Regardless of a company’s size, having the organizational capability to competently handle cyber incidents is no longer optional. The focus of this post will be on incidents that result in a data breach (which roughly 60% of incidents do). The global average cost of a data breach is $3.62 million, with the average cost for a single sensitive record coming in at $141, according to the 2017 Ponemon Data Breach Study.
For some, building a capability to effectively response to incidents is regulation-driven; roughly 64% of respondents reported that Payment Card Industry (PCI) regulations drive their response improvements, followed by SOX at 43% and HIPAA at 34%. While some argue that regulation-driven compliance simply means checking the boxes, that isn't necessarily a bad thing, often guaranteeing financial resources and executive commitment to complete. Companies that do not fall under such regimes are more likely to fall behind and have heavier lifting to do until other motivations (e.g., a desire to obtain cyber insurance) require some of the same good practices.
Being prepared for an incident requires up front and ongoing effort. Firms can elect to handle incident response planning and incidents internally, or, augment internal capabilities using outsourced service providers. Encouragingly, the 2017 SANS Incident Response Survey found that 84% of surveyed organizations have at least one team member dedicated to incident response. There are an increasing number of product vendors and professional services organizations offering sophisticated support in this area.
So, statistics aside, what does success look like in incident response?
1. A realistic, clearly communicated and regularly tested incident response plan.
If your plan meets these criteria, you are 80% there. Keep the plan as simple as possible. When testing and refining the plan, include business, legal, risk management, communications/public relations, vendor, and other key stakeholders, not just IT. Stay abreast of ever-changing data breach notification requirements, which often vary by state, and by country.
2. Have a breach? Take care not to destroy forensic evidence.
Seemingly innocuous actions such as powering down or rebooting a machine, opening a file or folder, or failing to take and secure an image of the asset before analyzing it could have preclude its use as evidence in court later. Consider engaging a trained forensic expert, with guidance from legal and human resources departments, versus attempting to do this internally. At the very least, ensure that those handling the evidence understand chain of custody principles, and the essential principles that data breach 'first responders' need to abide by.
Understand your policy intimately. Read the policy line-by-line at inception and at renewal. Ensure the right staff are involved with completing and reviewing the annual questionnaires. Finally, be sure to integrate required insurance procedures directly into your incident response plan. A staff member or service provider, could innocently invalidate coverage; from accidentally missing notification requirements to not using a prescribed vendor (e.g., for forensics or incident response), to failing to abide by previously promised patching policies. Do not be lulled into a false sense of security that by having cyber insurance, that your organization will automatically be covered.
Although I subscribe to the belief that it is not if an organization will be breached, but when, I also believe that the risk and impact or a data breach can be significantly mitigated through conscious preparation and continuous readiness. Incident response planning does not need to be complex or costly, it just needs to be done.