
Firms lack incident-response best practices

By Admire Moyo, ITWeb's news editor.
Johannesburg, 13 Apr 2015
Not all security incidents can be treated the same, says Julie Ferreira, senior accounts executive at RSA Southern Africa.

The majority of organisations are not following incident-response best practices and are ill-prepared to face the challenges of today's advanced cyber threats.

That is one of the key takeaways from a new global breach readiness survey conducted by RSA, the security division of EMC. The study covered 30 countries, including SA, and compared those global results with a survey of the Security for Business Innovation Council (SBIC), a group of top security leaders from the Global 1000.

Using the SBIC as a benchmark, the survey report provides quantitative insights into real-world security practices and highlights gaps in technology and procedure as well as prescriptive advice from the SBIC for how to best close those gaps.

The survey focused on measures within four major areas of breach readiness and response - incident response, content intelligence, analytic intelligence, and threat intelligence. The results suggest organisations continue to struggle with the adoption of technologies and best practices that will allow them to more effectively detect, respond to, and disrupt the cyber attacks that turn into damaging breaches.

Organisations are still too reliant on the tools and technology to detect and prevent incidents from occurring and they have yet to fully invest in the people and processes that support an orchestrated method for detecting and responding to incidents, says Julie Ferreira, senior accounts executive at RSA Southern Africa.

"Security vendors are partially to blame as each new security 'tool' claims to offer the greatest protection and prevention capabilities so that organisations are not prepared when these tools fail to detect new attacks," Ferreira notes.

She adds that not all security incidents can be treated the same and different response methods need to be considered depending on the context of the incident.

For instance, she explains, an internal employee trying to steal data requires a forensic approach to handling the incident so as not to damage any potential chain of custody evidence. "A simple malware infection may seem benign but without utilising a best practice approach to handling the incident, important aspects may be overlooked that could indicate a much larger security incident at play."


According to Ferreira, the National Institute of Standards and Technology (NIST) has produced a great publication, NIST SP 800-61 (Computer Security Incident Handling Guide), as a guideline and best practice for incident management.

"An incident best practice typically consists of a documented method for detecting incidents and categorising security incidents. This can be via alerts generated through security tools or anomalies detected on the network."

She believes that based on the category of the incident, an organisation then needs context to determine the priority of the incident; for instance, is it a critical server infected with malware or a user's home machine that they have brought onto the network?

"As a best practice for incident response, organisations need to ensure they have an up-to-date catalogue of IT assets, their IT function, supporting business role and relevant owners."
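The triage step Ferreira describes, categorising an alert and then using asset context to set its priority, can be shown in a few dozen lines. The following Python is an added illustration written for this page; it is not code from RSA, ITWeb or NIST SP 800-61. The asset catalogue, the alerts, the category names, the playbook names and the scoring scale are all constructed here as assumptions. It also handles the case she raises of a machine that is not in the catalogue at all: rather than silently treating an unknown host as low value, it records that the asset is unmanaged and leaves a note to get it into the inventory.

```python
"""Alert triage that joins detections with an asset catalogue before assigning
a priority and a response playbook. Added example, not from the article."""
from dataclasses import dataclass

# Constructed asset catalogue. Each entry carries the IT function, the business
# role it supports, and an owner, as the article recommends. Hypothetical data.
ASSETS = {
    "db-prod-01": {"function": "database server", "business_role": "customer billing",
                   "owner": "finance-it@example.invalid", "criticality": "critical"},
    "fs-hr-02":   {"function": "file server", "business_role": "HR records",
                   "owner": "hr-it@example.invalid", "criticality": "high"},
    "ws-0457":    {"function": "workstation", "business_role": "general staff",
                   "owner": "desktop-support@example.invalid", "criticality": "low"},
}

# Assumed category -> playbook mapping. An insider case goes to a forensic
# playbook so that evidence and chain of custody are preserved before cleanup.
PLAYBOOKS = {
    "insider_exfiltration": "forensic-preservation",
    "malware": "malware-containment",
    "anomaly": "investigate",
}

CRIT_SCORE = {"critical": 3, "high": 2, "medium": 1, "low": 0}
CATEGORY_SCORE = {"insider_exfiltration": 3, "malware": 2, "anomaly": 1}
# A host missing from the catalogue cannot be assessed, so it is scored as
# "medium" rather than "low" and flagged for inventory follow-up.
UNKNOWN_ASSET_SCORE = 1


@dataclass
class Incident:
    alert_id: str
    host: str
    category: str
    priority: str
    playbook: str
    owner: str
    note: str


def categorise(alert):
    """Map raw detection fields onto an incident category (constructed rules)."""
    src = alert["source"]
    sig = alert["signature"].lower()
    if src == "dlp" and alert.get("actor_is_employee", False):
        return "insider_exfiltration"
    if src == "av" or "trojan" in sig or "malware" in sig:
        return "malware"
    return "anomaly"


def priority_label(score):
    """Collapse the combined category + asset score onto a P1..P4 scale."""
    if score >= 5:
        return "P1"
    if score == 4:
        return "P2"
    if score >= 2:
        return "P3"
    return "P4"


def triage(alert, assets=ASSETS):
    """Categorise one alert, look up its host in the catalogue, assign priority."""
    category = categorise(alert)
    asset = assets.get(alert["host"])
    if asset is None:
        score = CATEGORY_SCORE[category] + UNKNOWN_ASSET_SCORE
        owner = "unknown"
        note = "host not in asset catalogue: treat as unmanaged device, identify and add to inventory"
    else:
        score = CATEGORY_SCORE[category] + CRIT_SCORE[asset["criticality"]]
        owner = asset["owner"]
        note = f"{asset['function']} supporting {asset['business_role']}"
    return Incident(alert["id"], alert["host"], category,
                    priority_label(score), PLAYBOOKS[category], owner, note)


# Constructed sample alerts: same malware signature on a critical server, on a
# low-value workstation, and on a laptop nobody registered; plus a DLP hit.
SAMPLE_ALERTS = [
    {"id": "A1", "source": "av",  "host": "db-prod-01",  "signature": "Trojan.Generic"},
    {"id": "A2", "source": "dlp", "host": "fs-hr-02",    "signature": "Bulk copy to USB",
     "actor_is_employee": True},
    {"id": "A3", "source": "av",  "host": "ws-0457",     "signature": "Trojan.Generic"},
    {"id": "A4", "source": "ids", "host": "LAPTOP-JDOE", "signature": "Malware C2 beacon"},
]


def triage_all(alerts=SAMPLE_ALERTS, assets=ASSETS):
    """Triage a batch and return it ordered by priority (P1 first)."""
    return sorted((triage(a, assets) for a in alerts), key=lambda i: i.priority)


if __name__ == "__main__":
    for inc in triage_all():
        print(f"{inc.priority} {inc.alert_id} {inc.host:<12} {inc.category:<20} "
              f"{inc.playbook:<22} owner={inc.owner} ({inc.note})")
```

Running it ranks the infected billing database and the insider DLP hit as P1, while the same trojan signature on a general-staff workstation lands at P3; the unregistered laptop also comes out at P3 but with an "unknown" owner and a note to fix the inventory, which is the gap an up-to-date asset catalogue is meant to close.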

RSA notes incident response is a core capability that needs to be developed and consistently honed to effectively face the increasing volume of cyber attack activity.

The survey results indicate that while all leading-edge SBIC members have developed an incident response function, 30% of large organisations surveyed do not have formal incident response plans in place. Furthermore, of those that do have a plan, 57% admit to never updating or reviewing them.

"Organisations are struggling to gain visibility into operational risk across the business. As business has become increasingly digital, information security has become a key area of operational risk and while many organisations may feel they have a good handle on their security, it is still rarely tied in to a larger operational risk strategy, which limits their visibility into their actual risk profile," Ferreira concludes.
