Timely Incident Response - Planning your response to a security incident
In the age of the General Data Protection Regulation (GDPR) and Australia’s mandatory data breach legislation, businesses cannot afford to assume that they won’t be attacked, or that they won’t suffer a breach.
Today, our potential attack surface is too large, the possible financial rewards for cyber criminals are too lucrative, and the fiscal and reputational damage of a successful breach is too great to ignore.
"76% of Australian organisations have an incident response plan in place." - Telstra Security Report 2018
While the Telstra Security Report 2018 found that 76% of respondents had an incident response plan in place, we anticipate this will rise as organisations of all sizes start asking the tough questions, such as: How would we react to a ransomware attack? How would we quarantine, investigate and eradicate the spread of malware once detected? What does our workflow for notifying customers after a data breach look like?
While the increasing number of organisations with an incident response plan is encouraging, the effectiveness of those plans is an ongoing concern.
One of today’s key security challenges is the rapid pace of change, which makes it imperative to keep your incident response plan up to date, just like your security team’s skills. New technologies, business practices, data sources and potential threats all need to be integrated regularly, or your plan will lose its relevance, making it less likely to be effective when it’s needed most.
To maximise the probability of your plan being adhered to in the confusion that often follows a detected data breach, it needs to be up to date and relevant, it needs buy-in across the company, and it needs to be tested regularly so everyone knows what to expect.
80% of Australian respondents with an incident response plan indicated that they tested their plan at least quarterly, although the form of testing varies significantly – from document reviews through to tabletop exercises and full-blown simulations.
While some rehearsals can be effectively accomplished with just the security team, including key stakeholders from other parts of your business will greatly increase the likelihood of your incident response plan being followed on the day of a real incident.
This is especially important for your C-suite leaders and executives, whose time can be difficult to obtain, but senior leadership familiarity with the process can dramatically increase your effective response time. Of course, it’s not just a matter of time and resources. Although leaders recognise the importance of managing their security risk, those without a technology background may not feel engaged when asked to think about its practical implications.
One of the most effective ways to engage senior management is to “keep it real” and ensure the security response is presented within your business context. Take a challenging time from your organisation’s past - such as a prolonged power outage or a time your business was stretched over capacity from demand - and rework it into a security incident.
This not only lets you explore how your organisation, with its existing known weaknesses, would cope with an incident, but also helps create a connection between security principles and key business risks.
In addition to providing valuable experience, incident response rehearsals provide a critical opportunity to identify your weaknesses and encounter unforeseen issues. Red teaming, whether it’s provided by your own team, or an external partner, can help you identify and rectify a plan’s weaknesses and omissions.
Learning from past incidents is one of the key tenets of effective incident response. However, especially amidst today's cyber security skills shortage, it can be difficult to justify the cost of maintaining forensic investigation skills in-house.
When you’re putting your plan together, consider your internal security expertise, and whether you need an experienced third-party security team to assist you with crafting your plan, testing it, or even to act as an ongoing partner that supplements your forensic investigation capabilities.