Pratum Blog

Incident Response Planning

Is your business ready to handle a security threat? The more our Consultants talk with businesses from across the country, the more we find a lot of them don’t have an Incident Response Plan. If they do have one, it’s very minimal. Unfortunately, this is becoming the norm.

Creating an Incident Response Plan is more than just creating peace of mind; it will also be a critical component in restoring what’s lost during a cyber-attack. Taking the time to prepare now will save you time, money and stress down the road.

Keys to an Incident Response Plan:

The Importance –

First, you probably want to know why you need an Incident Response Plan. Think of it as reassurance that in the case of an emergency fewer things are likely to go wrong. If a disaster occurs and you don’t have a plan in place, how will employees know what to do? Even if one person knows the protocol, you can’t rely on them being there every day. This checklist of do’s and don’ts will give staff a sense of control and confidence when they may have to face a crisis alone. It will also give management more freedom to leave the office without fear of total chaos while they’re away.

Second, if your business is a critical resource and you don’t have an appropriate plan in place, it could have a ripple effect on others. You could potentially lose revenue or harm customers. In turn, that may impair your reputation and cause long-term damage to your business.

Who Needs One –

The easiest response for this one is – Everyone! The exact plan will vary depending on the size of your organization and the level of risk you face. If your company has a lot of sensitive data, that means your security risk is higher. In that case, you want to have a very detailed Incident Response Plan in place. Larger businesses may be required to have an Incident Response Plan in place to meet a regulatory framework.

Every business needs to evaluate all levels of information security and who has access to sensitive data in order to determine what their plan should look like. There’s no “one size fits all”, but there are some good guidelines to follow!

What It Should Look Like –

This has been made slightly easier thanks to the National Institute of Standards and Technology (NIST). They have a checklist of how to handle an incident. (You can find that on Page 42 of the document linked here.) These basic guidelines are very helpful to anyone looking for some introductory guidance.

To prepare an Incident Response Plan, ask these questions about your business:

1. Who are the critical staff?

2. What resources are available?

3. Who are the primary and secondary contacts?

4. What is the backup process?

5. How quickly would you recover from an incident?

6. How could an incident impact future business?

If you can’t readily answer these questions, that’s a good sign you need to start working on an Incident Response Plan. While the variables will differ from one business to the next, the basic principles remain the same: know who’s in charge, what to do, who to contact, and how to handle the aftermath.

How to Prepare –

Before implementing an Incident Response Plan, there are a few things you should do to prepare. First, let your staff know what’s happening. It’s important they understand why the plan is being built. They should also be given the specific guidelines as to what their role will be during an incident. If necessary, there should be plenty of training involved. The pertinent staff should also be involved in the creation of the plan. The more involved people are in the process the more likely they will be invested in executing the plan when an incident comes up.

How to Update –

Your Incident Response Plan needs to be reviewed at least once a year. That’s also when you should be performing a test to make sure the procedures and people involved are prepared. Testing will help reveal any weaknesses in the process before real damage is done from a serious security threat.

While an annual review is important, you also need to do updates and reviews after any incidents that occur. If something goes wrong, it’s the perfect time to update and adjust the policy.

Recovery Process –

One of the biggest benefits of having an Incident Response Plan is having the steps laid out for the recovery phase. After a security incident, you may be stressed out and overwhelmed by what just happened. Being able to rely on an established plan will help keep you on track of what’s going on and focus on the tasks at hand.

A big component of recovery is the initial response. Be sure to isolate the affected system or systems to stop additional infections and prevent additional data theft. Disconnect the asset from the network. You should also start running scans and potentially run digital forensics checks to see how far the attack went and where it came from. Also, consult your legal or compliance team to review any regulatory impact that could also pose irreparable harm to the organization.

Encourage your employees to report problems right away. Affirm they won’t be in trouble for sharing what they discovered and that they’re helping the company by reporting any incident in a timely manner. Give them a channel to follow and train them on where and how to report properly.

Review the Aftermath –

After you’ve contained the problem and reported to the proper channels, an Incident Response Plan should also include steps for reviewing the aftermath of an incident. This is the time you go over the questions like, what went wrong? What went right? You should also establish a timeline of events to help answer these questions and see the bigger picture.
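The timeline step above is easier when every source is normalized to one clock before it is sorted. The following is an added example, not code from the original post: it takes constructed log lines from three hypothetical sources (a firewall writing ISO-8601 UTC, a mail server writing syslog-style local time in UTC-6, and an endpoint agent writing epoch seconds), converts each to UTC, and merges them into one ordered timeline. The source names, hosts, users and addresses are all made up for the illustration.

```python
"""Merge log lines with different timestamp formats into one UTC-ordered
incident timeline.  Added example; all log lines below are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from three hypothetical sources.
FIREWALL_LOG = [  # ISO-8601, already UTC
    "2020-03-02T14:05:40Z DENY 10.0.0.5 -> 203.0.113.9:443",
    "2020-03-02T14:07:42Z ALLOW 10.0.0.5 -> 203.0.113.9:443",
]
MAIL_LOG = [      # syslog style, local time, assumed UTC-6, no year
    "Mar  2 08:03:55 mail01 delivered to jdoe subject='Urgent: Coronavirus safety measures'",
]
ENDPOINT_LOG = [  # Unix epoch seconds
    "1583157915 host=WS-042 user=jdoe event=office_macro_executed",
]

def parse_iso_utc(line):
    """'2020-03-02T14:05:40Z rest' -> (aware UTC datetime, rest)."""
    stamp, rest = line.split(" ", 1)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, rest

def parse_syslog(line, year=2020, tz=timezone(timedelta(hours=-6))):
    """'Mar  2 08:03:55 rest' -> (UTC datetime, rest); the year and zone are
    not in the line, so the caller must know them (assumed here)."""
    m = re.match(r"(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (.*)", line)
    local = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                              "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc), m.group(4)

def parse_epoch(line):
    """'1583157915 rest' -> (UTC datetime, rest)."""
    stamp, rest = line.split(" ", 1)
    return datetime.fromtimestamp(int(stamp), tz=timezone.utc), rest

def build_timeline():
    """Return [(source, utc_datetime, message), ...] sorted by time."""
    events = []
    events += [("firewall", *parse_iso_utc(l)) for l in FIREWALL_LOG]
    events += [("mail", *parse_syslog(l)) for l in MAIL_LOG]
    events += [("endpoint", *parse_epoch(l)) for l in ENDPOINT_LOG]
    events.sort(key=lambda e: e[1])   # one clock, so the order is meaningful
    return events

if __name__ == "__main__":
    for source, ts, msg in build_timeline():
        print(f"{ts.isoformat()}  {source:9s} {msg}")
```

Reading the merged output shows the sequence the separate logs hide: the phishing mail is delivered, a macro runs on the recipient's workstation two minutes later, and the firewall then sees that host trying to reach an outside address. Real timelines need the same care with the year and time zone of every syslog-style source, which is why `parse_syslog` takes them as explicit parameters.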

Reviewing the problem shouldn’t be your last step. Adjusting your Incident Response Plan should come next! As we discussed during the Update section, you should be making changes to your plan after any incident. If a step in the process didn’t go as planned, figure out why and start making changes.

If you need help setting up your Incident Response Plan, our cybersecurity experts work with organizations of different sizes and security needs.


The Coronavirus has now reached every continent, except Antarctica. There are more than 89,000 cases worldwide, with over 3,000 deaths reported at the time of this article being published. Like any major news event, cyber criminals are finding new ways to use the fear surrounding the infection to attack victims online. These are some of the top ways online criminals use Coronavirus in new attacks.

Posing as Health Information

One way cybercriminals capitalize on a crisis is by posing as large health organizations. One scam discovered recently was a phishing scam claiming to offer safety information regarding Coronavirus. The email appeared to be from the World Health Organization, offering safety measures to help you avoid contracting the Coronavirus. The link in the email takes you to a website that appears to be the official WHO page. They then ask you to fill out a form with your information.

All of this appears to be legitimate, if you’re not looking closely enough. After you fill out the form on the fake webpage, it will redirect you to the authentic World Health Organization site. You may never realize you had been scammed until someone starts using the information you provided for malicious attacks.

There have been other scams reported where simply clicking on a link within the email will add malware to your device.

Asking for Donations

Another method used by criminals to get your information is by preying on people’s good nature. When there’s a crisis, people like to help out. That’s why some scammers are creating fake charities, claiming to help victims of Coronavirus.

Some of these reported email scams will title their message “Urgent”, asking for quick action to help those in need. That sense of urgency often distracts people from the fact the link they’re asked to donate to has a suspicious URL.

Just like with the phishing emails, these can be dangerous in a few ways. They can actually succeed in taking a donation from you, or they may install malware from the link provided.

Spreading Fake Awareness

In Japan, one scam campaign that has been very popular is an email targeting people who are looking for information on the Coronavirus. These messages will claim to come from a health organization, such as the Centers for Disease Control, and will provide a document telling you where the virus has been located near you. When opened, that document has been reportedly downloading a well-known malware type called Emotet.

Another popular scam has been websites claiming to sell Coronavirus vaccinations. These websites will typically have the word “Coronavirus” in the domain name. There have been no successful vaccinations against this strain of virus, so any website claiming to sell a cure is a scam.

Advice to Avoid Scams

While information, or even a cure, to the Coronavirus is very tempting for people in fear right now, there are ways to make sure you get reliable information.

  • Before opening an email, make sure you recognize the sender.
  • Hover your mouse over links before clicking them. You should be able to see where the link is actually taking you before you click on it.
  • If a link has a suspicious domain, just avoid it. Things like HXX instead of HTTP at the beginning are red flags.
  • Search for the legitimate website instead of clicking a link. If you get an email from CDC or WHO, just do a quick search for those sites first.
  • Don’t give your personal information to anyone who raises suspicion.
  • Slow down! Criminals use urgency to prey on victims and cause people to act without thinking clearly.
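The "hover before you click" and "suspicious domain" checks above can be automated for mail that is already in your hands, which is useful when reviewing a reported message. The following is an added example, not code from the original post: it parses a constructed HTML email body, and for each link compares the domain the visible text claims against the domain the `href` actually points to, flags a scheme other than http or https (the page's HXX example), and flags domains that lean on the crisis keyword, as the vaccine-sales sites described earlier did. The sample message and all domains in it are made up; `.example` and `.test` are reserved names that never resolve.

```python
"""Flag suspicious links in an HTML email body.  Added example; the sample
message below is constructed and every domain in it is fictitious."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one look-alike link, one keyword domain, one clean link.
SAMPLE_EMAIL = """
<p>Please review the safety measures on the
<a href="http://who-int-safety.example/login">who.int</a> site.</p>
<p>Donate now: <a href="https://coronavirus-relief.example/give">Give here</a></p>
<p>Official CDC page: <a href="https://www.cdc.gov/">https://www.cdc.gov/</a></p>
"""

# Visible text that itself looks like a domain or URL (so it makes a claim).
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host):
    # Crude "last two labels" rule (www.cdc.gov -> cdc.gov); enough for a demo.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_link(href, text, crisis_words=("coronavirus", "covid")):
    """Return the reasons this link looks suspicious; an empty list means none found."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{target.scheme or '(none)'}'")
    if _LOOKS_LIKE_URL.fullmatch(text):
        shown = urlparse(text if "://" in text else "//" + text)
        if shown.hostname and _registrable(shown.hostname) != _registrable(host):
            reasons.append(f"text says '{shown.hostname}' but link goes to '{host}'")
    if any(word in host for word in crisis_words):
        reasons.append(f"crisis keyword in domain '{host}'")
    return reasons

def audit_email(html):
    """Map each href in the body to its list of findings."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or ["ok"])
```

The mismatch check only fires when the visible text itself looks like an address; a button labelled "Give here" makes no claim to compare against, so it is judged on its scheme and domain alone. The two-label domain rule is deliberately simple and would need a public-suffix list to handle names such as `.co.uk` correctly.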

While many people are concerned about the physical threats of the Coronavirus, the potential for a cyber-attack is also important to keep an eye on. If you do witness or fall victim to a Coronavirus cyber threat, be sure to contact the FBI Internet Crime Complaint Center:


How do you prepare for a SOC 2 audit? Unless your company has a client requesting a SOC 2, or some type of compliance report, you probably don’t know much about them. That’s okay!

Many businesses come to Pratum looking for help with SOC 2, and with years of experience in the area we can help guide you to have a smooth preparation and audit. Here’s an overview of our process, and what you as a company need to have prepared to be successful.

Common Questions:

What is SOC 2?
Very simply, SOC 2 is a compliance report. Many times, a company will be asked by a client to provide some sort of compliance report to prove the company has adequate security measures in place to protect any data shared between the two businesses.

SOC 2 reports must be completed by an AICPA firm. The CPA will conduct the audit over several months and deliver the report at the end. There are two types of SOC 2 reports, Type I and Type II. Type I examines the design of controls at a specific point in time. Type II addresses the operating effectiveness of controls over a period of time.

Where to begin?
Once you decide to pursue SOC 2, there are a few things to keep in mind before getting started. You need to first determine if you want assistance preparing for the audit. Pratum offers readiness assessments to examine whether your business is adequately prepared for a SOC 2 engagement as well as assistance with getting there.

Timeframe for SOC 2?
One big misconception around SOC 2 is the amount of time it will take. While this varies depending on your business’s size and the scope of the audit, the typical Type II audit usually takes a minimum of 8 months for the entirety of the engagement. This includes the opinion period, audit fieldwork, and time for the auditors to develop and deliver the report. The readiness process with Pratum before the audit can also take an additional 2 to 3 months, depending on the preparedness of the company. If your company is looking for a quicker turnaround, starting with a Type I audit may be the best path.

Readiness Steps:

At Pratum, we have a process established to make the experience smoother for you. Here’s a brief overview of what you can expect from the first call to the final report.

Step 1: Initial Inquiry & Discovery Call
During the initial conversations, our Client Engagement team will get to know your business and walk you through the basics of a SOC 2 report. A Consultant may also join the call to ask more detailed questions and help with scoping the engagement. Some initial questions we may ask include: What all is required in any contracts you’re trying to fulfill? What is the timeframe you’re working with? What is the scope of the SOC 2 you need? How many and which employees have access to the areas being audited? Where is your data stored and how does it flow across the organization?

Step 2: Statement of Work
After we get all the information needed, Pratum’s Client Engagement and Consultants come together to build the customized plan for your business. That includes the details for the readiness process, what it will cost, and a timeline for the work.

Step 3: Pre-Engagement Forms
Once the Statement of Work form is signed, we can begin the process of preparing your company for a SOC 2. That means getting into some more detailed questions about what will be included in the SOC 2 and who needs to be prepared within your business. The consultant will hold a kick-off call with your company to discuss the process, set expectations and answer any initial questions. Pratum will request any supporting documentation you have at this time as well. If you haven’t selected a CPA firm to perform the audit yet, Pratum can provide recommendations of firms we have close relationships with. If you already have a firm in mind, we’re happy to work with the auditor of your choice as well. The earlier you can get the auditors involved, the better.

Step 4: Readiness Fieldwork
The fieldwork during your SOC 2 preparation is how our Consultants get a first-hand look at the work ahead. The consultant assigned to your project will be hand selected based on their expertise and how it can benefit you. During the fieldwork phase, interviews are conducted with the necessary staff and current security controls are reviewed to determine maturity level. Where any gaps are identified, the consultant will provide guidance on what should be in place, and how to get there. This is more than just a yes or no Q&A; it’s a conversation. The Consultant will ask detailed questions to fully understand the operations and needs of the organization. At the end of the engagement, Pratum will deliver a control listing with the status of each control, supporting documentation and audit evidence needed, as well as recommendations where appropriate.

Step 5: Contact Auditor & Set Up Audit
After preparation for the audit is complete and your company and Pratum feel confident in your readiness, the audit opinion period can begin. Most audit firms prefer a minimum of a 6-month opinion period. If not already in communication with the auditors, this is the time to reach out to them to discuss timelines and schedules.

Step 6: Audit Fieldwork
During fieldwork of the audit, the Pratum Consultant will be present with the auditors to answer any questions and help mediate any concerns that may arise. The Consultant is there as a representative for your company and will ensure the auditors stay within scope and reason. The fieldwork for the audit can take several months to complete. The more prepared and dedicated your team can be, the faster the process will go and the sooner you’ll receive the report.

Keeping Up Your Compliance

Now that you’ve completed your SOC 2 audit, the work isn’t finished. You’ll need to keep that up with yearly audits to re-validate your controls. The best way to ensure continual compliance is to maintain your security standards and evaluate and adapt to any changes within your business. SOC 2 isn’t a one and done. Continual monitoring and activity are needed to continue to be successful.

Preparing for a SOC 2 may seem daunting, but it doesn’t have to be! Pratum is ready to help make the process less stressful for you. Just contact our representatives for a free consultation today.
