Most Organizations Have an Incident Response Plan, But All Too Often It is Filed Away Somewhere and Forgotten.
The continued proliferation of security events is front-page news and, consequently, we are hearing more frequently of breach fatigue and even breach acceptance. It sounds like a slippery slope towards apathy but, in fact, for many business leaders it is having the opposite effect: it is prompting them to engage.
When an incident happens, that is when the rubber meets the road, not just for the security team but for the entire organization. With cyber risk one of the top 10 business risks globally and number one in North America, business leaders are asking CIOs and CISOs questions about risk management they have never been asked before. For example: Are threat actors bypassing our defenses? What is our actual exposure? What kind of impact could they have?
This points to a growing emphasis among executives on incident response, but also the need to evolve to incident readiness and response. Here’s the difference.
Most organizations have an incident response plan, but all too often it is filed away somewhere and forgotten. Pulling it out during a cyber attack or once a breach has happened, and calling the service listed in the plan for emergency support is less than ideal. It’s like going to the dentist only when you have a toothache. You’re likely in for a lot more pain and expense than if you visited the dentist every six months for routine cleanings and an opportunity to catch problems early before more damage is done.
Incident readiness and response is like that regular dentist visit, allowing you to proactively mitigate cyber risk and the associated pain and expense. The Ponemon 2017 Cost of a Data Breach Study found that the average global cost per lost or stolen record is now $141, but companies with a strong incident response capability (which is what incident readiness adds) can reduce the cost by as much as $19 per compromised record. So, how can you evolve to incident readiness and response? By incorporating these three components into your capabilities:
1. Create the plan. An incident response (IR) plan is the baseline of any IR capability. It should cover the complete spectrum of activities (detection, evidence collection, containment, analysis, eradication and recovery, internal and external communication, and more) so that the full extent of an attack is discovered and responded to, not just the first symptom. When developing the plan, involve representatives from multiple functions across your organization (IT, legal, communications, HR, and line-of-business owners, not only security) so that incidents are handled in their entirety.
2. Work the plan. Having an IR plan is well and good, but a plan is only reliable if you practice and polish it on a regular basis. In fact, most auditors regularly ask when you last tested your IR plan. Tabletop exercises are a popular way to keep your plan evergreen. Conducted every quarter or twice a year, these exercises bring together representatives from across the business so that each function knows its role when an attack occurs. Simulated incidents, or war games, take your practice sessions to the next level. They can be tailored to specific types of attacks based on your organization's own experience or on attacks your competitors have faced. Broader in scope, they include identifying vulnerabilities, simulating the attack, and testing both detection and response. Each exercise should end with the gaps it exposed (a missing contact, an unclear decision owner, a log source nobody could query) being fed back into the plan.
3. Live the plan. They say practice makes perfect, but there is even more you can do to hone your readiness: you can make your IR plan part of your company's DNA. Threat hunting is one way to do this. It involves continuously seeking out anomalies in your own telemetry (authentication logs, endpoint activity, network flows) to find active threats and breached systems, and then following the IR plan each time something is found. In the process you will also find benign things, for example a vulnerability that has not yet been exploited by adversaries targeting your industry. This provides an opportunity to proactively mitigate potential attacks in the future.
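To make the "seek out anomalies" step concrete, here is an added example of a small threat hunt over authentication logs. It is not code from the original article; the log lines, the known-good baseline, the business-hours window and the brute-force threshold are all constructed assumptions. The hunt flags three kinds of anomaly that a hunter would typically follow up under the IR plan: a successful login preceded by repeated failures from the same source, a login from a (user, source) pair never seen during the baseline period, and a login outside business hours.

```python
"""Added example: a simple threat hunt over constructed sshd-style log lines.
Not code from the original article; the sample data and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog-like sshd lines); not real data.
SAMPLE_LOG = """\
2023-03-06T02:14:03 host1 sshd[1201]: Failed password for svc_backup from 203.0.113.9 port 51022 ssh2
2023-03-06T02:14:05 host1 sshd[1201]: Failed password for svc_backup from 203.0.113.9 port 51023 ssh2
2023-03-06T02:14:07 host1 sshd[1201]: Failed password for svc_backup from 203.0.113.9 port 51024 ssh2
2023-03-06T02:14:09 host1 sshd[1201]: Accepted password for svc_backup from 203.0.113.9 port 51025 ssh2
2023-03-06T09:02:11 host1 sshd[1310]: Accepted publickey for alice from 10.0.5.21 port 40100 ssh2
2023-03-06T09:30:44 host1 sshd[1322]: Accepted publickey for bob from 10.0.5.22 port 40311 ssh2
2023-03-06T23:41:19 host1 sshd[1400]: Accepted publickey for alice from 198.51.100.77 port 33001 ssh2
"""

# Assumed baseline: (user, source) pairs observed during a known-good period.
BASELINE = {("alice", "10.0.5.21"), ("bob", "10.0.5.22"), ("svc_backup", "10.0.5.30")}
BUSINESS_HOURS = range(7, 20)   # assumed policy: 07:00 to 19:59 local time
BRUTE_FORCE_THRESHOLD = 3       # assumed: failures before a success that are suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def hunt(events, baseline, business_hours=BUSINESS_HOURS,
         threshold=BRUTE_FORCE_THRESHOLD):
    """Return (kind, user, src, timestamp) findings for successful logins that
    look anomalous. Events must be in chronological order."""
    findings = []
    failures = defaultdict(int)   # (user, src) -> failures since last success
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
            continue
        ts = e["ts"].isoformat()
        # A success right after a run of failures is the classic brute-force win.
        if failures[key] >= threshold:
            findings.append(("brute_force_success", e["user"], e["src"], ts))
        failures[key] = 0
        # A user/source pair never seen in the baseline deserves a look.
        if key not in baseline:
            findings.append(("new_source", e["user"], e["src"], ts))
        # Activity outside the expected window is a weak but useful signal.
        if e["ts"].hour not in business_hours:
            findings.append(("off_hours", e["user"], e["src"], ts))
    return findings


if __name__ == "__main__":
    for kind, user, src, ts in hunt(parse(SAMPLE_LOG), BASELINE):
        print(f"{ts} {kind:20} user={user} src={src}")
```

Run against the sample, the hunt produces five findings: three for the svc_backup login at 02:14 (brute-force success, new source, off hours) and two for alice's late-night login from an unfamiliar address (new source, off hours). Each one is a lead, not a verdict; the value of the exercise is that every lead is handled by the same triage, containment and communication steps the plan already defines, so the plan is exercised continuously rather than once a year.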
Clearly, incident readiness and response cannot be accomplished with just an emergency call. Regularly practicing and refining your plan so that you can proactively strengthen defenses and improve cyber hygiene requires ongoing attention by skilled security professionals with IR expertise. For most organizations such talent is difficult to hire and even harder to retain. Incident readiness and response services can help you take your IR plan to the next level and achieve the outcome you want by adding bench strength: both knowledge and personnel. If you are evaluating such services, consider asking providers the following questions:
How do you work with your clients? Any partner should have the capacity to become an extension of your team. Understand the capabilities they offer to help you create, work, and live your plan. This requires more than an emergency number; it requires a partnership with experts you know and trust who can support both regular and proactive IR exercises.
Do you offer both emergency and ongoing services? When an attack inevitably occurs, you will want the same team of experts who already know your organization, your environment and your plan on the case. A team that is embedded in your organization will be significantly more efficient and effective and, ultimately, reduce the impact of a breach.
Are there other capabilities you can provide? Depending on the partner you select, they may also be able to provide access to the latest threat research and technologies. This can help prevent similar attacks from happening again, and help you proactively prepare for and protect yourself against emerging threats.
Given the inevitability of a breach, who isn't interested in reducing the associated pain and expense? By dusting off that IR plan and evolving to incident readiness and response, there is a lot that business leaders can do to proactively mitigate cyber risk.