Incident response has entered a new era. With cybercrime growing a stomach-churning 600%, IBM’s Cost of Breach data indicates a $10.5 trillion price tag by 2025. From stealing sensitive data to causing operational downtime, lost business, and permanent reputation damage, hackers have become emboldened by big returns and nearly zero prosecution. With attacks on the Internet of Things (IoT) predicted to double in the next four years, there is no industry that’s safe from the endless endpoints that hackers prey upon. In other words, it’s no longer a question of “if”, but rather “when” your organization will face a compromise.
While defensive measures matter greatly to help thwart an attack, so do Incident Response Plans (IR Plans) that respect the undeniable fact that cyber criminals are effectively breaching everything from small businesses to the world’s largest corporations with devastating results.
Let’s dig into how IR Plans can make a critical difference to your organization…
Get serious about cyber defense.
Days To Dollars: Realization & Response Rates Determine Costs
According to IBM, it takes organizations an average of 279 days to become aware that they’ve been a victim of a malicious incident and to contain it. This “breach lifecycle” has a direct impact on costs to the organization, which, while heaviest in year one, have been documented to last for years after an incident, with as much as 39% impacting year two, and 11% in year three.
Among the most significant cost-cutters to a breach is an Incident Response Team with regular response practice. IBM’s study showed an average savings of $2M for such organizations, and additional savings for those with security automation. In fact, an average of $1M is saved by organizations who catch and contain a breach in less than 200 days compared to those who take longer.
Incident Response Preparation
With the aforementioned data, it’s no wonder cyber security budgets are projected to have increased over 70% between 2022 and the end of this year—and that’s across all sectors and organization sizes. So whether you’re a smaller manufacturing start-up or a large healthcare enterprise, developing a strategy and rehearsed steps to manage malicious cyber incidents will help your team respond in ways that significantly reduce damage and costs.
So where to begin?
1. UNIFY a response team to create a collaborative foundation that spans departments and technology functions. As Eric Ahlm, Senior Director Analyst at Gartner, indicates, the IR team can include external consultants where internal expertise may be lacking, but the team lead coordinating efforts and personnel should be internal, both for logistical reasons that Ahlm refers to as being able to “rapidly and effectively vault the silo walls,” as well as for protecting highly sensitive internal data.
2. DEFINE a team mission, roles, and responsibilities that specify the group’s purpose, delegate preparation and response duties, and depict a chain of communication and reporting.
3. MONITOR threats that focus on what is truly addressable. As Ahlm points out, your IR Plan should only include risks you have the ability to detect. Once detected, they should be escalated to the IR team lead. All incidents should be funneled in a company-wide culture of reporting, since seemingly minor incidents may be related to other reports, pointing to a more serious threat.
4. DETERMINE & DECLARE incidents by type, such as a web attack, impersonation/spoofing, device theft, etc., as well as at what threshold a particular incident is deemed worthy of team intervention. This will trigger initiation of your IR plan. Obviously, the team wouldn’t leap into action for every malicious email on the company’s server, but the IR team may deem a repeated/persistent effort to use email to attain company assets as worthy of escalating, especially when the potential negative impact to the organization clearly warrants.
5. CONTAIN, MITIGATE, & RECOVER from an incident following a predefined playbook. Flowcharts are helpful in this instance to depict action sequences based upon different facts or outcomes. For instance, if a malicious act is still underway, immediate efforts to block further negative impact should occur, while attempting to capture information on the adversary. Once contained, or if discovered after the malicious event, the mitigation phase can address exposed data, lost or damaged devices, resuming technical functions and/or business operations, while recovery attends to legal, human resource, and public relations implications with all relevant stakeholders, internal and external.
6. DEBRIEF your incident with your IR team to learn from the experience, making adjustments to roles, responsibilities, resource allocation, and playbook to step up your response for the next time. (Yep, there will be another one some day.)
7. TEST & REFRESH your Incident Response Plan—every step, every communication pathway, with every team member. The threat landscape shifts, as do personnel, so update your IR and drill your team to keep everyone prepared with a relevant and swift response. This will enormously increase the chances of the plan making a positive difference when the time comes, and one that could save your organization from far greater costs financially, operationally, and reputation-wise.
8. VALIDATE your response plan to learn whether your IR is up to snuff in a real-world scenario, which brings us to…
Preparation Includes Partnership
A team of trusted external experts using comprehensive simulation methods, like a robust Red Team Assessment or Incident Response Tabletop Exercise can put your Incident Response Plan and team to realistic tests—ones that expose vulnerabilities in time to shore them up. On the prevention end, year-round Vulnerability Management with 24/7-365 on-demand scanning, can help head off emerging issues that pose a threat to your environment before they become full-blown incidents.
To explore affordable assessment options with a true security ally, visit www.baisecurity.net and email us or set up a time to chat about your upcoming IT Security Assessment, HIPAA Security Risk Assessment, Controls Audit, or other security assessment needs.