alphaspirit - Fotolia
Nearly 80% of organisations remain unprepared and without a formal plan to respond to cyber security incidents, a report has revealed.
Based on data from 24 security operations centres, seven R&D centres, 3.5 trillion logs and 6.2 billion attacks in 2015, the GTIR shows that on average, only 23% of organisations have the capability to respond effectively to critical security incidents.
The lack of improvement was further underlined by the finding that nearly 21% of vulnerabilities detected in client networks were more than three years old, while more than 12% were over 5 years old, and over 5% were more than 10 years old. Results included vulnerabilities from as far back as 1999, making them over 16 years old.
“Prevention and planning for cyber security incidents seems to be stagnating,” said Garry Sidaway, vice-president of strategy and alliances at NTT Com Security.
“This is a real concern and could be due to a number of reasons, such as security fatigue caused by too many high-profile security breaches, information overload and conflicting advice in combination with the sheer pace of technology change, lack of investment and increased regulation.
“Facing security challenges that didn’t exist last year, let alone a decade ago, and struggling with a shortfall in information security professionals, many organisations no longer have the necessary skills or resources to cope. Our mantra is prevention is better than cure and get the security basics right, including having a clear, well-communicated incident response plan.”
Read more about incident response
- Professional incident response providers can quickly bring the additional resources and the expertise that companies often need to handle a rapidly unfolding threat.
- Planning and foresight are essential to any cyber security incident response plan. Follow these steps to make sure you are ready for a data breach.
- Organisations hit by cyber attacks often lack an effective incident response plan. Why are so many unprepared?
Spike in insider threats
Although financial services was the leading sector for incident response in previous annual GTIR reports, the retail sector now takes the lead, with 22% of all response engagements, up from 12% the previous year. But retail – a popular target due to processing large volumes of personal information such as credit card details – also experienced the highest number of attacks, the report shows.
The report shows an increase in breach investigations to 28% in 2015 compared with 16% the previous year, with most incidents involving theft of data and intellectual property.
Internal threats jumped to 19% of overall investigations – from 2% in 2014 – with many of these the result of employees and contractors abusing information and computing assets.
Spear phishing attacks accounted for approximately 17% of incident response activities in 2015, up from 2% previously. Many of these attacks related to financial fraud targeting executives and finance personnel, with attackers using clever social engineering tactics, such as getting organisations to pay fake invoices.
Despite the rise in distributed denial of service (DDoS) hacking groups like DD4BC, the GTIR noted a drop in DDoS related activity compared with the previous two years. This is likely to be due to an investment in DDoS mitigation tools and services, the report said. However, the report also said extortion, based on payments by victims to avoid or stop DDoS attacks, had become more prevalent.
Incident response recommendations
NTT Com Security made four recommendations for incident response:
- Prepare incident management processes and “run books”.
Many organisations have limited guidelines describing how to declare and classify incidents even though these are critical to ensure a response can be initiated. Depending on the type of attack, potential impact and other factors, response activities will be very different for each. Common practices for incident response also suggest organisations should develop “run books” to address how common incidents should be handled in their environment.
- Evaluate your response effectiveness.
When incidents occur the last thing you want is to lack an understanding of standard incident response operating procedures. Evaluation of preparedness should include regular test scenarios. Consider post-mortem reviews to document and build upon response activities that worked well, as well as areas needing improvement.
- Update escalation rosters.
As organisations grow and roles change, it is important to update documentation related to who is involved in incident response activities. Time is critical to incident response and not being able to quickly involve the correct people can hamper your effectiveness. Updating contact information for suppliers such as external incident response support and other providers is just as important.
- Prepare technical documentation.
To make accurate decisions and identify impacted systems, organisations must have comprehensive and accurate details about their network.