Most firms are not as prepared as they should be for responding to cyber attacks, says e-discovery firm Guidance Software.
But with sensible reviews of processes and communications strategies, up to 70% of firms could put themselves on a much better footing, said Nick Pollard, the firm’s senior director of professional services.
“The cost of mitigating and recovering from any attack is far less when incident response plans are well practised,” he said.
The problem is that not all companies have well-defined incident response plans, and even if they do, staff are not regularly drilled to ensure the plans work and everyone knows what to do.
“If people do not know which systems to shut down in which circumstances, the impact of incidents can be longer lasting and more costly,” said Pollard.
Incident response planning and testing
Only a joined-up approach to incident response, practised as thoroughly as a fire drill, will be effective in minimising the damage from cyber attacks and the time to recovery.
Failing to practise in this way, he said, typically results in confusion and panic among managers; all too often the focus of incident response is on technology rather than on policies and processes that conform to best practice.
Security testing, such as penetration testing, also tends to be done in isolation; consequently incident response plans are designed around individual vulnerabilities rather than around protecting business processes.
However, recent high-profile cyber attacks have helped to raise awareness of the potential impact on businesses, said Pollard, especially in terms of reputational damage if customer data is accessed.
In the past six months, he said, national utility suppliers and financial sector companies in particular have been paying increased attention to incident response capabilities.
User security awareness training is an important element of that, said Pollard, as staff are often the weakest link because attackers are so adept at using social engineering to bypass security controls.
“Employees need to understand that they have a responsibility to keep data safe; if they don’t, attackers will always be able to get around any authentication system by tricking or manipulating users,” he said.
Successful user awareness programmes typically remind users of their data security responsibilities on a regular basis through posters, newsletters, roadshows and audits, said Pollard.
“Audits provide a useful way of assessing employee understanding of the technologies they use and ensuring the incident response processes are adequate,” he said.
Regular drills and reviews ensure that processes remain up to date and that incident response remains robust even if there is a high turnover of staff.
Outsourcing is another area commonly overlooked in incident response planning, said Pollard, with many organisations relying on contractual terms to guarantee robust security from their providers.
Organisations should assess very carefully how outsourcing could affect their ability to mitigate and recover from cyber attacks, he said.
Although data security is beginning to enjoy greater attention, Pollard believes society has yet to adapt fully to the rapid adoption of technology in the past 20 years.
“People are quick to embrace technology, but many still live in the old world of trust and have failed to accept the danger and adopt the necessary practices to keep data secure,” he said.