In 2018, no executive that reads the papers can be unaware of the cybersecurity risks facing their organisation. With the size and frequency of data breaches increasing, companies should be prepared to handle one when it happens.
The best way to cope with a security incident is to hit the ground running. A well-structured, efficient incident response plan helps to contain a breach and limit the damage. It’s a playbook that tells you what to do, who will do it, when, and how.
Unfortunately, these playbooks are scarcer than you might think, NTT Security has found. We surveyed 1350 non-IT business decision makers when preparing our 2017 Global Risk:Value report on companies’ attitudes to cybersecurity and saw some concerning results.
We found that only 48 per cent of respondents had an incident response plan. 31per cent companies were in the process of implementing one, and 10per cent were still writing it. One in ten companies either didn’t plan to implement one or didn’t know whether they had a plan or not (which is as bad as not having one at all).
Designing incident response
What does such a plan look like? At a high level, GCHQ’s National Cybersecurity Centre provides a guide to incident management as part of its ‘10 Steps to Cyber Security’ guidance.
It discusses the need to establish an incident response capability and provide specialist training across a range of technical and non-technical skills. This will be especially important when detecting and containing a cybersecurity threat, stopping it from spreading further.
The government’s guidance also makes a point of defining the required roles and responsibilities, which is one of the most important components of all. A team is only as good as its players.
To be truly effective, an incident response plan must be multi-disciplinary. When a breach occurs, a company must mobilise not only its technical staff to contain the problem, but also its legal team to assess corporate liability and potentially advise on forensic data gathering.
Other parties must be involved, too. Compliance experts must ensure that the organisation covers its regulatory bases, which will be an even more important component in 2018 when GDPR’s strict data protection and data breach notification measures come into play.
Marketing communications executives must handle crisis management and notify other key stakeholders outside the company. Human resources must explore how staff followed policies in the breach (or didn’t), and refine those policies while potentially applying disciplinary measures. Financial staff must assess the monetary impact, and let’s not forget customer service executives who must handle irate customer queries at the ‘sharp end’ of the problem.
Other aspects of a robust incident response plan according to UK government guidance include establishing a data recovery capability, which can be especially important in ransomware cases.
All eyes on the issue
To marshal all these departments and more, an organisation needs C-suite support. Board-level executives must appreciate and buy into the need for cybersecurity preparedness, and allocate the appropriate financial and human resources to support them. Here, at least, the organisations in NTT Security’s report seemed to be giving the matter executive attention. They allocated responsibility to executing the incident response plan evenly between the CEO (23 per cent), CIO (21 per cent), CISO (22 per cent) and COO (21 per cent).
Your incident response plan will help you to get ahead of a breach should it occur, but it isn’t the only part of your cybersecurity toolbox. If you can prevent security incidents with a broader information security policy, then you hopefully never need to pull that incident response team together for active duty.
The security policy is a range of preventative measures that employees can take to minimise the risk of data loss. Components of this plan should cover everything from acceptable use of computing resources through to proper data encryption procedures, and everything in between.
Executives should communicate the broader security policy to everyone, because all employees play a part in supporting it. Your incident response plan may be your blueprint for responding, but your security policy defines how you act to protect yourself, each minute of each day.
This, too, is something that companies could do better at. 79 per cent of those with a documented security policy communicated it to everyone in the organisation. That sounds promising, until you realise that just 56 per cent of companies had created such a policy in 2017. This leaves many companies with untrained, unaware employees who become potential weak links in the infosecurity chain.
Now is the time to get ahead of this issue by drawing together key executives and ensuring that both these policies are locked and loaded. Then, drive your security policy throughout your business culture, getting all employees on board. In this security climate, they are two of the most important documents in your business.