It’s already too late: Plan cyber security incident response now

The value of an incident plan does not depreciate or become obsolete when a cyber security incident is over, and its value is in its function in the greater scheme of business continuity.

It’s not a matter of if, but when your business will come under attack from hackers. 

There is a cyber security hacking attempt every 39 seconds. Approximately $6 trillion is expected to be spent globally on cyber security this year, and since COVID-19 the US FBI has reported a 300% increase in reported cyber crimes.

The advent of the pandemic resulted in an increased global dependence on the cyber industry. With cyber attacks reaching unprecedented numbers this year alone, the importance of pre-emptive cyber incident response (IR) planning has been brought to the forefront.

The financial implications of these data breaches, including those in which victims decided to pay a ransom, range from loss of revenue and brand damage caused by customer mistrust to an inability to recover from the attack at all.

What is IR planning, and how do you do it?

IR is defined as taking the steps necessary to prepare for, detect, contain and recover from a cyber security incident. An IR plan entails the following:

  • The activities required in each phase of IR.
  • The roles and responsibilities for completing IR activities.
  • Communication pathways between the IR team and the rest of the organisation.
  • Metrics to capture the effectiveness of IR capabilities.

It is important to note that the value of an IR plan does not depreciate or become obsolete when a cyber security incident is over.

It continues to provide support for successful litigation through the availability of documentation that auditors may need, as well as historical knowledge to feed into the risk assessment process and improve the IR process itself.

Why is an IR plan important?

The value of an IR plan is in its function in the greater scheme of business continuity. As IR is not limited solely to the technical sphere, the plan must be designed to align with the organisation’s priorities and its levels of acceptable risk.

The information gained through the IR process can be used to feed back into both the risk assessment procedures and the IR activity itself, to ensure better handling of future incidents and an overall stronger security posture.

It is astonishing to note that a large majority of organisations either don’t have an IR plan, or have one that is underdeveloped.

When any party, be they investors, clients, the media or auditors, asks about an incident, a business with an effective IR plan can validate its actions in the wake of a cyber attack.

Cyber IR plans should be reviewed on an annual basis.

According to a survey by Ponemon, 77% of respondents say they lack a formal IR plan that is applied consistently across their organisations, and nearly half say their plan is informal or non-existent. Among those who have plans in place, only 32% describe their initiatives as ‘mature’.

These figures are especially disturbing, considering that many organisations will take weeks or months to resolve cyber incidents. The Ponemon study reveals that 65% say the severity of the attacks being experienced is on the rise.

It is crucial to understand that speed is an essential factor in limiting damage. The more time attackers have inside a victim’s network, the more damage they can inflict. An IR plan can limit the amount of time that attackers have by ensuring responders understand the steps they must take and have the tools and authority to do so.

What are the appropriate IR steps?

According to the US’s National Institute of Standards and Technology (NIST), computer security incident response has become an important component of IT programmes.

It advises that, because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. NIST notes there are four key phases to IR, namely:

  • Preparation: No organisation can stand up an effective IR capability at a moment’s notice. A plan must be in place to both prevent and respond to events.
  • Detection and analysis: The second phase of IR is to determine whether an incident occurred, its severity, and its type.
  • Containment and eradication: The purpose of the containment phase is to halt the effects of an incident before it can cause further damage.
  • Post-incident recovery: A ‘lessons learned’ gathering of all parties involved in the IR should be mandatory after a major incident, and desirable after less severe incidents.

Regarding this last point, think of recently publicised breaches that remained in the headlines for weeks and then ask some pertinent questions.

For example, was the company notified of the breach well in advance but failed to act? Did the company’s public communications downplay the severity of the incident, only to be exposed for this through further scrutiny?

Were communications with affected individuals poorly handled? Or worse, did they result in greater confusion?

These are telling signs that point to organisations without an IR plan.

In my next article, I will set out best practices in IR planning, including IR planning in the cloud and why no plan can be formulated that does not factor it in.

Edison Mazibuko

Technical director, DRS – a Cyber 1 company.

Edison Mazibuko is technical director at DRS – a Cyber 1 company. He began his journey in the cyber security industry as a security engineer and has worked in the sector for over a decade, occupying various roles.

Mazibuko holds a BTech Degree (UNISA) and holds a number of cyber security certifications, including Certified Information Systems Security Professional (CISSP) and The Open Group Architecture Framework (TOGAF).

Passionate about cyber security, the environment and emerging technologies, he serves as chairperson on the fourth industrial revolution committee of an NGO that aims to unlock the green economy in Southern Africa. This committee is tasked with advising the board on the disruptive technologies shaping digitalisation.

He was appointed as technical director at DRS – a Cyber 1 company, a cyber security services and products organisation – in 2020. Having previously worked in the banking sector, his current role is to assist organisations in both the private and public sectors with their cyber security maturity journey.
