Your business experiences a data breach. What happens next?
If you don't know, you’re probably lacking a proper incident response plan. Incident response is a pre-planned approach to how your organization will manage a prospective security breach. The goal of an incident response plan is to reduce damage, recovery time and costs caused by a cyberattack.
In a recent survey from IBM, "The Third Annual Study on the Cyber Resilient Organization," 77% of respondents admit they don't have a formal incident response plan applied across their organization, and nearly half say their plan is informal or nonexistent.
Yikes! Let’s take a look at the obstacles preventing more companies from creating incident response plans and what steps you can take to get a plan set up yourself.
False Confidence in Security
For the IBM study, researchers surveyed more than 2,848 IT and IT security professionals from around the world. According to Kelly Sheridan of Dark Reading, nearly half (48%) of respondents rate their "cyber resilience" as high or very high, an increase from 32% one year prior. IBM researchers define cyber resilience as "the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyberattacks."
While businesses have more confidence in their cybersecurity, the actions they’ve taken to improve their cybersecurity tell a different story. Ted Julian, Vice President of Product Management at IBM Resilient, explains:
“Respondents are saying they're feeling more confident about their cyber resilience, yet when you look at the details of the components that would create good cyber resiliency, they didn't score nearly as well."
According to IBM, the components of excellent cyber resiliency include:
- Skilled cybersecurity talent
- Information governance practices
- Formal incident response plan across the company
- Technologies addressing the severity and volume of attacks
- Sufficient funding
- Senior management support
- Visibility into data and applications
Organizations might feel like they’re taking enough security precautions, but many small businesses struggle to get each component properly integrated.
In the study, one reason businesses gave for not having a proper incident response plan is talent (or the lack thereof). Hiring has become a significant obstacle for many organizations. In fact, 77% of IT pros rated the difficulty in hiring and retaining skilled security talent as very high, while 79% stated the importance of having skilled security pros in an incident response plan was "high.”
Incident response experts must have a broad range of skills, which makes them hard to find.
Julian empathizes with the struggle to bring in talent:
"It's notoriously difficult, both to keep these people and to find them. People with incident response skills are in extremely high demand … it's a diverse, hard-to-find skill set that exacerbates this talent crunch."
The second obstacle preventing businesses from having a proper incident response plan is budget. Budget concerns hold companies back from investing in technologies like artificial intelligence and machine learning. AI can automate routine aspects of incident response, which frees security experts to prioritize and focus on more complex tasks.
Setting Up an Incident Response Plan
There’s a middle ground when it comes to creating an incident response plan. Julian notes that some businesses institute a response plan that is too thin and doesn’t cover all the needed bases. Other companies, he said, have a plan that is too dense and tries to cram every possible scenario into a single document.
The proper plan is found somewhere in the middle. Each type of attack requires a specific response. For example, a stolen laptop needs a different response than a ransomware attack. Having a response plan in place for each of these possible incidents is necessary for every business.
According to the SANS Institute, there are six key phases of an incident response plan. Use these steps as a framework for when you develop your company’s plan:
- Preparation: Ready users and IT staff to handle potential incidents should they arise
- Identification: Determine whether an event is, indeed, a security incident
- Containment: Limit the damage of the incident and isolate affected systems to prevent further damage
- Eradication: Find the root cause of the incident and remove affected systems from the production environment
- Recovery: Return affected systems to the production environment and ensure no threat remains
- Lessons learned: Complete incident documentation and perform analysis to learn from the incident and potentially improve future response efforts
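As an added illustration (not from the article, SANS or IBM) of how a plan turns these six phases into something enforceable, the Python below tracks an incident through the phases in order and refuses to advance until the phase has recorded the evidence it is supposed to produce; the playbook actions and incident types are constructed placeholders.

```python
# Added example: an incident record that walks the six SANS phases in order.
# It refuses to skip a phase or to close one without its expected evidence,
# and reports time-to-recovery, the metric an IR plan is meant to shrink.
from dataclasses import dataclass, field

PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

# Evidence each phase must record before the incident may move on.
REQUIRED_EVIDENCE = {
    "identification": "is_incident",   # confirmed this event is an incident
    "containment": "isolated",         # systems taken off the network
    "eradication": "root_cause",       # what was removed and why
    "recovery": "verified_clean",      # confirmation no threat remains
    "lessons_learned": "report",       # the post-incident write-up
}

# Containment steps per incident type (constructed placeholders, not guidance).
PLAYBOOKS = {
    "ransomware": ["isolate host from network", "suspend backup replication"],
    "stolen_laptop": ["revoke device certificates", "trigger remote wipe"],
}


@dataclass
class Incident:
    kind: str
    opened: float                      # Unix timestamp (seconds)
    log: list = field(default_factory=list)  # (phase, timestamp, evidence)

    def next_phase(self):
        """Phase that must be completed next, or None when all six are done."""
        return PHASES[len(self.log)] if len(self.log) < len(PHASES) else None

    def advance(self, phase, when, **evidence):
        """Record completion of `phase`, enforcing order and required evidence."""
        if phase != self.next_phase():
            raise ValueError(f"expected {self.next_phase()!r}, got {phase!r}")
        needed = REQUIRED_EVIDENCE.get(phase)
        if needed and not evidence.get(needed):
            raise ValueError(f"{phase} cannot close without {needed!r}")
        self.log.append((phase, when, evidence))

    def containment_actions(self):
        """Type-specific steps: a stolen laptop is not handled like ransomware."""
        return PLAYBOOKS.get(self.kind, ["escalate: no playbook for this type"])

    def hours_to_recover(self):
        """Hours from opening until recovery closed; None if not yet recovered."""
        for phase, when, _ in self.log:
            if phase == "recovery":
                return (when - self.opened) / 3600
        return None
```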
Work with your IT team to formulate a plan for your organization. For a more thorough walkthrough of what you will need to address in your incident response plan, use this how-to guide from CSO Online.
Once you’ve created an incident response plan for each phase, it’s vital that you test them. Run practice drills where your team is faced with an incident and must go through the motions of executing the plan.
When an incident does occur, you’ll know what to do.
Written by Nik Vargas