We all spend a lot of time and money working to prevent attacks. We are constantly updating our tools and techniques, raising awareness and being on the lookout, but too many of us are not preparing for when an attack eventually happens.
The number of U.S. data breaches tracked in 2015 totaled 781 – even more than in 2014, which was dubbed “the year of the data breach.” Most experts are warning companies that it is a matter of “when,” not “if,” your company gets breached; fortunately, companies are listening. A survey from PWC found that not only do a majority of companies have an executive in charge of security, but 46% of survey respondents said their Board participates in information security budgets.
While companies are (finally) investing in prevention, we now need to push the importance of having an incident response plan to accompany the prevention plan. A recent survey from Ponemon Institute shows that 79% of security executives reported that they aren’t prepared for a cybersecurity incident even though another Ponemon report found that companies worldwide that had an incident response team spent about $12.60 less per record on average on response and mitigation costs compared to those that did not have one.
Incident response mistakes
As you can see above, not having an incident response plan is one of the biggest mistakes, but having a plan isn’t enough; you need to have a good plan. Here are a few mistakes to avoid:
Your incident response plan should include exactly what kinds of incidents you need to respond to. What signs should be an indication that you need to investigate? Ignoring small signs can lead to big problems. Home Depot’s 2014 data breach was blamed largely on the Senior Architect for IT Security, who was convicted of sabotaging the company’s network by ignoring lenient security controls and processes. While Target’s 2014 data breach was not blamed on one person, the breach is reported to have been a result of the security team not immediately responding to a threat.
Declaring a threat resolved too soon
Hackers are a lot more sophisticated than they once were and can embed themselves in many places in your system quietly. If you find one backdoor, don’t assume you have found the only way an attacker is getting into your system; not understanding the scope of an attack is a major incident response mistake. You need to understand how big or small an attack is to respond correctly and fully.
Not getting legal involved early
Data breaches are more than a security problem; they are a legal problem and anyone who watches the news or follows politics knows that the legal system does not move as fast as security and especially not as fast as hackers. Legal should be one of the first calls you make during incident response so they are aware and can advise you as soon as possible.
Effective incident response is all about preparation. You need to ditch the “it won’t happen to us” mentality and plan for all incidents big and small.