Cybersecurity incident response plan: An essential MSP practice


Managed service providers (MSPs) are often tasked with providing cybersecurity for their clients. But what happens when an attack actually occurs? Usually, decisions need to be made rapidly and actions taken within minutes. That’s why having an incident response plan is critical. Many companies lack comprehensive cybersecurity incident response plans (CSIRPs), which are critical for effectively managing and mitigating cyber threats.

According to cybersecurity vendor FRSecure, only 45 percent of companies have an incident response plan in place.

The 2024 Ponemon-Sullivan Privacy Report found that just 46 percent of organizations have a CSIRP that is consistently applied across the enterprise.

The same report found that having a CSIRP is not necessarily enough: only 50 percent consider their plan to be practical or highly effective. MSPs need to have not only a plan in place but also an effective one.

More than a plan: You need practice

“When it comes to building a CSIRP, clarity and structure are extremely important,” says John Yensen, President of Revotech Networks. Yensen emphasizes that skipping the basics is one of a company’s biggest mistakes. A plan with undefined roles and vague processes just won’t cut it when chaos strikes. “You must define roles and responsibilities to avoid confusion if and when an incident does indeed hit.”

Yensen recommends including an incident classification system to help prioritize and assign resources appropriately.

“This will help ensure the correct resource is deployed,” he explains.

A good response plan should also outline containment and remediation steps, such as quickly isolating affected systems and restoring operations without causing major disruption.

“Communication is another big one,” Yensen adds. “You need clear internal coordination, and if the situation warrants it, external communication with customers, legal teams, or regulators.” And once the dust settles? “There should be a post-incident review to identify what worked, what didn’t, and what needs to change. Basically, a thorough debrief.”

Don’t just write it, run it

Too many MSPs create response plans that look great on paper… and stay there.

“Don’t just write it and forget it,” Yensen explains. “Run tabletop exercises, keep the plan updated, and ensure you have logs and audit trails for forensic analysis.”

The key is to make the plan practical and understandable. “What you don’t want is a generic or overly technical plan that your team won’t understand in the middle of a crisis,” he warns. “It must be tailored to your environment and easy to follow.”

Automation is no longer optional

Nate Tenborg, Vice President of Field Engineering at FireMon, adds another layer: speed and automation. Manual processes don’t cut it in today’s hybrid environments, where firewall policies span on-premises, cloud, and edge networks. “Security incidents are inevitable, but the damage they cause doesn’t have to be,” Tenborg says. “A well-structured CSIRP, grounded in real-time policy visibility and automation, is essential for minimizing impact.” He points out that automation speeds up response times, helps maintain compliance, and reduces the risk of misconfigurations.

Tenborg recommends that MSPs continuously monitor firewall policies across environments, automate policy management to reduce human error, perform regular audits and optimizations to stay ahead of threats, and adapt policies dynamically using threat intelligence. “Static policy configurations just can’t keep up,” he explains. “And don’t overlook compliance; failure to meet regulatory standards can have serious consequences.”
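One way to turn the monitoring, audit and threat-intelligence recommendations above into a repeatable check, as an added illustration that is not code from the article or from FireMon: each environment's rule set is compared with an approved baseline, risky rules are flagged, and every finding is written as an audit-trail record. The rules, snapshots and threat-intel ranges are constructed sample values.

```python
# Added example: firewall policy drift and misconfiguration audit. Each
# environment's rule set is compared with an approved baseline, risky rules
# are flagged, and every finding becomes an audit-trail record. All rules,
# snapshots and the threat-intel list below are constructed sample values.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    src: str       # source CIDR, or "any"
    dst_port: str  # destination port, or "any"

# Approved baseline that every environment should match (constructed)
BASELINE = frozenset({
    Rule("web-in", "allow", "0.0.0.0/0", "443"),
    Rule("ssh-admin", "allow", "10.0.0.0/8", "22"),
    Rule("default-deny", "deny", "any", "any"),
})

# Current per-environment snapshots (constructed); cloud and edge have drifted
SNAPSHOTS = {
    "on-prem": set(BASELINE),
    "cloud": set(BASELINE) | {Rule("temp-debug", "allow", "any", "any")},
    "edge": (set(BASELINE) - {Rule("ssh-admin", "allow", "10.0.0.0/8", "22")})
            | {Rule("ssh-open", "allow", "203.0.113.0/24", "22")},
}

# Constructed threat-intel feed: source ranges that must never be allowed in
THREAT_INTEL = frozenset({"203.0.113.0/24"})

def audit_policies(snapshots, baseline, threat_intel):
    """Return one timestamped audit record per drifted or risky rule."""
    stamp = datetime.now(timezone.utc).isoformat()
    findings = []
    def record(env, rule, finding):
        findings.append({"time": stamp, "env": env, "rule": rule.name, "finding": finding})

    for env, rules in snapshots.items():
        for rule in rules - baseline:   # drift: rule added outside change control
            record(env, rule, "not in baseline")
        for rule in baseline - rules:   # drift: approved rule removed
            record(env, rule, "missing from environment")
        for rule in rules:              # misconfigurations, drifted or not
            if rule.action == "allow" and rule.src == "any" and rule.dst_port == "any":
                record(env, rule, "allow any/any")
            if rule.action == "allow" and rule.src in threat_intel:
                record(env, rule, "source on threat-intel list")
    return findings
```

Running the audit on a schedule and keeping the returned records gives the continuous policy visibility and forensic trail the recommendations call for.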

Post-incident analysis

Too often, companies fix the problem… and then move on. “Without post-incident analysis, organizations miss opportunities to strengthen their defenses,” Tenborg asserts. “The faster you can understand, contain, and recover from an incident, the lower the impact.” That kind of fast, effective recovery requires policy controls that are dynamic, automated, and deeply integrated into your overall security operations.

Cybersecurity incidents are no longer a matter of if—they’re when. And when they happen, MSPs can’t afford to freeze up. A good CSIRP is essential. But practicing that plan regularly, realistically, and with the right tools in place is what makes the real difference.

Photo: PreciousJ / Shutterstock

This post originally appeared on Smarter MSP.
