A serious security incident is a question of “when”, not “if”, says Rob McMillan, Research Director at Gartner.
The 2014 cyber attack on Sony Pictures Entertainment was a game changer. It was a very public example of an aggressive business disruption attack, one that caused significant disruption to Sony’s systems and operations.
Such an outcome could have happened to many digital businesses, and it was a wake-up call for this type of attack. Although attacks on this scale are infrequent, it showed how an aggressive cyber attack can seriously impact business operations.
Targeted attacks like this reach deeply into internal digital business operations, with the express purpose of causing widespread damage. Servers may be taken down completely, data may be wiped and digital intellectual property may be released on the Internet by attackers.
Your business must be prepared: an intrusion is inevitable for many organisations, and preventative security measures will eventually fail. The question you must accept is not whether security incidents will occur, but how quickly they can be identified and resolved.
This reality of the digital economy makes effective incident response, that is, detecting incidents quickly and mitigating the damage they cause, a top concern for security and risk professionals.
Why you must prepare
While incident response is a regulated requirement for organisations in some industries, the cost of preparation for any company is dwarfed by the damages and recovery expenses that follow an intrusion, which can run to hundreds of millions. Along with bad press, the aftermath is littered with ransom payouts, fines, lawsuits and, often, increased operational expenses to address system failures.
Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10% in 2014.
Beyond protecting the business from the fallout of an intrusion, effective incident response allows an organisation to continue pursuing its objectives despite a disruption.
Resilience is the by-product of mature incident response practices. Incident response is one of the core processes that any security leader must define, develop, implement and prioritise to protect the enterprise and demonstrate security’s value to the business.
Following are three integral steps that should be considered:
1. Develop your incident response process
Advance preparation is crucial to effective incident response, but it is also extremely difficult, especially in complex, distributed enterprises. Adequate preparation ensures that:
- You already know what the most critical assets are
- You are able to detect that an incident has occurred or is occurring
- A procedure is in place to resolve the incident and manage the consequences
- The people involved know what their role will be
2. Prepare your people
You must be prepared to manage the totality of the impact, not just its cause. A breach or intrusion reaches across the entire business: partners, executives, remote business units and customers are all affected.
The sudden transparency produced by an information leak calls for a response capability that addresses the consequences across the whole organisation, not just those that fall on IT. You must develop the right expertise to lead the organisation’s response to a security incident.
3. Implement operational response
Security operations are evolving, with growing recognition that the traditional approach of protecting the perimeter and investing in prevention is inadequate against today’s persistent and advanced attacks.
The failure of traditional preventative techniques has had two important impacts:
- Organisations are retooling their security architectures to improve their detection, response and, ultimately, their predictive capabilities.
- Organisations now recognise that “incidents” are not a point-in-time issue but a continuous problem for IT to confront.