Every second counts: The importance of incident response
Cybersecurity incidents are becoming more targeted and more damaging to organisations every day. On average, targeted threats remained undetected in compromised networks for 380 days in 2017. Threats can interfere with business processes, compromise data integrity, and threaten an organisation’s reputation.
The Australian government has made businesses more accountable for breaches through the mandatory data breach notification scheme, which came into effect in February 2018. More recently, the NSW Government set aside $20 million in its 2018 State Budget to fix cybersecurity gaps in the public sector, after the state’s auditor-general found instances of “poor detection and response practices and procedures”.
Poor practices leave organisations unprepared to respond to threats; effective incident response, conversely, gives them the confidence to handle them. As the risk of data breaches is not going away any time soon, incident response that limits disruption to normal business operations has become paramount.
Preparation is key
Incident response teams help develop and test robust incident response plans. These plans matter because they manage cyber-attacks in ways that limit damage, increase stakeholder confidence and reduce recovery times and costs.
With a plan in place, action can be taken confidently and efficiently when a threat materialises. Organisations that are well prepared will be calmer and more collected during an attack and better positioned for the aftermath.
Don’t contaminate the crime scene
Well-intentioned but inappropriate actions after an incident, such as rebooting or rebuilding affected hosts before they have been imaged, can destroy valuable evidence about how the attacker accessed the network and the extent of malicious activity. Losing this information leaves the organisation unable to assess impact or prioritise future investment.
After an attack, the network must be treated as a crime scene. Incident response teams with the right expertise should be used to navigate it, capture evidence, and ensure that evidence remains intact and uncontaminated. Only once that is done correctly can the vulnerabilities that were exploited be identified and rectified.
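The “keep the evidence intact” step above, as an added example that is not part of the original article and not Secureworks’ own tooling: a Python script that hashes every artifact collected from a host, records who acquired the set and when, and later re-verifies it so that any file edited, removed or added after acquisition is flagged. The directory layout, collector name, host name, IP address and log contents are constructed for the demonstration.

```python
"""Added example: an integrity manifest for collected incident artifacts.

Hashing each artifact at acquisition and re-checking later turns the
"don't contaminate the crime scene" rule into something measurable: an
analyst who opens a log in an editor that rewrites it, or an AV scan that
quarantines a sample, is detected rather than silently accepted.
All paths and sample data below are constructed, not real case data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB chunks so large images need not fit in RAM


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative_paths(evidence_dir):
    """Yield (relative_path, absolute_path) for every file under evidence_dir,
    using '/' separators so manifests compare across platforms."""
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            yield os.path.relpath(full, evidence_dir).replace(os.sep, "/"), full


def build_manifest(evidence_dir, collector):
    """Hash every collected artifact and record who acquired the set and when.
    Store the manifest outside the evidence tree (ideally off the compromised
    host) so it cannot be altered alongside the evidence it protects."""
    files = {
        rel: {"sha256": sha256_file(full), "size": os.path.getsize(full)}
        for rel, full in _relative_paths(evidence_dir)
    }
    return {
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(evidence_dir, manifest):
    """Compare the evidence tree against a stored manifest and report every
    artifact that was modified, removed or added since acquisition."""
    expected = manifest["files"]
    report = {"modified": [], "missing": [], "added": []}
    seen = set()
    for rel, full in _relative_paths(evidence_dir):
        seen.add(rel)
        if rel not in expected:
            report["added"].append(rel)
        elif sha256_file(full) != expected[rel]["sha256"]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(expected) - seen)
    report["modified"].sort()
    report["added"].sort()
    return report


def demo():
    """Constructed scenario: acquire three artifacts, then simulate the kind of
    well-intentioned contamination the article warns about, and re-verify."""
    with tempfile.TemporaryDirectory() as case_dir:
        evidence = os.path.join(case_dir, "evidence")
        os.makedirs(os.path.join(evidence, "logs"))

        # Constructed sample artifacts (hostnames, users and IPs are made up).
        samples = {
            "logs/auth.log": "Jan 10 02:14:07 web01 sshd[4412]: Accepted password for svc_backup from 10.0.0.9\n",
            "logs/web.log": '10.0.0.9 - - [10/Jan/2018:02:15:01 +1100] "GET /admin HTTP/1.1" 200 512\n',
            "sample.bin": "MZ placeholder for a collected binary\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(evidence, *rel.split("/")), "w") as handle:
                handle.write(body)

        manifest = build_manifest(evidence, collector="analyst-1 (constructed)")
        manifest_path = os.path.join(case_dir, "manifest.json")  # outside the evidence tree
        with open(manifest_path, "w") as handle:
            json.dump(manifest, handle, indent=2)

        # Untouched evidence verifies clean.
        assert verify_manifest(evidence, manifest) == {"modified": [], "missing": [], "added": []}

        # Contamination: a note appended to a log, the sample removed by an AV
        # scan, and working notes dropped into the evidence folder.
        with open(os.path.join(evidence, "logs", "auth.log"), "a") as handle:
            handle.write("# reviewed by analyst\n")
        os.remove(os.path.join(evidence, "sample.bin"))
        with open(os.path.join(evidence, "notes.txt"), "w") as handle:
            handle.write("working notes\n")

        with open(manifest_path) as handle:
            stored = json.load(handle)
        return verify_manifest(evidence, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be signed or copied to a separate system immediately after acquisition; a manifest that sits next to the evidence on the compromised host can be rewritten by the same hands, or the same attacker, that alter the evidence.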
Speed should not be the only goal of incident response, despite what the name implies. Many people associate the term with recovery efforts following a major security breach. Reaction is crucial, but effective incident response is also proactive and is not confined to major incidents.
Incident response teams assist with a range of preventative and detection activities that minimise the impact of threats before an incident occurs. These can be built into the incident response plan to make it holistic.
Through targeted threat hunting and threat intelligence, risks and threats can be identified and addressed early. Businesses can then manage the identified risks and fix any critical security flaws. Cyber-attacks are often difficult to predict and evolve every day, but organisations must ensure they are taking every possible step to protect themselves.
Bring in a third-party provider
While internal teams are well placed for efficient and timely responses, third-party providers bring expertise across a broader scope of incident response activities. Drawing on experience gained across many organisations, an external provider can help guard against threats and identify and mitigate incidents.
Where an internal team may lack experience with a specific threat, a third-party provider can offer insight into a broader range of attacks and a greater understanding of the threat landscape.
A further benefit is that a third-party provider may be better equipped to understand the legal and regulatory requirements that apply to an organisation’s industry.
Third-party providers will be across the Australian standards set by the federal government as well as standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) and mandatory data breach notification laws.
They also help ensure organisations meet all of their legal obligations, by picking up requirements that an internal team can overlook through familiarity.
Every second counts
Effective incident response is an important yet often overlooked requirement for enterprises in an increasingly digital world. Australian businesses are not immune to data breaches, and the law now takes a harsh stance on businesses that fail to respond adequately to incidents that compromise customers’ privacy.
By being prepared at every stage of the incident response process, organisations can be confident that they are in the best position to deal with a threat efficiently and effectively.
Article by Secureworks head of Incident Response, Jon Cooper.