Given the proliferation of security breaches across all industries, the prevailing wisdom in the cybersecurity community is that you must assume your organization will be breached at some point in the future. In this context, emphasis has been placed on the development of incident response procedures. Effective incident response inherently depends on four components: training, communication, technology, and disaster recovery. Any weaknesses in these components can greatly hinder an organization’s ability to detect, contain, and recover from a breach.
Although addressing these four areas in the context of incident response procedures will not guarantee a successful response, neglecting them can result in failure to effectively manage the risks associated with a cybersecurity incident. Let’s take a closer look at each of these four components.
In addition to making sure that the incident response team is properly trained to handle a cyber incident, company leaders must conduct appropriate training across the organization so that employees can be the first line of defense for incident identification. A receptionist might notice a suspicious visitor. A support specialist might receive an abnormal request. Anyone in the organization might receive a malicious email. Expectations for how to respond to these types of situations should be defined from the outset and reinforced periodically through additional training and testing.
In a breach scenario, communication takes place both internally and externally. Internally, the incident response team quickly needs to communicate a suspected incident to management and peers. A variety of teams, possibly diverse in skill sets and locations, needs to coordinate containment activities. Leadership needs to communicate with the entire organization to ensure that employees are aware of the situation and act accordingly.
External communication is also important. Vendors and support organizations may need to be contacted to assist at any phase of incident response. Law enforcement may need to be briefed. And of course, there is the public disclosure of a confirmed or suspected data breach. Don’t forget: 47 states have breach notification requirements, so make sure that you are aware of any regional communication requirements.
Accurate and effective technology solutions are necessary to collect, store, and process log and alert data. Security event logs can be crucial for the identification, containment, and post-mortem analysis of a cybersecurity incident. Incomplete or inaccurate log data can make an effective incident response very difficult or – at worst – make it completely impossible. These logs should be collected and processed at all levels: network, system, and application. Security alerts based on logs and system activity are possibly the best way to identify an incident and, with a little luck, respond before any damage is done.
Disaster recovery, the final area, is arguably the most vital component of incident response. Once the dust settles and the immediate risk has passed, you will need to quickly get systems fully operational. Business continuity procedures are also essential to keep the business functioning in the midst of an incident. In the end, the effectiveness of threat identification and containment is irrelevant if the resulting damage cannot be fixed.
Although training, communication, technology, and disaster recovery are probably addressed in some manner or another in all mature organizations, reframing these topics in terms of a cybersecurity incident response can provide new perspective and be useful in helping you to spot weaknesses in current procedures. Consider taking another look at your incident response plan and asking yourself, “Is my organization really prepared to respond to a security breach?”
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.