Stay Ahead of Security Threats with a 7-Step Incident Response Plan

Given today's security landscape, it's likely that your college or university will be targeted by a cyberattack at some point. How you plan and respond to security incidents can make the difference between a crisis and an event that makes your team stronger.

A cybersecurity incident response plan builds on your overall information security program by establishing a set of response tactics and tools to ensure that when an attack does happen, you have the people, processes, and technologies in place to respond effectively. In the event of an attack, time is of the essence, and being able to respond to both the attack itself and the people impacted is a key strategy for limiting the damage, in cost and reputation, to your institution.

Your cybersecurity incident response plan should include these seven main components, which I'll describe in more detail:

  1. Ensure that you have an IT security business continuity plan describing how you will access and restore data and systems after a breach.
  2. Develop a communications plan that helps you talk to faculty, staff, students, and parents in the event of a breach.
  3. Incorporate cyberrisk insurance and liability language in contracts with outsourced service providers.
  4. Provide ongoing cybersecurity education.
  5. Explain how to restore files from backup.
  6. Learn how to find and respond to an attack.
  7. Practice, practice, practice your incident response plan.

1. Address IT Security in Your Business Continuity Plan

While business continuity planning goes well beyond information security, it's one of the most important elements needed to run your campus operations. One of the first steps is to analyze your current security posture by answering the question of how you'd keep your operations running if all of your data were suddenly unavailable and what you would do if a cyberattack hit during a busy time, such as the beginning of the semester or graduation week. Today, one of the most common cybersecurity risks to your college or university is a ransomware attack. Three steps you need to take to prepare for a ransomware attack include identifying files and systems critical to your business, backing up these files every day, and testing the restore process at least once a month.

2. Develop a Stakeholder Communications Plan

There may come a day when you'll need to talk to your faculty, staff, students and parents about a security breach. Having a plan in place in advance ensures you won't be doing this on the fly when your institution is reeling from the attack you just suffered.

Your strategy should include a step-by-step notification plan in the event that your institution is not operating as usual due to a cyberattack. Your college or university may be required by law to provide notice to affected individuals following a data breach.

The communications plan should also include draft messages you can send to your employees, students, parents, alumni, or other affected community members in the event of a data breach or ransomware attack; a draft press release you can use to notify the media; and a media engagement plan. Honesty and transparency are always the best policy. Being prepared in advance to answer to various parties who will need to be "in the know" is the key to handling these situations appropriately and strategically. Otherwise, you'll find yourself scrambling not only to clean up the breach or attack but also to determine how to inform your key stakeholders in a very tight and stressful time.

3. Protect Your Institution with Cyberrisk Insurance

If your institution is the victim of a cyberattack, this may be a source of financial liability for you. Increasingly, colleges and universities are maintaining cyberliability insurance, according to a 2015 member survey from the University Risk Management and Insurance Association (URMIA). In addition to covering cyberliability risk, the reasons most often stated for carrying this insurance were that it: 1) covers the expense of data breach notification and credit monitoring; 2) affords assistance with complying with notification laws for multiple jurisdictions; 3) provides a data breach coach to help coordinate response; and 4) provides access to data forensics services.

It's important to understand your risks and what your insurance will and will not cover. Some exposures can be transferred contractually, such as if your institution is outsourcing services. For example, if your outsourced payroll services provider holds sensitive student and employee data that's not encrypted and there is a breach, what is your liability according to your contract with that vendor, and does your insurance cover that? You should lay out exactly what your insurance covers so that in the event of a breach, it's clear what you're responsible for and can predict costs and repercussions in a worst-case scenario.

It's also a good idea to validate yearly how your cyberinsurance policy covers you against new threats. Over time, threats and vulnerabilities will evolve, so be sure you're continuously protected against the latest and most pertinent security issues by conducting a yearly review of your insurance policy.

4. Implement Employee Cybersecurity Education

How many of your staff and faculty would click on a targeted phishing e-mail? Or if a cybercriminal stole their password, what information would they have access to? Keeping the people side of the security equation strong requires that everyone in your organization has an awareness of cybersecurity. If employees aren't educated about what to do and what not to do when it comes to security, they may never know the dangers of using bad passwords, clicking on malicious links, or logging on to unsecured public Wi-Fi networks. Employees should be properly trained on security when they first come on board and should also receive regular training at least annually.

Your employee security orientation program should include:

  • An overview of your institution's security policies and processes
  • Demonstrations of security tools they'll be using, such as two-factor authentication, a virtual private network (VPN), and a password manager
  • A mock scenario demonstrating how to spot common security threats, such as a phishing attack, and how to respond
  • A rundown of the people within the institution they should contact when they suspect a potential security issue (e.g., your IT manager or information security officer)
  • A quiz to test their knowledge after the training session

The goal of your ongoing security education should be to develop a curriculum that educates employees about common security threats and keeps security top of mind by way of regular education and awareness activities. Training can be conducted over brown-bag lunches, through interactive demonstrations, and by regularly quizzing employees about best practices.

Some training materials to equip your team with include:

  • Role-based guidelines (e.g., what each team needs to know about security)
  • A library of content they can reference (e.g., a wiki) for various security scenarios such as detecting phishing scams, using a VPN, or managing passwords
  • A special chat channel (e.g., #security on Slack or a dedicated and regularly monitored e-mail address) for employees to report suspected security issues and ask questions
  • Tools and services (free and paid) from companies such as KnowBe4 and Securecast, which can be a great help in educating users

5. Restore Files from Backup

If a security incident does occur, you'll need to be prepared to restore trusted files from backup. The key is to perform regular and redundant backups of all your critical data and systems. Regular means that it happens frequently — we recommend at least daily, more for some data — and redundant means that it is stored in more than one place. Generally, the rule of thumb is 3-2-1: three copies, stored in at least two places, one of them off-site. Cloud-based backups are a good way to satisfy the off-site requirement.

Popular backup services to consider include Veeam (they offer free software for endpoints), Datto, or Carbonite. Be sure to look at the price points for the amount of data you have now while also considering what your future data storage needs might look like.

You'll need to test on a quarterly basis whether your backups are functioning, as well as whenever there is a major change to your hardware or software. You should also set up an alert in the event that they stop working for some reason (e.g., run out of storage).

Ideally, your test should replicate the conditions of a real incident and restoration process. You should do a complete restore of all data to a secondary system that has an identical configuration to your primary one. If this isn't possible, test as much of the backup as you can in this way. The closer you can get to real-world conditions, the more sure you can be that things are functioning properly.
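The 3-2-1 rule and the "alert when backups stop working" advice above are easy to state and easy to let slip. The script below is an added example, not part of the original post, that checks a backup inventory against those rules and emits one alert line per unhealthy dataset. The inventory layout (`BackupCopy`), the dataset and location names, and the 24-hour freshness threshold are assumptions made for illustration; in practice the inventory would be read from your backup software's job history.

```python
# Added example (not from the original post): check a backup inventory against
# the 3-2-1 rule and flag datasets whose newest copy is older than a day.
# The inventory layout, dataset names and thresholds below are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    dataset: str            # what was backed up, e.g. a database or file share
    location: str           # where this copy is stored
    offsite: bool           # True when the location is outside the campus
    last_success: datetime  # when the most recent run to this location completed


MAX_AGE = timedelta(hours=24)   # "at least daily"


def check_3_2_1(copies, now):
    """Return {dataset: [problem, ...]}; an empty list means the dataset is healthy."""
    by_dataset = {}
    for copy in copies:
        by_dataset.setdefault(copy.dataset, []).append(copy)

    findings = {}
    for name, group in by_dataset.items():
        problems = []
        if len(group) < 3:
            problems.append(f"only {len(group)} copies (need 3)")
        if len({c.location for c in group}) < 2:
            problems.append("all copies in one location (need 2)")
        if not any(c.offsite for c in group):
            problems.append("no off-site copy")
        # A backup job that silently stopped shows up as "no fresh copy anywhere".
        if not any(now - c.last_success <= MAX_AGE for c in group):
            newest = max(c.last_success for c in group)
            problems.append(f"no copy newer than {MAX_AGE}; newest is {newest.isoformat()}")
        findings[name] = problems
    return findings


def alert_lines(findings):
    """Format one alert line per unhealthy dataset, ready to page the on-call admin."""
    return [f"BACKUP ALERT {name}: " + "; ".join(problems)
            for name, problems in findings.items() if problems]


# Constructed sample inventory: one healthy dataset, one with too few copies and
# nothing off-site, and one whose backups have silently stopped running.
NOW = datetime(2017, 9, 1, 6, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("student-records-db", "nas-01", False, NOW - timedelta(hours=2)),
    BackupCopy("student-records-db", "tape-library", False, NOW - timedelta(hours=5)),
    BackupCopy("student-records-db", "cloud-bucket", True, NOW - timedelta(hours=1)),
    BackupCopy("lms-content", "nas-01", False, NOW - timedelta(hours=3)),
    BackupCopy("lms-content", "nas-02", False, NOW - timedelta(hours=3)),
    BackupCopy("payroll-files", "nas-01", False, NOW - timedelta(days=2)),
    BackupCopy("payroll-files", "tape-library", False, NOW - timedelta(days=4)),
    BackupCopy("payroll-files", "cloud-bucket", True, NOW - timedelta(days=3)),
]


def run_example():
    return check_3_2_1(SAMPLE_COPIES, NOW)


if __name__ == "__main__":
    for line in alert_lines(run_example()):
        print(line)
```

Run it from a scheduled job and route the alert lines to whatever already pages your team; the point is that a backup job that stopped three days ago is caught by the freshness check, not discovered during a restore.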

6. Learn How to Find and Respond to an Attack

To respond effectively to an attack, you'll need to know who the victims are, and from there you can determine what damage has been done. You may want to engage your managed service provider or incident response contractor, or seek one out. You'll want to identify the persons affected and their devices, using the indicators you are provided by the organization that found the infection, if applicable. Note what part of the organization the attack targeted and how it impacts your overall operations, and provide the victim or victims with an alternate place and device to work from while the intrusion is being investigated.

With ransomware, it's important to find patient zero. There are a couple of tools that can help with this. One that is simple to set up, but more manual to operate, is canarytokens. These alert you when a "canary" file (one that should never be used on a network share) is accessed, so you get an alert when ransomware encrypts the file. The user account that encrypted the file is your culprit. You can also use network indicators to track ransomware and its distribution. By redirecting the "command and control" domains of the ransomware, you can identify which system is infected and, in certain cases, the user who attempted to execute the ransomware.
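The canary-file idea above can be implemented with nothing more than a hash baseline and your file server's audit log. The script below is an added example, not from the original post and not the canarytokens project's code: it records a SHA-256 digest for each canary file, re-checks them, and when one has changed, looks up in audit log lines which account last wrote to it. The share paths, the key=value audit log format, and the user and host names are constructed for illustration; a real deployment would read the audit trail your file server actually produces (for example, Windows object-access auditing on the share).

```python
# Added example (not from the original post): watch "canary" files that no one
# should ever touch, detect a change by comparing SHA-256 digests, and then look
# up in file-server audit lines which account last wrote to the file. The audit
# log format, share paths, user names and hosts are constructed for illustration.
import hashlib
import os
import re
import tempfile


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(canaries):
    """canaries maps a share path (as it appears in audit logs) to the local path."""
    return {share: sha256_of(local) for share, local in canaries.items()}


def changed_canaries(canaries, base):
    """Share paths whose canary was modified or removed since the baseline."""
    hits = []
    for share, local in canaries.items():
        if not os.path.exists(local) or sha256_of(local) != base[share]:
            hits.append(share)
    return hits


# One constructed audit line per file operation, in a simple key=value form.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) path=(?P<path>\S+) op=(?P<op>\w+) user=(?P<user>\S+) host=(?P<host>\S+)$"
)
MUTATING_OPS = {"WRITE", "RENAME", "DELETE"}


def last_writer(audit_lines, share_path):
    """Return (timestamp, user, host) of the last mutating operation on share_path."""
    hit = None
    for line in audit_lines:
        m = AUDIT_RE.match(line.strip())
        if m and m["path"] == share_path and m["op"] in MUTATING_OPS:
            hit = (m["ts"], m["user"], m["host"])
    return hit


SAMPLE_AUDIT = [
    "2017-09-01T06:10:02Z path=/shared/finance/budget-2017.xlsx op=READ user=backup-svc host=BACKUP-01",
    "2017-09-01T06:12:44Z path=/shared/finance/DO_NOT_OPEN.docx op=WRITE user=jdoe host=LAB-PC-17",
    "2017-09-01T06:13:01Z path=/shared/finance/DO_NOT_OPEN.docx op=READ user=asmith host=ADMIN-PC-03",
]


def demo():
    """Create two canary files, simulate a change to one, and attribute it."""
    with tempfile.TemporaryDirectory() as tmp:
        canaries = {
            "/shared/finance/DO_NOT_OPEN.docx": os.path.join(tmp, "DO_NOT_OPEN.docx"),
            "/shared/hr/DO_NOT_OPEN.xlsx": os.path.join(tmp, "DO_NOT_OPEN.xlsx"),
        }
        for local in canaries.values():
            with open(local, "wb") as fh:
                fh.write(b"canary - never open or modify this file\n")
        base = baseline(canaries)

        # Simulated change: something rewrote the finance canary's bytes.
        with open(canaries["/shared/finance/DO_NOT_OPEN.docx"], "wb") as fh:
            fh.write(b"\x00\x01\x02 unreadable content \x03\x04")

        changed = changed_canaries(canaries, base)
        attribution = {share: last_writer(SAMPLE_AUDIT, share) for share in changed}
        return changed, attribution


if __name__ == "__main__":
    changed, who = demo()
    for share in changed:
        print(f"canary modified: {share} -> last written by {who[share]}")
```

Only mutating operations count for attribution, so a later READ by someone investigating the alert does not overwrite the real culprit; a missing or renamed canary is reported as changed as well, since ransomware often renames files rather than rewriting them in place.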

When you are a victim of a targeted attack, you'll normally be hunting for indicators of compromise. These may come from the government, an information sharing and analysis center (e.g., REN-ISAC), a friend in industry, or a peer institution. Ensure that your security solutions allow you to effectively hunt for file hashes, registry keys, and domains the malware is using to phone home. The better you are at turning indicators into action, the better you will be able to find and respond to an attack.
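"Turning indicators into action" means sweeping what you already log for the hashes, registry keys, and phone-home domains an ISAC or peer hands you. The script below is an added example, not from the original post, that runs such a sweep over DNS query logs and endpoint inventory lines and reports which hosts match; it also covers the network-indicator case from the ransomware discussion above (which client resolved a command-and-control domain). Every indicator value, log line, host name, and domain is constructed for illustration (the domains use the reserved .example TLD, the hash is a repeated placeholder), as are the log formats; a real sweep would parse your resolver's and endpoint agent's actual output.

```python
# Added example (not from the original post): turn a list of indicators of
# compromise (file hashes, registry keys, phone-home domains) into a sweep over
# DNS query logs and endpoint inventory lines, reporting which hosts match.
# Indicator values, log formats, hosts and domains are all constructed; the
# domains use the reserved .example TLD and the hash is a placeholder.
import re

INDICATORS = {
    "sha256": {"deadbeef" * 8},                     # constructed hash, not a real sample
    "domain": {"bad-c2.example", "update-cdn.example"},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"},
}

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)$")
FILE_RE = re.compile(r"^host=(?P<host>\S+) path=\S+ sha256=(?P<sha256>[0-9a-fA-F]{64})$")
REG_RE = re.compile(r"^host=(?P<host>\S+) regkey=(?P<regkey>.+)$")


def domain_matches(qname, bad_domain):
    """True for the domain itself and any subdomain, case-insensitively."""
    q, bad = qname.lower().rstrip("."), bad_domain.lower()
    return q == bad or q.endswith("." + bad)


def hunt(indicators, dns_lines, file_lines, registry_lines):
    """Return a sorted list of (host, indicator_type, indicator) hits."""
    hits = set()
    for line in dns_lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        for bad in indicators["domain"]:
            if domain_matches(m["qname"], bad):
                hits.add((m["client"], "domain", bad))
    wanted_hashes = {h.lower() for h in indicators["sha256"]}
    for line in file_lines:
        m = FILE_RE.match(line.strip())
        if m and m["sha256"].lower() in wanted_hashes:
            hits.add((m["host"], "sha256", m["sha256"].lower()))
    wanted_keys = {k.lower() for k in indicators["registry"]}
    for line in registry_lines:
        m = REG_RE.match(line.strip())
        if m and m["regkey"].lower() in wanted_keys:
            hits.add((m["host"], "registry", m["regkey"]))
    return sorted(hits)


# Constructed sample logs. Note the trailing-dot and mixed-case queries, and the
# look-alike "notbad-c2.example", which must not match.
SAMPLE_DNS = [
    "2017-09-01T06:11:09Z client=10.1.4.22 query=www.bad-c2.example.",
    "2017-09-01T06:11:10Z client=10.1.4.22 query=lms.university.example",
    "2017-09-01T06:15:33Z client=10.1.7.5 query=UPDATE-CDN.EXAMPLE",
    "2017-09-01T06:16:00Z client=10.1.7.9 query=notbad-c2.example",
]
SAMPLE_FILES = [
    r"host=LAB-PC-17 path=C:\Users\jdoe\AppData\Local\Temp\svchost32.exe sha256=" + "DEADBEEF" * 8,
    r"host=ADMIN-PC-03 path=C:\Windows\System32\notepad.exe sha256=" + "0" * 64,
]
SAMPLE_REGISTRY = [
    r"host=LAB-PC-17 regkey=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
    r"host=ADMIN-PC-03 regkey=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]


def run_example():
    return hunt(INDICATORS, SAMPLE_DNS, SAMPLE_FILES, SAMPLE_REGISTRY)


if __name__ == "__main__":
    for host, kind, value in run_example():
        print(f"{host}: matched {kind} indicator {value}")
```

The normalisation details are where most home-grown sweeps go wrong: resolver logs often carry a trailing dot and arbitrary case, hashes arrive in upper or lower case, and a substring match on a domain would flag `notbad-c2.example` as a hit. Matching on the exact label boundary keeps the result list short enough to act on.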

7. Practice Your Incident Response Plan

Once you have identified the common and unique threats to your organization, and have an incident response plan in place that addresses each of them, it's time to test it out. Never create a plan and process in a vacuum — while it may look good on paper, it may not work in real life. To put the plan to the test, try it.

Here are the various things to test during a mock scenario:

  • Do you have tools in place to detect all common types of attacks?
  • Do you have a way of being alerted of an attack in real time?
  • Do you have tools in place to help remove malicious code if an attack is successful?
  • Do you have a way of restoring data or systems impacted by an attack?
  • Do employees know the key signs of an attack and have a way to easily report it?
  • Do you know how to conduct an effective postmortem meeting to discuss the issue and lessons learned within the organization?

There are many tools out there to run test scenarios like this, such as the SANS Institute's phishing training tool. This allows you to roll out a test attack to targeted members of your team (in this case, your IT or security team, but you can also test your entire organization during ongoing training). This way, you can run through your process and measure its effectiveness before a real attack occurs.

By running this test, you should be able to see where there are any gaps or inefficiencies in your process so you can tweak it to be more effective. Then, run the test again to be sure the revised process works. This may require a few iterations, which is recommended. It's also a good idea to have someone who did not create the process follow it line-by-line in a mock scenario to be sure it's clear to anyone.

Due to the vast amount of personal information in your possession and the open nature of the higher education online learning environment, your college or university is a likely target for a security breach. Developing a comprehensive incident response plan is a critical investment that can go a long way in helping you respond effectively and mitigate the impact of the next cyberattack.

Todd O'Boyle is the CTO and co-founder of Strongarm. Prior to Strongarm, Todd spent 15 years at the MITRE Corporation, providing technical support to the Department of Defense and the intelligence community. He also served as principal investigator for a project developing methods to improve how operators respond to adversaries. Got any feedback for me? Reach out to [email protected].

© 2017 Todd O'Boyle. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.