Following on from part one of this three-part series, this week we look at Incident Response…
2. Incident Response
Historically, too much IT security spending has focused on the prevention of data breaches, and not enough has gone towards preparing for the inevitable.
- Prevention alone fails: just read the data breach headlines making news on a weekly — if not daily — basis.
- Detection alone fails: consider that the majority of incidents are detected externally, by law enforcement such as the FBI, rather than internally by the victim organizations themselves.
- What’s left when all else fails? Incident response.
An established incident response plan is mandated by the NY Cybersecurity Requirements, and both the GDPR and the NY requirements impose 72-hour data-breach notification deadlines. Meeting those deadlines will require dramatic changes to the plans of organizations not accustomed to responding to security incidents within strict timelines.
How can you gauge your organization’s IR capabilities?
Consider the following questions:
- Do you have an incident response program in place?
- Are employees aware of what constitutes an incident to begin with, and of how to report and manage one?
- Have you optimized the tools you are using today to protect against and detect incidents?
- Has your program been updated and tested to address today’s cyber threats and to comply with breach notification requirements?
- Does the executive team know their role and what is expected of them?
- Do you have the tools and relationships in place to accelerate your response to a serious security incident, both for containment and for public management?
- Does your plan include provisions for retaining forensic and public relations firms that align with your cybersecurity insurance policy?
Professional services such as security program assessments can help organizations focus on their ability to detect and respond to security incidents, formally document the workflow required to triage and manage the incidents affecting the environment, and improve the processes that support current incident concerns. Compromise assessments help determine whether an incident has already occurred or is currently in progress. Interactive tabletop exercises and breach simulations, in conjunction with forensic and incident response “emergency services” partnerships, can also be of great value.
A comprehensive incident response plan will enable your organization to respond aggressively to an attack, maintain compliance, minimize damage and align defenses to mitigate future intrusions.
This blog was originally published by our Partner Forsythe. Join us next week as we look at the third and final step, third-party risk.