Last Updated: July 2022
So, you know the right things to do. You have put the policies in place and trained everybody in the organization on all the best practices. Even with all this hard work, it is very likely that something will eventually go wrong. Stuff happens. When it does, it is essential to have an incident response plan in place. Incident response is a crucial, and often underrated, part of your organization’s security plan because it can be the difference between an attack destroying your organization’s reputation or being an unpleasant bump in the road.
Keep in mind that you can only respond to an incident if you know about it. Having a strong organizational security culture and encouraging staff to report problems is very important. This is why it is better to reward good security behavior rather than punish security lapses or mistakes. It is also important to express empathy and check on the wellbeing of staff when they report an incident. You want staff to immediately report a clicked link in a phishing message, a stolen phone, or a hacked social media account - not hesitate for fear of retribution or lack of support. After all, incident response, just like the mitigation strategies mentioned in other sections of the Handbook, is an organization-wide effort.
What should you plan for? In short, anything that is somewhat likely to happen. That will look different for every organization, but common questions that an incident response plan will help answer include:
- What do we do if our accounts or websites get hacked?
- What do we do if someone clicks on a phishing email or if a device is acting suspiciously?
- What do we do if our emails or most sensitive documents are stolen and leaked?
- What do we do if one of our employees is put in physical danger or arrested? Or if they are struggling with stress and anxiety due to such threats?
- What do we do if our office is damaged in a fire, flood, or natural disaster?
- What do we do if an employee’s computer or phone is lost or stolen?
The answers to these questions and others will differ by organization, but it is important to think through them together and clearly articulate and share a plan so that everyone in your organization is prepared to take action immediately to limit the damage.
Borrowing from Tactical Tech’s Holistic Security Guide, a good place to start with an incident response plan is defining an incident or an emergency in the context of your organization. Decide what an "emergency" is – i.e. the point at which you should begin to implement the actions and contingency measures you have planned. This is important because it will sometimes be unclear. If you imagine a scenario such as losing contact with a colleague on a field mission, how long would you wait before declaring an emergency? You do not want to jump too early, but waiting too long can in some circumstances be disastrous.
It is also important to think through the operational steps. Assign each person a clear role that they are aware of and have agreed to in advance – this will reduce disorganization and panic in the event of an incident. For each threat, consider the different roles that you may have to assume and the practicalities involved in responding to an emergency. An important part of this strategy for emergencies is the activation of a support network – a broad network of allies, which may include friends and family, community, local allies, government resources, and national or international allies like NGOs and journalists. How can your allies support you? Should you contact them in advance to verify that they will be willing to help you in an emergency and let them know what you expect of them?
When responding to an incident, effective communications become especially important. Decide what the most secure and effective means of communicating with each actor is in different scenarios, and identify a backup means too. For emergencies, it is useful to have clear guidelines on what to (and what not to) communicate, when to communicate, which channels to use, and with whom you should communicate. Also consider the reputational impact of an incident on your organization, and be prepared to respond accordingly. Make sure that the organization's communications lead (in some organizations this might just be whoever manages the Facebook page or the Twitter account) is aware of the incident and can watch social media or other media for potential impact. They should also be prepared to field possible public or media inquiries about an incident if relevant. This is especially important for getting ahead of any potential negative stories or reputational damage. While every incident and context is different, honest and transparent communications often help build trust in the aftermath of an incident.
Creating an Early Alert and Response System
Consider establishing an Early Alert and Response System. Such a system sounds fancy, but it is essentially just a centralised document (electronic or otherwise) to be opened in the event of an emergency. In the document, you should record all the details about the security indicators and incidents which have occurred on a timeline, provide a clear description of the actions and sequence for the planned response, and indicate what needs to be achieved to signify that the risk has once again decreased. It should also include actions to be taken after an incident in order to protect those involved from further harm and help them to recover physically and emotionally. An Early Alert and Response System can provide useful documentation for sharing with law enforcement (if applicable), subsequent analysis of what has happened, and guidance on how to improve your prevention tactics and responses to threats in the future.
In addition to these important incident response concepts, your organization should also prepare for any specific technical response. In some cases a technical response can be managed by internal IT staff or system administrators. For example, if an email account appears to have been hacked, your account administrator should be prepared and able to shut down or disable the impacted account. Some technical incidents, however, might require expertise that you do not have within your organization. For situations like these, it is important to identify a trusted list of external technical experts who can assist you in your incident response. In some cases, you may want to pre-negotiate terms with service providers (such as your website host or an IT consultant) to ensure that they are available (and would not charge extra) for such technical incident response.
Last but certainly not least, you should consider legal steps. Understanding the legal protections you might have, as well as the legal obligations or consequences your organization might face as a result of a data breach or other security incident, is important. A first step can be to identify trusted legal counsel that understands your country or locality’s specific laws and regulations. Take time to review possible incidents with relevant legal counsel if necessary, and make a plan for what you would do in response. It is a good idea to make an agreement with this trusted counsel to represent you and your interests if needed in the aftermath of an incident. As part of this legal preparation, make sure that you understand the legal obligations of any vendors or partners. Are they required to notify you in the case of their own data breach? What support (if any) are they required to provide you in the case of an incident? As you develop contracts and agreements with external vendors, keep the possibility of a data breach or other incident in mind.
While there is no one-size-fits-all approach to incident response, having clear operational, communications, technical, and legal plans in place is essential. As you put together your incident response plan, we strongly encourage you to make use of some excellent existing resources designed to help civil society organizations and other high-risk groups navigate incident response. These resources include the Digital First Aid Kit developed by RaReNet and CiviCERT, PEN America’s Online Harassment Field Manual, the Belfer Center’s Cybersecurity Campaign Playbook and Cyber Incident Communications Plan Template, and Access Now’s Digital Security Helpline.
- Develop an organizational incident response plan, and practice it.
- Brainstorm possible incidents and prepare for your response before it happens.
- Ensure everyone in the organization is aware of how you will communicate and what technical steps will be taken in the case of an incident.
- Take time to understand your legal protections and obligations.
- Be prepared to provide organizational staff the emotional and social support they need in the aftermath of an incident.