Cyber attacks may seem like something that happens to other businesses. Maybe you don’t think your business is a hot enough target, or you assume your IT department is handling it so all will be well. This sort of thinking can bring the smallest and largest of organisations to their knees. Effective Incident Response Management is a critical tool.
The 2021 UK Government Cyber Security Breaches Survey reports that 66% of businesses and 59% of charities have some formalised incident response management in place, which on the surface sounds good, a near majority. However, when looking into the specifics, the numbers actually include any organisation that has at least 1 of 7 possible responses to an incident in place. Not as compelling a statistic now.
If (or often when) you suffer a security incident and/or data breach, how you deal with it in terms of detecting, responding, communicating and recovering will have a huge bearing on the level of impact to your business. Being prepared and practiced in advance is vital.
The NCSC defines a cyber incident as “a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990)” which highlights how susceptible most organisations are to an attack.
So how do we best protect ourselves, you may be asking? This is where a robust Incident Response Plan, one focused on recovery and getting the business up and running again, is vital. These plans are needed to protect data of all sorts and the reputation of your organisation, and to build and maintain trust with customers and clients.
In our opinion every organisation should keep a keen eye on Incident Response Management and have an Incident Response Plan and process in place that is easy to follow, can be initiated quickly, and is not reliant on detailed technical expertise to be effective. It is not practicable to cover every possible threat scenario, so a sensible starting position is to treat any Incident Response Plan or process as a set of guidelines through which all threats can be managed.
When developing an Incident Response Plan there are 4 key areas of consideration to start you thinking, each of which can be developed in line with the specifics of your business by a Cyber Security specialist:
- How can I protect customer / personal / sensitive data?
- How can I best detect and respond to incidents effectively and in a timely manner?
- How can I ensure appropriate communications & responsibilities are in place and understood?
- How can I get to a safe & effective resolution enabling a return to business as usual as quickly as possible?
Going a little deeper than these initial thoughts, the focus for an Incident Response Plan is on a 4-stage process of:
- Detection & Analysis
- Containment, Eradication & Recovery
- Post-incident activity
To deliver the plan effectively in the event of an incident, you will need an incident response team. Its members are not dedicated solely to this task; the responsibility is built into their roles depending on capability, role focus and department, enabling a return to business as usual as quickly as possible.
According to the 2021 X-Force Threat Intelligence Index from IBM, human error was a major contributing cause in 95% of all breaches reported in their research. People are therefore key to any Incident Response process being implemented successfully. For employees, awareness of the threats is key, so there should be some investment in ensuring teams are up to speed with even basic information, such as what might be an indicator of an attack or breach. A few examples would be a slow PC (even slower than usual), unexpected pop-ups, software update notifications, unexpected attachments, and emails from people you know where the language is not quite right.
Referring again to the UK Government survey, it reports that training or additional staff communication is the most common response after an attack or breach (19% in business and 26% in charities). If that’s the most common response, we should all be concerned, as it ultimately leaves around a third or more of charities and businesses doing nothing post attack. Further to this, the survey also shows that on aggregate the largest response is technical changes, which could suggest that fully investigating the root cause of incidents, or preventing people from causing issues, is again being ignored.
No organisation should underestimate the impact of awareness among its staff when considering cyber security. Workshops can really help and enable staff to feel a sense of ownership and togetherness around the topic and reinforce that there is no blame when it comes to cyber security attacks. The sophistication employed now often bypasses the best technologies, let alone humans who are working hard and focused on the job in hand.