportunity for attackers, by ensuring responders understand the steps they must take and have the tools and authority to do so. 

So, our advice is quite simple: Invest the time now. Develop an incident response plan before the inevitable happens, and rest easy with the knowledge that your business has a reliable, effective framework to minimise the impact of a cyber-attack.