Towards a whole of organisation incident response plan

Highlights
  • Keep incident response rehearsals “real” to engage stakeholders from the C-suite and non-technical departments.
  • Plans need to be kept current, including new workflows, responsibilities, technologies and vendors.
  • Red teaming is an effective way to identify and rectify weaknesses and omissions in your plan. 

Most Australian organisations have an incident response plan in place, but many security professionals face challenges engaging crucial stakeholders outside IT.

The Telstra Security Report 2018 found that 76 per cent of Australian organisations have an incident response plan in place. While this leaves room for improvement, it represents encouraging growth over the previous year.

They’re also testing their plan more often, with 80 per cent of Australian organisations surveyed saying that they test their plan at least quarterly.

However, Thomas King, Head of Cyber Security Products at Telstra, says that there’s significant variance in the quality of these plans and specifically, the likelihood that they’ll be followed during an actual crisis. 

“When I first saw the results, I was sceptical,” says King. “Three in four companies having a plan is great, I think the amendments to the privacy legislation have made companies feel like they need one. But from what I’ve seen in the market, I don’t think 76 per cent of companies have a plan that could be followed throughout a real incident.”

He attributes this to the difficulty many security stakeholders have securing the time and attention of time-poor executives, as well as the tendency for today’s businesses to change faster than their plan can be updated.

“Generally, the better the plan is, the more closely it will be followed. It's just natural for you to follow it because it's the easiest way to actually manage the incident. However, if a plan doesn't reflect the organisational culture and how the organisation operates in a crisis, of course, then it is far less likely to actually be used.”

Make it real

One of the most effective ways to engage people who don’t share security in their core remit is to contextualise the plan’s importance to protecting things they do care about.

“The most effective rehearsal for your incident response plan is a real incident,” says King. “If you don't have a real incident to test, then generally a simulation is the next best bet. That simulation can be anything from a tabletop activity, where you get an example scenario and maybe third-party facilitation, to actually run through that scenario.”

He suggests starting with the potential threats to the “crown jewels”: a critical compromise of personal data, such as healthcare records or financial transactions, or an interruption to key operations, which could be anything from a ransomware outbreak to the compromise of industrial machinery.

“If you can make that real, with real examples for executives, that will generally get their buy-in because they will understand that you are talking about something near and dear to them and something that really is of direct relevance to the success of the business.”

Thomas King, Head of Cyber Security Products, Telstra Enterprise

“If you talk about it in esoteric terms, and make it too technical, then you'll lose them. If you can make it real with real insights and reflect real business practices and priorities, you will get executive buy-in and you will get their attention.”

By contextualising an incident response rehearsal in core business priorities, or even combining it with a simulation of a general emergency, you can also identify “perfect storms”, where external circumstances could complicate your security response, and devise ways to overcome them.

While this can be orchestrated by personnel within the company, it can be more effective to bring in external specialists as a “red team”, because they can expose flaws in the plan created by assumptions shared within your organisation.

Include the supply chain

In 2018, it’s not enough for your incident response plan to incorporate just your organisation – the proliferation of mission-critical data, such as HR or financial records, into cloud services increasingly means that vendors need to be included too.

“You do need to understand how those services are provided or how you will work with those service providers should you have an incident. How will you get information from them if they have a breach?”

King says this is particularly important in light of the short customer notification deadline that recent security legislation gives businesses.

“I think GDPR is the gold standard in this space with its three day reporting. Three days essentially means if you're a business that works 9 to 5, and an incident happens on a Friday night, you're going to have to be literally reporting within a few hours of you finding out about it on Monday,” he says.

“Across the industry, the time it takes from when the incident is first detected until we can talk to our customers needs to be shortened.”

Regularly testing the lines of communication your organisation would use in case of a crisis is a good first step, he says, to ensuring they remain clear and responsive in case of a real data breach.
