Incident Response Planning: What You Need to Know

by | May 25, 2021 | Technology Strategy

Since the Colonial Pipeline attack, U.S. government officials have warned that there may be a wave of cyberattacks against critical infrastructure and manufacturing installations in the U.S. and abroad. High-profile attacks occur weekly, leading cybersecurity professionals to believe that what’s reported is just “the tip of the iceberg.” ZAG sees these attacks already happening in the ag industry at historic rates.

Within agriculture businesses, the speed of production and shipping is faster than most organizations experience or are used to in a 24/7/365 operation. This reality of the fresh produce sector amplifies the need to be up and always running. Plus, the speed and complexity that ag-focused businesses operate in make incident response more challenging.

Organizations must know how to respond to attacks by having a formalized Incident Response (IR) plan in place. These plans are the key to a successful outcome should an intrusion occur, as every organization must defend against an attack.

The key components of breach survivability

Disaster recovery (DR), IR, and business continuity (BC) are the three main tenants of the survivability of an organization in the event of a disaster:

Disaster Recovery Plan. DR is what most IT organizations think about when they think about disaster preparedness. Advanced teams have this written and in place. The importance of a prewritten plan cannot be overstated.

When a disaster strikes, every wheel squeaks. If you haven’t identified determining which systems are most critical ahead of time, you run the risk of working on the squeakiest of wheels instead of the most important ones.

DR is the lynchpin of this process and cannot be overlooked. Companies shouldn’t only focus on the data center when planning for DR. What will happen if localized servers, or worse yet, workstations, get encrypted? Ensure the DR plans are comprehensive and tested.

It is also critical to ensure that this plan isn’t written solely around the data center. Yes, the servers need to get back up and running, but the network at a plant or a remote site may also have been impacted. It may not seem obvious, but the loss of workstations can be more impactful than servers to an organization. How will you reimage workstations if they are all suddenly encrypted?

Incident Response Plan. The IR Plan is a playbook for how your organization will respond to a disaster. A disaster can take many forms ranging from a sustained power outage at a data center to a criminal attack. Creating a plan involves planning for the worst possible situation, such as a cryptolocking event covering every contingency.

Business Continuity Plan. The BC Plan is the most overlooked component. This plan dictates how your organization will operate while systems are down. It answers the questions:

  • If I don’t have my ERP system, how am I going to produce?
  • Do I ship what I normally ship?
  • What should be communicated about the attack to customers?
  • How do I print labels or conduct inventory?

The BC’s focus is the continuity of the business despite the loss of access to critical components related to the supply chain.

The BC plan should also describe how you return to normal operations once IT systems are restored. For instance, do you need to shut a plant down to do an inventory to correct numbers in the system?

Don’t ask your IT team to create this BC Plan. The senior leaders of the business must create it. It is critical to the business and must be written by the business for the business.

Key components of an IR Plan

While each organization will have its own requirements from its DR, IR, and BC planning, the following are some key items to consider for an IR plan:

Internal communication

When an incident occurs, clear communication is critical. You must communicate effectively to your employees about the next steps and how this will affect their ability to get their job done. They must understand the scope of the disaster and, ideally, when the systems will be back up.

Ensure that you have a process to communicate should IT systems be down. You can’t rely on email if email isn’t available. Some companies set up text groups ahead of time to relay information.

You will also need to communicate to executives and, in many cases, a board of directors.

External communication

You must also plan on how to communicate with customers, vendors, law enforcement, insurance agents, and potentially the media.

Will you actively tell your clients? It should be strongly considered if the event impacts deliveries. Be aware that they are most likely tracking you through supply chain management tools.

ZAG believes it is a great idea to engage law enforcement. The FBI makes it easy to report concerns and they keep things confidential. Ultimately, you will be able to tell the press you are working with law enforcement if you inform them. This can also highlight your organization’s dedication to engaging with external agencies as a gesture of goodwill in a tough situation.

If there is a chance you will file a claim, you will want to engage your cyber insurance team early in the process. Many have procedures that you must follow to submit a claim. They also may have tools that can be used to help with the situation.

Because of all these audiences, any crisis response team should include communications professionals.

Involving outside teams in IR planning

As part of the IR plan, the team should know whether to involve an outside team. One point to consider is that these attacks often come in waves across an industry. It is highly likely you are not the first to be hit by them. Therefore, bringing in a team that has been through the attack before can help get to a resolution.

ZAG is often brought in on these types of attacks. In more advanced and dangerous situations, ZAG will also bring in an IR team such as Cisco Talos to help with the situation. The benefit of these types of teams cannot be understated: Don’t learn a lesson the hard way if someone else already has the answers.

As for implementing an IR plan in advance, while there is a heavy IT component to IR planning, it is not a pure IT play like DR. It is critical to get buy-in from the entire C-suite on how incidents are reported, communicated, and resolved.

Common misconceptions about IR planning

When we’re talking to clients in the agribusiness and fresh produce sector that have been around awhile, a typical response to the incident response planning initiative is to go back to the way they did business “before.” This means before technology streamlined operations and became an integral part of the supply chain.

However, it is important to note that the world surrounding agriculture has changed: quality assurance (QA) and processing speed are different, demand is greater, more complicated orders come in, and it’s not just lettuce being loaded onto a truck anymore. Companies today significantly rely on IT systems and solutions.

Common questions for IR planning

Many companies are new to the discussion when discussing incident response planning within the agribusiness and fresh produce sectors. They may have undergone a supply chain assessment and are ready to adopt more stringent IT risk management plans, so they need a framework for the discussion and challenge executives to realize the importance of planning for a breach or attack.


Incident response planning takes the realization of the importance of IT from an organization’s leadership, which is a significant step toward realizing operational maturity. IT must be involved in this process because they must look at the systems in use, understand how they work and what they do, and evaluate them to develop a plan to respond to an incident.

Are you ready to take your IR plan to the next level? Click here to get the process started.

Related Content