It’s no secret that organisations of all sizes face the threat of cyber security attacks.
With more employees working from home and in less controlled environments, 70% of companies expect these hybrid work models to exacerbate data breaches and their related costs (2020 Cost of a Data Breach report).
It goes without saying that organisations need to be prepared. A security incident response (IR) framework provides the necessary steps to contain, handle, and resolve cyber attacks.
Why you should care about incident response
Data breaches cost organisations $US3.86 million per attack, according to the 2020 Cost of a Data Breach report.
Organisations with neither an IR team nor testing of their IR framework face an average of $US5.29 million in breach costs. Companies with IR teams and test scenarios in place report $US2 million less in breach costs.
This means that the IR team not only deals with the technical side of the cyber attack but also significantly influences the financial aftermath of a data breach.
So how can your organisation get on top of an incident response plan?
The National Institute of Standards and Technology (NIST) has identified four steps that are crucial to a successful Incident Response Plan:
- Preparation
As with most things in life and business, the better prepared you are, the quicker you can react to unexpected events. If an incident is unfolding, your IR team needs to be ready on the spot, know their responsibilities, and have the authority to make crucial decisions. To make that happen, a current plan needs to be in place, security tooling needs to be at hand, and skills and training need to be up to date.
- Detection & Analysis
The second step determines whether an incident has occurred, what type of data breach it is and how severe it is. According to NIST, this phase can be particularly challenging because incidents may be detected by different sources, such as automated detection systems or user reports. Some organisations receive millions of indicators of potential compromise per day, and it is very challenging to decide what to pay attention to and what to ignore. As a consequence, IR team members require considerable technical knowledge and experience.
- Containment, Eradication, and Recovery
The purpose of this step is to contain the incident and minimise its impact on the organisation. Once the incident is under control, the IR team can identify the root cause of the cyber security incident and come up with a plan to deal with it. It is critical in this phase to document and record all processes, for two reasons: being prepared for possible litigation, and learning from the attack.
- Post-incident Activity
Lastly, a feedback meeting with people from across the organisation, including C-level executives, is highly recommended to learn from the data breach and improve the organisation’s reaction to future attacks. Documenting the results of this meeting will significantly help onboard new staff and becomes an important training tool for current IR team members.
Do you have an incident response framework in place?
If you are unsure or would like to get your data breach response checked, talk to one of our security experts today!