
December 2022 / 5 Min Read

Use These 5 Steps to Help Get Your Cyber Incident Response Right


It’s a critical step in any risk management strategy to make sure the cyber incident response plan is current -- or get one established.


Key Takeaways

  1. Cyber security is at the top of organizational risk management concerns.
  2. Making certain the organization’s cyber incident response plan is current is critical.
  3. These five steps will help optimize IR plan preparation and position the organization’s incident response readiness.

Cyber security has risen to the top of organizational risk concerns, and for good reason. Ransomware attacks were up 105% in 2021 and an eye-popping 323% since 2019.[1] Twenty ransomware attacks are attempted every second. No business is immune.[2]

It’s no wonder that global business leaders are calling cyber attacks an epidemic and expect cyber attacks to remain their top risk threat for the coming years.[3] As a result, it is a critical step in any organization’s risk management strategy to make sure its cyber incident response (IR) plan is current -- or get one established if it is not in place.

The C-suite, information security, information technology and other elements of the organization must work together to review any IR plan and ensure it is updated.

The IR plan is a set of written instructions that outline the organization’s response to network events, security incidents and confirmed data breaches.

Having an established IR strategy that encompasses people, processes and technology can mean the difference between successfully managing a crisis or losing the fight to ever-sophisticated threat actors.

Consider these five key steps to help optimize IR plan preparation and position the organization’s incident response readiness:

1. Establish an Incident Response Plan

Use this as a simple starting point: If your business doesn’t have an IR plan, consider key risks and develop one. A well-documented, standardized and repeatable incident response plan, outlining key roles and responsibilities, should be in place to enact when needed.

2. People, Process, Technology

An effective IR process should consider elements across the business and how they are either impacted or can be leveraged by the IR process. This includes people, processes and technology. Consider teams, capacity and expertise within your business: How are your people impacted, and how can they help? Tooling can be critical for detection, prevention and response. Consider which tool is applicable for which use case and whether it is prepared to do the job. Processes and communication are an overarching theme. As with the other elements, making them consistent, repeatable and clear is key. Robust processes and methodologies can help organizations deal with incidents faster, more effectively and in a consistent manner.

3. Understand Your Risks

An IR plan should align to the organization’s wider security governance processes that support, define and direct security efforts. An important aspect of security governance is risk management -- identifying the key risk factors and scenarios of your business and then evaluating the strength of controls to protect against them. This can help businesses better understand the level of cyber risk and prioritization of mitigative and response measures.

4. Understand the Response Stages

Having a clear understanding of IR processes – who does what, when, how and why – is critical to the efficient delivery and enablement of an IR plan. There are frameworks that provide guidance on the IR processes, such as NIST or SANS, as well as additional activities to help, including the development of incident categorization models and even technical playbooks. When an incident occurs, a structured incident response workflow will help drive a consistent and repeatable approach to incident management and, through regular improvement activities, can enable a reduction in response time to resolve critical scenarios. IR plans, workflows and playbooks are a game-changer for incident response and are applicable across the entire security function.

5. Test, Review and Update

Any IR plan should be regularly assessed to consider how applicable it is to the current state of your business. A good way to evaluate that is to test, review and update prior to any potential crisis using cyber threat simulation exercises with relevant stakeholders, which can be delivered at regular intervals to assess the efficacy of your plan.

Incident Response Readiness is not Solely an IT Focus

An established cyber security incident response capability should be considered in the same way risk is: Constantly evolving and changing with your business. This requires collaboration across business functions, with careful planning and ongoing review. A mature IR process not only helps businesses respond when needed but can mean the difference between a major business impact -- or business as usual -- should a cyber event occur.
