Security Think Tank: Incident response – prepare, test, and test again

What does a good information security incident response plan look like?

It is not a question of “if” but “when” with regards to a data breach. 

Verizon's annual Data Breach Investigations Report (DBIR), an excellent and reputable source, includes a powerful quote on its opening page: “Some organisations will be a target regardless of what they do, but most become a target because of what they do.”

I would like to add: “Organisations will recover from targeted attacks proportionally to their incident response preparedness.”

The key objective of any post-breach activity is to stay calm, be as honest as possible and always over-communicate to key stakeholders, such as regulators, law enforcement, customers and partners. Such a strategy may seem counter-productive, but experience shows that it pays off.

Let’s look at two examples, one of good execution and one of not so good execution.

The first is the well-known Target breach of 2013. The company responded quickly after discovering the breach and did not try to sugarcoat its messages. Compare this with the 2011 targeted attack on RSA and the breach that followed: RSA was very secretive about what had happened and what impact the incident had on its customers.

To achieve the objectives stated above, an organisation needs a well-defined, well-known and tested incident response plan. Testing is the most important of the three, yet companies do not spend enough time and resources on it.

When a breach happens, the stress of the situation means that many mistakes are bound to be made unless the drill has been “hard-coded” into the people involved in resolving the incident. Companies should look to mature disciplines, such as fire safety, which emphasises the fire drill, for lessons.

Finally, I would like to draw attention to the cloud computing book by Raj Samani, Brian Honan and Jim Reavis, which covers cloud-related incident response processes.

Vladimir Jirasek is managing director of Jirasek Consulting Services.