Companies must have an incident response plan to counter cyber reality
SMBs need to be proactive, put protocols in place in case of attack
By Rodika Tollefson, ThirdCertainty
The threat of serious and costly operational disruptions due to a cyber attack has senior executives at many organizations feeling ill at ease.
So a rising number of them have begun engaging their companies in cyber incident response planning.
An incident response plan takes a meticulous approach to managing the aftermath of any type of disruptive cyber incident.
It could be a network breach, insider data theft, denial of service attack or website defacement. In fact, the plan should define what constitutes a cyber incident and lay out specific steps for the tech staff, management, corporate communications and the legal department to take when an incident occurs.
Incident response planning has become a red-hot topic among organizations seeking to proactively address cyber exposures.
An annual survey of risk managers by global insurer Zurich found that in 2015, 72 percent of more than 400 respondents had a data-breach response plan, an increase of 10 percentage points from the previous year.
“Companies are being asked by their boards what they’re doing, what they should be doing, and what they can be doing to be more protected,” says Siobhan MacDermott, a risk and cybersecurity principal at consultancy EY.
Planning gains traction
She says that a shift in incident response planning that began about 12 to 18 months ago—largely because of all the media attention on high-profile network breaches—is accelerating.
Another report, EY’s annual Global Information Security Survey, reflects the nascent nature of this trend. EY polled 1,755 C-suite executives from 67 countries in 2015. While 43 percent of respondents said they had a formal incident response program, only 7 percent had a robust program that integrated external vendors, law enforcement agencies and playbooks tested via regular tabletop exercises.
“The incident response plans are tiered depending on severity,” says Raj Dodhiawala, senior vice president of products and engineering at CounterTack, which provides endpoint threat detection and response.
Lighter-weight incident response plans typically involve coordinating the efforts of IT staff and cybersecurity analysts focused on routine daily disruptions. For more serious incidents, experts from risk and compliance should be at the table, he says.
In fact, more comprehensive plans go beyond the tactical IT response to take a more strategic, all-hands-on-deck approach. Continuous monitoring and detection get factored in, and parameters for gauging severity and prioritizing incidents get established. Rehearsals and drilling—akin to what first responders do to prepare for earthquakes and terrorist attacks—can be very valuable.
“It’s a lot easier to go through the (response) process once you have a plan in place and you’ve gone through the drill, than it is to think on the fly,” says EY’s MacDermott.
How to prepare for the inevitable
So what’s the first step?
Start by looking at the data—such as intellectual property and personally identifiable information—and the potential bad actors, MacDermott suggests.
“Understand and identify the most important assets you have—the crown jewels,” she says.
For small and midsize organizations, contracting expert help is a readily available option that should be explored.
Dodhiawala notes that a growing trend among SMBs is reliance on managed security services providers, or MSSPs. The MSSPs typically offer bundles that include end-to-end protection and monitoring, as well as incident response.
“Most small and medium-size companies don’t necessarily have the depth of security talent (in-house),” he says.
By outsourcing incident response planning, the company can offload the burden of crafting a robust plan and rely on the service provider’s policies and procedures.