In sports, playbooks provide plans of action. The same is true in cybersecurity. While companies can’t predict when or how attacks may happen, an up-to-date security playbook — also known as an incident response plan — helps IT teams implement a targeted response that minimizes total risk.
Yet, many companies don’t have an in-depth security playbook, opting instead for isolated responses that may offer short-term relief but don’t effectively target root causes. More than a third of midsized companies (36 percent) don’t have a formal incident response plan. And while most back up their data, more than half (58 percent) don’t test their backups daily.
Here’s a look at what companies need to include in a playbook, how to keep playbooks up to date and the importance of having a playbook in place ahead of a security incident.
What to Include in a Cybersecurity Playbook
According to recent data, more than 72 percent of global firms were targeted by ransomware in the past year. Ransomware rarely arrives on its own: it typically starts with phishing emails and malicious links that compromise staff accounts, and only later encrypts systems.
As a result, companies can’t afford to create security responses as events unfold. Instead, they need security playbooks that provide details about common threats and effective response tactics.
When an attacker strikes, a well-written security playbook includes details on:
- Who is responsible for what: Which staff members handle which tasks? This could include pinpointing attack vectors, identifying compromise points and isolating key systems.
- Who contacts whom: How do callouts happen when attacks occur? Playbooks should include a regularly updated callout chain to ensure the right people are contacted ASAP.
- What happens when a key person is not available: A staff member might be sick or on vacation, or might have left the company since the playbook was last updated. Playbooks need to include backup plans in the event a key person is not available.
- How specific incidents are handled: Playbooks should also describe how specific incidents such as stolen credentials, ransomware attacks or compromised endpoints are handled. Each play should cover how the incident is detected, how its scope is confirmed, how affected accounts and systems are contained or isolated, and how they are remediated.
How to Keep Your Cybersecurity Playbook Current
Just as threat actors constantly shift their tactics, incident response plans can’t be static. For example, cyberattackers recently used a fake Windows update to infect and compromise business and government devices. Security playbooks must adapt to address these new challenges.
Ideally, your playbook should be reviewed at least quarterly and revised at least annually, and sooner whenever a review or an actual incident shows that a play no longer matches the environment. In addition, companies should regularly run tabletop exercises and simulated attacks to test whether the playbook's plays and callout chains actually work.
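As an added example that is not part of the original article, the following Python script treats the playbook as data rather than as a document: the roles, backups and per-incident callout chains from the list above are stored in a plain dictionary (it could equally be loaded from YAML or JSON), a validation function flags the problems the article warns about (a backup who has left the company, a play that calls out a role nobody holds, a review date older than the quarterly cadence), and a resolver walks the callout chain for an incident, skipping people who are unavailable and failing loudly when a role cannot be staffed at all. All names, phone numbers, roles, plays and dates are constructed for illustration.

```python
"""Playbook-as-code: a machine-checkable incident response callout chain.

Added example, not taken from the article. Every name, phone number,
role and date below is constructed for illustration.
"""
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # quarterly review cadence

PLAYBOOK = {
    "last_reviewed": "2023-01-15",
    "roles": {
        "incident_commander": {"primary": "alice", "backup": "bob"},
        "forensics_lead": {"primary": "carol", "backup": "dave"},
        # grace left the company after this was written; validation should catch it
        "comms_lead": {"primary": "erin", "backup": "grace"},
    },
    "staff": {
        "alice": {"phone": "+1-555-0100", "active": True},
        "bob": {"phone": "+1-555-0101", "active": True},
        "carol": {"phone": "+1-555-0102", "active": True},
        "dave": {"phone": "+1-555-0103", "active": True},
        "erin": {"phone": "+1-555-0104", "active": True},
        "grace": {"phone": "+1-555-0105", "active": False},
    },
    "plays": {
        "ransomware": {
            "callout": ["incident_commander", "forensics_lead", "comms_lead"],
            "steps": ["isolate affected hosts", "preserve volatile evidence",
                      "confirm backups are intact", "notify cyber insurer"],
        },
        # "identity_lead" is never defined under roles; validation should catch it
        "stolen_credentials": {
            "callout": ["incident_commander", "identity_lead"],
            "steps": ["revoke sessions", "reset credentials", "review sign-in logs"],
        },
    },
}


def validate(playbook, today):
    """Return a list of problems found in the playbook; empty means it passes.

    `today` is an ISO date string so callers need nothing but this module.
    """
    problems = []
    reviewed = date.fromisoformat(playbook["last_reviewed"])
    age = (date.fromisoformat(today) - reviewed).days
    if age > REVIEW_INTERVAL_DAYS:
        problems.append(f"stale: last reviewed {reviewed}, {age} days ago")

    staff = playbook["staff"]
    for role, holders in playbook["roles"].items():
        for slot in ("primary", "backup"):
            person = holders.get(slot)
            if person is None:
                problems.append(f"{role}: no {slot} assigned")
            elif person not in staff:
                problems.append(f"{role}: {slot} {person!r} not in staff directory")
            elif not staff[person]["active"]:
                problems.append(f"{role}: {slot} {person!r} is no longer active")
        if holders.get("primary") == holders.get("backup"):
            problems.append(f"{role}: primary and backup are the same person")

    for name, play in playbook["plays"].items():
        for role in play["callout"]:
            if role not in playbook["roles"]:
                problems.append(f"play {name!r}: callout names undefined role {role!r}")
    return problems


def resolve_callout(playbook, incident_type, unavailable=frozenset()):
    """Return [(role, person, phone)] for an incident, skipping anyone unavailable.

    Primary is tried first, then backup. Raises LookupError if a role in the
    chain cannot be staffed, so a gap is noticed before an incident, not during.
    """
    staff = playbook["staff"]
    chain = []
    for role in playbook["plays"][incident_type]["callout"]:
        holders = playbook["roles"][role]
        for slot in ("primary", "backup"):
            person = holders.get(slot)
            if person and person not in unavailable and staff.get(person, {}).get("active"):
                chain.append((role, person, staff[person]["phone"]))
                break
        else:  # neither primary nor backup could be reached
            raise LookupError(f"no available holder for role {role!r}")
    return chain


if __name__ == "__main__":
    for problem in validate(PLAYBOOK, "2023-06-01"):
        print("PROBLEM:", problem)
    for role, person, phone in resolve_callout(PLAYBOOK, "ransomware", {"alice"}):
        print(f"{role}: call {person} at {phone}")
```

Running the script against the constructed playbook reports three problems (the review is older than a quarter, the comms lead's backup has left, and the stolen-credentials play names a role nobody holds), and with Alice marked unavailable the ransomware callout falls through to Bob as incident commander. Run validation from a scheduled job, and treat any non-empty result as a ticket to update the playbook rather than something to discover mid-incident.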
And playbooks aren’t just for incident detection and response. Cybersecurity insurers may ask to see playbooks before providing coverage.
It’s also critical for companies to update response plans when they add new technologies. For example, the deployment of public cloud services to handle customer-facing applications introduces both new connections and new attack surfaces, requiring playbook updates.
72 percent: the share of global firms targeted by ransomware in the past year.
Source: Statista, Cyber Crime and Security Report, 2023