Why Are Businesses Ignoring Incident Response?

A tried and tested Incident Response (IR) process is critical in enabling a business to react to a cyber breach quickly and effectively, to reduce the Mean Time to Respond (MTTR) and the impact radius. It also enables the security team to quickly identify and assess indicators of compromise (IoC) and to select the appropriate playbook to handle the incident.

And yet, astonishingly, 36% of businesses in the UK do not have any formal IR Plan (IRP) in place, according to the UK government’s Cybersecurity Longitudinal Survey carried out in mid-2022.  

Those findings are mirrored by the Cyber Security Breaches Survey 2022 which found only 19% of businesses have a formal IRP, while 39% had chosen instead to assign someone else to handle things should an incident occur. Not having an IRP in place, however, can be a significant factor in how much impact an attack has.

The longer an attack goes on, the more damage it can do and the more costly it becomes to resolve, so driving down MTTR should be a key priority for any business. 

The recent annual Cost of a Data Breach report from IBM Security found it takes 70 days on average to contain a breach and that the cost of resolution was 58% higher than for those without an IRP. It also found evidence that an IRP can generate higher cost savings over time. This is because a proper post-incident review enables the business to quantify the real cost of the attack or to use the experience to improve practices going forward. 

Similarly, if IRPs are put through their paces and tested on a regularly basis, this can also improve response times. However, the Longitudinal survey found only 43% test their plans annually, which means that the plan may not be as effective as it could be and is likely to be out of step with emerging threats. Businesses with 250 employees or more were also more likely to have tested their IRP versus medium sized businesses, although those numbers were still only 52% and 42% respectively.

Acting After The Event

So why are many so reluctant to implement an IRP? Firstly, it turns out many only decide to do so after they’ve been burnt. The Longitudinal Survey found 60% of businesses were likely to have written processes in place if they had been compromised, compared to 44% of those that had not, and the margin widened still further when phishing attacks were excluded. Therefore, many seem to be implementing an IRP reactively rather than taking a proactive approach.

The survey also found those who worked in highly regulated sectors such as IT, telecoms or finance, were more likely to keep formal IRPs, with 85% of these including guidance for reporting incidents externally to regulators or insurers. Those who were ISO 27001 compliant also had IRPs, in line with the standard’s requirements, revealing that compliance remains a strong driver.

Thirdly, the qualitative research revealed that many struggled to see the value in having a formal IRP as ‘things worked very informally in their organisation’ or ‘a common-sense approach was all that was required’. But in reality, having a process in place can conserve time, effort and resource.

In smaller businesses, the argument runs that there isn’t enough time to dedicate to developing, implementing and testing an IRP but this is counterproductive. Understanding how data is processed, who has the authority to deal with an incident, what resources are at your disposal and having a framework in place will all help the business recover far more rapidly, preventing downtime and lost revenue.   

What Should Be In An IRP?

An IRP must be a workable document that is tailored to the business to make it meaningful and ensure it is followed. However, the Longitudinal Survey reveals that the level of detail in the IRP varied greatly, from simply naming a person to report to, to repurposing other risk or IT frameworks. But the IRP is too important to sideline in this way and there are important components which should be included, which the UK National Cyber Security Centre (NCSC) nicely surmises. 

The process begins with the preparation phase which is what the IRP is built around. This establishes the correct tooling, resources, training and teams who need to be involved in the process when an incident occurs. Throughout this process, procedures need to be put in place to communicate, oversee, track and document the incident, and its these that need to be in the IRP. You’ll need to include the contact details and names of designated personnel, details of the first steps they should take, who to contact with respect to cyber insurance, the breach information to be documented, how the investigation should be conducted, comms plans to notify affected parties, legal teams and PR, and to notify the regulatory authorities.

