Data breaches have become so common now that they’re almost expected. However, just because that’s the case doesn’t mean that they don’t have the potential to do tremendous damage. According to a recent report from IBM, the average total cost of a data breach is close to $4 million, and the average time to identify and contain a breach is 280 days.
Having an incident response plan in place is critical to prepare your organization in the event of a data breach or other cybersecurity incident. But just having one isn’t enough. Fine-tuning, and practicing your incident response plan is also crucial to being prepared for any cybersecurity incident. But, like any planning process, it’s easy to make mistakes along the way if you aren’t that familiar with developing a plan.
What are some common incident response mistakes that organizations make during the planning phase, and how can you avoid them?
Preparing for Successful Incident Response
Successful incident response depends heavily on preparation. So, how can you make sure your organization is ready?
There are three key areas you should focus on: planning; practicing; and identifying critical assets and data.
- Planning: Incident response plans keep everyone on the same page. They clearly outline who’s in charge, what resources are available, and what options there are for detection and containment. Having a process to follow will bring order to chaotic situations and keep everyone focused on solving the most critical problems. Planning to create the plan is the first step that must be considered.
- Practicing: Tabletop exercises allow you to run through many hypothetical scenarios to test the effectiveness of your incident response plan. Stakeholders from various groups within the organization will have a better understanding of their role in the incident response process by going through these exercises that mimic what could happen in the event of an actual security incident or data breach. Exercises will also identify deficiencies in your plan so you can continue to improve it.
- Identifying: Identifying critical assets and data helps organizations prioritize their focus. Once you know what those critical items are and where they “live,”, think through the potential threats against them and what concerns you’ll have during an incident. This will determine what controls you should implement to ensure those concerns are addressed quickly. This doesn’t always mean implementing a fancy new security product; sometimes it can be as simple as thoughtfully increasing the verbosity of your logs to include as much information as you can while keeping them from becoming unmanageable. This is often as simple as changing a configuration setting in whatever software programs you’re running.
Pitfalls to Avoid When Planning for Incident Response
Most of the issues organizations run into are due to assumptions they’ve made right before an incident occurs, when it’s too late to make a correction. You can often catch assumptions in the planning and tabletop exercise phases.
For example, one assumption is that IT administrators are typically prepared to manage and conduct a security investigation and response. The skills, training and mindset of an incident responder are different than even the most competent system administrator. If you haven’t provided your administrator with any specialized response training, your faith in his or her ability to investigate a security incident may be misguided.
Organizations also assume that they can depend on unknown, unvetted, third-party vendors. Organizations that have some form of cyber liability insurance are usually more susceptible to that mindset. They’re often in for a surprise when their insurance carrier refers them to a vendor that can’t arrive quickly, and when they do arrive, performs a sub-standard job at responding to the organization’s questions, concerns and needs. They’re then left looking for a second opinion, often at their own expense. Organizations should develop a relationship with a vendor they trust before a crisis, as opposed to relying on a vendor they’ve never met to help them during an emergency.
Have You Been Breached?
Your organization could be breached right now and you might not even know it. The first step is to be proactive. Don’t wait to find out about a breach from a third party or stumble on it a year later. Come up with ideas of what malicious actors may be doing on your network and start hunting.
For example, systems with the Remote Desktop Protocol exposed to the Internet are prime targets for attackers. Even if you have no alarm telling you that one of these systems has been breached, take a look for common indicators of compromise. You may be surprised.
Go out and do something with the information and resources you already have, even if it’s just going to each of their critical servers to check out what’s sitting in the Windows startup folder.
Summary
Security incidents are a business problem for people to solve. While technology is an enabler, it won’t investigate, scope, contain and eradicate an incident without smart people solving tough problems.
There may be chaos, confusion and anxiety if you’re in the midst of a cybersecurity incident. Everyone is going to want answers. Think about who you rely on for those answers and think about the tough questions that’ll be asked. The individuals who’ll need to provide answers to those tough questions need to be prepared with the right training and resources. The bottom line is, planning ahead can help you and your team avoid common incident response mistakes.
