Why Are Businesses Ignoring Incident Response?

A tried and tested Incident Response (IR) process is critical in enabling a business to react to a cyber breach quickly and effectively, reducing both the Mean Time to Respond (MTTR) and the blast radius of the incident. It also enables the security team to identify and assess indicators of compromise (IoCs) quickly and to select the appropriate playbook for handling the incident.

And yet, astonishingly, 36% of businesses in the UK do not have any formal IR Plan (IRP) in place, according to the UK government’s Cybersecurity Longitudinal Survey carried out in mid-2022.  

Those findings are mirrored by the Cyber Security Breaches Survey 2022, which found that only 19% of businesses have a formal IRP, while 39% had instead chosen to assign a named individual to handle things should an incident occur. Not having an IRP in place, however, can be a significant factor in how much damage an attack does.

The longer an attack goes on, the more damage it can do and the more costly it becomes to resolve, so driving down MTTR should be a key priority for any business. 

IBM Security's most recent annual Cost of a Data Breach report found that it takes 70 days on average to contain a breach, and that breach costs were 58% higher for organisations with neither an IR team nor a regularly tested IRP than for those with both. It also found that an IRP can deliver greater cost savings over time, because a proper post-incident review enables the business to quantify the real cost of the attack and to use the experience to improve practices going forward.

Similarly, if IRPs are put through their paces and tested on a regular basis, response times improve. However, the Longitudinal Survey found only 43% test their plans annually, which means the plan may not be as effective as it could be and is likely to be out of step with emerging threats. Large businesses (250 employees or more) were more likely to have tested their IRP than medium-sized businesses, although even those figures were only 52% and 42% respectively.

Acting After The Event

So why are so many reluctant to implement an IRP? Firstly, it turns out that many only decide to do so after they have been burnt. The Longitudinal Survey found 60% of businesses that had been compromised had written processes in place, compared with 44% of those that had not, and the margin widened further when phishing attacks were excluded. Many, therefore, appear to be implementing an IRP reactively rather than taking a proactive approach.

Secondly, the survey found that those working in more heavily regulated sectors such as finance, telecoms and IT were more likely to keep formal IRPs, with 85% of these including guidance on reporting incidents externally to regulators or insurers. Those certified to ISO 27001 also had IRPs, in line with the standard's requirements, revealing that compliance remains a strong driver.

Thirdly, the qualitative research revealed that many struggled to see the value of a formal IRP, because 'things worked very informally in their organisation' or 'a common-sense approach was all that was required'. In reality, having a process in place conserves time, effort and resources at precisely the moment they are scarcest.

In smaller businesses, the argument runs that there is not enough time to dedicate to developing, implementing and testing an IRP, but this is counterproductive. Understanding how data is processed, who has the authority to deal with an incident, what resources are at your disposal, and having a framework in place will all help the business recover far more rapidly, limiting downtime and lost revenue.

What Should Be In An IRP?

An IRP must be a workable document tailored to the business, so that it is meaningful and actually followed. However, the Longitudinal Survey reveals that the level of detail in IRPs varied greatly, from simply naming a person to report to, to repurposing other risk or IT frameworks. The IRP is too important to sideline in this way, and there are essential components it should include, which the UK National Cyber Security Centre (NCSC) neatly summarises.

The process begins with the preparation phase, which is what the IRP is built around. This establishes the tooling, resources, training and teams that need to be involved when an incident occurs. Procedures for communicating, overseeing, tracking and documenting the incident need to be put in place, and it is these that belong in the IRP: the names and contact details of designated personnel; the first steps they should take; who to contact regarding cyber insurance; what breach information should be recorded; how the investigation should be conducted; and the communications plan for notifying affected parties, legal teams, PR and the regulatory authorities.

This is followed by triage: assessing impact, categorising the incident against known cyber threats, and assigning an incident manager. If the incident is serious enough, this triggers an escalation leading to a response, so the business needs an understanding of the risks it is exposed to, the likely repercussions and how it should respond. This may take the form of a playbook, which acts like a specialised IRP with specific procedures to mitigate that class of threat. It is at this point that the business will need to determine who needs to be involved and notified.

For the security team, the process then moves through the incident response lifecycle from whichever stage the incident is believed to have reached. This involves capturing and analysing the threat (Analysis & Identification Phase), containing and mitigating it to limit impact and prevent spread (Containment Phase), and remediating and eradicating it (Eradication Phase). Only when investigation and mitigation are complete can the team move on to recovery and resuming 'business as usual' (Recovery Phase).

The final, but perhaps most important, stage of the process is the post-incident review, which assesses and documents the root causes.

This enables every part of the business, from the security team to any third parties involved, to look at what went well and what could be improved, thereby strengthening defences.

Testing The IRP

As we have already touched upon, the IRP is a living document that will need continual modification. It should be subjected to periodic review and road-tested to ensure its robustness, so that when a breach does happen the team can be confident it will work.

The best way to do this is to carry out simulated attacks that emulate the real thing and expose weaknesses in how the IRP is executed. Exercises range from entry-level tabletop exercises through to full-blown live simulations. Roleplay might be used to simulate a call from the attacker demanding a ransom, or a member of the press enquiring about a breach, for instance.

The exercises that yield the most insight are those where the incident snowballs and envelops other departments such as IT, security and PR, testing how well these teams work together. Going a step further, red teaming can uncover attack paths and techniques the business has not anticipated or factored into its IRP, enabling it to devise playbooks for them.

The benefits of testing the rigour of the IRP should not be underestimated, not only in terms of improving processes but also in providing real protection.

The IBM report referred to earlier found that organisations with IR teams that regularly tested their plans saved an average of $2.66m per breach compared with those that did not. Proof, if any were needed, that it really does pay to have a tried and tested IRP.

Phil Robinson is Principal Consultant at Prism Infosec.