This is followed by triaging the incident to assess impact, categorise the incident against known cyber threats, and assign an incident manager. If the incident is serious enough this will trigger an escalation leading to a response, so the business needs an understanding of the risks it is exposed to, the likely repercussions and how it should respond. This may be in the form of a playbook, which acts like a specialised IRP, with specific procedures to mitigate the threat. It is at this point that the business will need to determine who needs to be involved/notified, 

For the security team, the process moves through the incident response lifecycle according to where the current stage is believed to be. This may involve capturing and analysing the threat (Analysis & Identification Phase), containing and mitigating a threat to lower the impact and prevent spread (Containment Phase), and remediating and potentially eradicating the threat (Eradication Phase). It’s only when this process of investigation and mitigation is complete that the team can move on to recovery and resuming ‘business as usual’ (Recovery Phase). 

The final but perhaps most important stage of the process is post-incident review, which seeks to assess and document the causes.

This enables all elements of the business from the security team to any third parties involved team to look at what went well and what could be improved, thereby strengthening defences.

Testing The IRP

As we’ve already touched upon, the IRP is a living document that will need to be continually modified. It should be subjected to periodic reviews and road tested to ensure its robustness so that when a breach does happen, the team can be confident it will work. 

The best way of doing this is to carry out simulated attacks that emulate the real thing to expose areas of weakness in the execution of the IRP. Simulated exercises can vary from entry level desktop exercises through to full-blown simulations. Roleplay might be used to simulate a call from the attacker demanding a ransom or a member of the press enquiring about a breach, for instance. 

The best exercises that yield the most insight are those where the incident snowballs and envelops other departments such as IT, security, and PR, enabling these teams to test how well they work together. And going a step further, red teaming can be used to uncover attack pathways and techniques the business may not have anticipated or factored into its IRP, enabling it to devise playbooks in response to these.

The benefits of testing the rigour of the IRP shouldn’t be underestimated not only in terms of improving processes but also with regard to providing real protection.

The IBM report referred to earlier found organisations with IR teams that regularly tested their plans realised up to $2.66m in savings when breached compared to those that did not. Proof, if any were needed, that it really does pay to have a tried and tested IRP.

Phil Robinson is Principal Consultant at Prism Infosec:                        image: iStock / stuartmiles99

You Might Also Read:

Preventing Ransomware Attacks Begins With You:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Progress Software Has Critical Hacking Vulnerabilities
Don't Use ChatGPT At Work »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ITpreneurs

ITpreneurs

ITpreneurs provides IT training content, Instructors, Learning Infrastructure and services to IT Training providers.

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality ISAC operates as a central hub for sharing sector-specific cyber security information and intelligence.

SQNetworks

SQNetworks

SQNetworks provides a full range of cybersecurity consultancy, services and solutions.

KIOS Center of Excellence (KIOS CoE)

KIOS Center of Excellence (KIOS CoE)

KIOS carries out top level research in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control and Security of Critical Infrastructures.

ResponSight

ResponSight

ResponSight is a data science company focusing specifically on the challenge of measuring risk and identifying changes in enterprise/corporate networks using behavioural analytics.

PhishX

PhishX

PhishX is a SaaS platform for security awareness that simulates Cyberthreats, train people, while measure and analysis results, reducing Cybersecurity risks for People and Companies.

Securis

Securis

Securis provides organizations and agencies with the highest level of professional, ultra-secure data destruction and IT recycling.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

Cyber Skyline

Cyber Skyline

Cyber Skyline is a revolutionary cloud platform to practice, develop, and measure your team's technical cybersecurity skills.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

Cufflink

Cufflink

Cufflink makes your business more secure, compliant and trusted. We limit the likelihood and impact of a data breach by controlling exactly what can and can't be done with personal data.

Labaton Sucharow

Labaton Sucharow

Standing on the horizon of law and technology, our Cybersecurity and Data Privacy Practice helps to protect consumers who have been harmed by businesses’ failures to safeguard their customers' data.

KCS Group Europe

KCS Group Europe

KCS Group helps its clients to identify and deal with any risks, weaknesses and threats which could impact on the business financially or reputationally.

Inholo

Inholo

Inholo offers tools to manage the risks of synthetic realities, starting with an AI-photo detection service.

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures is an early-stage investment vehicle focused on cybersecurity, data analytics and automation startups.

M7 Services

M7 Services

M7 Services are a comprehensive Managed Services Provider (MSP) with a focus on delivering cutting-edge information technology solutions and unparalleled customer service.