Seven nation army

Incident response preparedness is an integral part of every organization’s cybersecurity program. Not only does building an incident response plan help an organization respond to an incident when one occurs, but it also—and potentially more importantly—helps the organization understand where it is weak, where it is strong, and provides an opportunity before an attack hits to bolster controls and processes that may be lacking.

Creating an incident response plan is a cross-functional project aimed at bringing areas of the business—not just security and IT—together so that all parties are on the same page as it relates to cybersecurity incidents. An incident could impact the entire organization (e.g., broad-based system unavailability or missing, stolen, or altered data), and no one department owns all organizational data. Nor is security generally allowed to dictate who can generate data, with whom they share data, or even how they interact with data (Google Docs or Dropbox, anyone?). It’s therefore important for business unit heads to be involved in incident response planning. Security’s job, of course, is to secure data and systems, but in practicality it takes a village. Security teams can lock down access to sensitive data (the data they know about) and can even prevent certain data from being downloaded or transferred out of its assigned storage, but if an authorized person has his or her legitimate access compromised through phishing or malware, or if that person has shared his or her credentials with an unauthorized person, keeping a malicious adversary away from company-proprietary information becomes exponentially more challenging. Hence, the incident response plan.

I’m gonna fight ‘em all

Knowing how to act and who is involved when a security incident is declared is equally as important as implementing your finest preventative and detective measures. Intrusions unfortunately happen, and if an organization fails to respond appropriately to an incident, the consequences could stretch far beyond lost or stolen data, which is severe enough in its own right. Yet few organizations thoroughly think through the ramifications of improperly handled data during a forensic investigation; failing to report a breach in a timely fashion when required to do so by law or compliance; or inadvertently disclosing certain parts of an investigation, especially those bits that may be best handled by independent legal counsel.

Reading this, it might seem obvious that all those steps (and more) must be taken, and taken in the correct order with the appropriate parties’ involvement. However, only 29% of companies report having an updated incident response plan at all.

A seven-nation army couldn’t hold me back

Why do organizations continually put off constructing, practicing, and updating incident preparedness and response plans? Because security teams are caught in a reactive, technology-focused cycle where responding to alerts and reading up on the latest exploits is the modus operandi. True enough, it’s hard for security teams to get ahead of the curve when there’s so much data and so many systems to be secured, when shadow IT persists, and when users do the darndest things.

However, sitting down to collaborate with IT, HR, legal, marketing and communications/PR, and operations teams, along with the CEO and possibly members of the board of directors, to develop an incident response plan—which is, in actuality, a way to assess your organization’s preparedness—will force security into proactivity. In the short term it might mean extra work on an already full plate. In the long run, though, refining and modernizing an already-outlined incident response plan will help the entire company identify current gaps in technology, processes, and policies, and closing those gaps will prevent some of the more egregious incidents.

I’m gonna serve it to you

Further, regularly reviewing the incident response plan will highlight what outside resources are necessary, such as relationships with law enforcement, incident responders, and forensics investigators. Though your organization may be expert in its people, data, processes, culture, and more, these outside specialists handle cybersecurity incidents every day (which, hopefully, you do not) and can ensure your company, when already in a sticky situation, isn’t further complicating matters by breaking the chain of custody or missing important steps in the response process.