Time matters when it comes to breach response. There is a direct correlation between how quickly an organization can detect and contain a data breach, and the financial consequences that can result.
A strong security incident response capability can help organizations reduce breach-related costs by 25 percent, according to the Ponemon Institute’s 2019 Cost of a Data Breach Report. Furthermore, organizations that formally identified an incident response team and had well-tested plans spent $3.51 million on breach response, compared to $4.74 million spent by those that didn’t. With the average global cost of a data breach nearing $4 million, or $150 per lost record, time is quite literally money.
New types of security incidents emerge frequently. Attacks often compromise personal and business data, and it is critical to respond quickly and effectively when data breaches occur. As the number of data breaches continues to rise, it’s no longer a matter of if your organization will have to defend itself, but when.
Preventive activities based on results of a risk assessment can lower the number of incidents, but not all incidents can be prevented. Incident management helps to identify and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels. These events can be technical, such as attacks mounted on the network via viruses, denial of service (DoS) or system intrusion, or they can be the result of mistakes, accidents, or system or process failure.
That’s why having a strong Incident Response Plan (IRP) is more important than ever, and the ability to detect and assess the situation, determine the causes, and quickly arrive at solutions can mean the difference between an inconvenience and a disaster.
What is an Incident Response Plan?
An IRP outlines the procedures to be followed when responding to a security incident. A security incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. At a minimum, the IRP should cover:
- Lessons learned
Compliance requirements can often be met more easily when an IRP is in place because you’ve pre-identified key steps that need to be taken. But true strength lies in having a plan where you are proactively performing cybersecurity drills. In other words, schedule and continuously test the IRP. Doing so ensures your team knows exactly what to do without wasting precious time deciding on critical next steps.
What are Cybersecurity Drills?
While practice may not always make perfect when it comes to security incidents, rehearsal of who does what, when, and how will save your organization both money and angst.
Cybersecurity drills allow your team to work through various drill exercises—like role-playing, planned exercises, spot checks, and team building—so everyone becomes familiar with various threat scenarios. Through testing and repetition, you can evaluate your team’s response and dissect lessons learned. You can also use these drills as a part of your cybersecurity training and employee education programs related to phishing scams, ransomware, and appropriate reporting of cybersecurity incidents.
Who Should Be Involved?
In order to be effective, an IRP needs to extend far beyond just the security organization. For maximum effectiveness, a drill team should consist of a security steering group, core members of the IMT/IRT team, and subject matter expertise from Legal, IT, HR, PR, Risk, etc. Proactive organizations are also extending cybersecurity drills to include business partners and third-party organizations for superior safeguarding.
Depending on the nature and extent of a particular incident, there could be involvement from internal and external resources such as a public relations (PR) representative, audit and legal counsel.
What Else Do I Need to Know?
What is a Security Incident? Ensure that there is a clear definition and understanding of what constitutes a security-related incident. Typically, security incidents include: malicious code, unauthorized access to IT or information resources, unauthorized use of services, unauthorized changes to systems, network devices or information, DoS/DDoS attacks, misuse, social engineering, etc.
Legal & Preserving Forensic Evidence – Don’t forget the legal aspects of preserving forensic evidence. Contamination of evidence following an intrusion could prevent an organization from prosecuting a perpetrator and limit its options. For evidence to be admissible in legal proceedings, it must have been acquired in a forensically sound manner and its chain of custody maintained. It is important to be aware that legal requirements vary in different jurisdictions. As a result, informed legal advice on appropriate processes that meet judicial standards is required.
IRP Effectiveness & Efficiency – Make sure that you measure the effectiveness and efficiency of your IRP. It will allow you to understand what has been done satisfactorily and where improvements need to be made. A few metrics that can be used:
- Total number of reported incidents
- Total number of detected incidents
- Number of days without incident
- Average time to respond to an incident relative to the RTO
- Average time to resolve an incident
- Total number of incidents successfully resolved
- Incidents not resolved successfully
- Detection and notification times
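The metrics listed above can be computed directly from incident records; the following is an added example, not part of the original article. The record fields, the 4-hour RTO, the reporting period, and the reading of "reported" as raised by a person and "detected" as found by monitoring are all assumptions, and the sample records are constructed.

```python
from collections import namedtuple
from datetime import date, datetime, timedelta
from statistics import mean

Incident = namedtuple("Incident", "source occurred detected notified responded resolved ok")

RTO = timedelta(hours=4)                        # assumed recovery time objective
PERIOD = (date(2019, 3, 1), date(2019, 3, 31))  # assumed reporting period

# Constructed sample records, not real incident data.
# (source, occurred, detected, notified, responded, resolved, resolved successfully)
RAW = [
    ("reported", "2019-03-04 08:00", "2019-03-04 10:00", "2019-03-04 10:30", "2019-03-04 11:00", "2019-03-04 18:00", True),
    ("detected", "2019-03-04 22:00", "2019-03-05 01:00", "2019-03-05 01:30", "2019-03-05 07:00", "2019-03-06 01:00", True),
    ("detected", "2019-03-19 12:00", "2019-03-19 13:00", "2019-03-19 14:00", "2019-03-19 15:00", None, False),
]

def parse(raw):
    """Turn timestamp strings into datetimes; None marks an unresolved incident."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None
    return [Incident(src, *map(ts, times), ok) for src, *times, ok in raw]

def hours(deltas):
    """Mean of a list of timedeltas, in hours."""
    return round(mean(d.total_seconds() for d in deltas) / 3600, 2)

def irp_metrics(incidents, rto=RTO, period=PERIOD):
    respond = [i.responded - i.detected for i in incidents]
    days_in_period = (period[1] - period[0]).days + 1
    incident_days = {i.occurred.date() for i in incidents}
    return {
        "reported": sum(i.source == "reported" for i in incidents),
        "detected": sum(i.source == "detected" for i in incidents),
        "days_without_incident": days_in_period - len(incident_days),
        "avg_respond_h": hours(respond),
        # Ratio below 1.0 means the average response fits inside the RTO.
        "avg_respond_vs_rto": round(hours(respond) / (rto.total_seconds() / 3600), 2),
        # The average can hide individual responses that exceeded the RTO.
        "responses_over_rto": sum(d > rto for d in respond),
        "avg_resolve_h": hours([i.resolved - i.detected for i in incidents if i.resolved]),
        "resolved_ok": sum(i.ok for i in incidents),
        "not_resolved": sum(not i.ok for i in incidents),
        "avg_detection_h": hours([i.detected - i.occurred for i in incidents]),
        "avg_notification_h": hours([i.notified - i.detected for i in incidents]),
    }

if __name__ == "__main__":
    for name, value in irp_metrics(parse(RAW)).items():
        print(f"{name}: {value}")
```

In the sample data the average response sits at 0.75 of the RTO while one individual response still exceeded it, which is why the per-incident count is tracked alongside the average.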
A comprehensive IRP cannot rely on guesswork. An attacker is interested in obtaining your crown jewels and will make every attempt possible to locate them.
The more visibility you have into where your sensitive data / most valuable assets reside, the more quickly you’re able to pinpoint where your security blind spots might be and the more effectively you’re able to respond to a potential threat or incident. Having this complete visibility and intelligence not only allows you to focus and prioritize your cybersecurity drills, it can also help you more quickly identify when you need to put your IRP into action and minimize the potential damages.
Absolute delivers complete visibility and control over devices, data, applications, and users — both on and off the corporate network. Learn how the industry’s only tamper-proof endpoint resilience solution can empower you to build a more effective / comprehensive IR plan.