Why Are Businesses Ignoring Incident Response?

A tried and tested Incident Response (IR) process is critical in enabling a business to react to a cyber breach quickly and effectively, to reduce the Mean Time to Respond (MTTR) and the impact radius. It also enables the security team to quickly identify and assess indicators of compromise (IoC) and to select the appropriate playbook to handle the incident.

And yet, astonishingly, 36% of businesses in the UK do not have any formal IR Plan (IRP) in place, according to the UK government’s Cybersecurity Longitudinal Survey carried out in mid-2022.  

Those findings are mirrored by the Cyber Security Breaches Survey 2022, which found only 19% of businesses have a formal IRP, while 39% have chosen instead to assign someone to handle things should an incident occur. Not having an IRP in place, however, can be a significant factor in how much impact an attack has.

The longer an attack goes on, the more damage it can do and the more costly it becomes to resolve, so driving down MTTR should be a key priority for any business. 

The recent annual Cost of a Data Breach report from IBM Security found it takes 70 days on average to contain a breach and that the cost of resolution was 58% higher for those without an IRP. It also found evidence that an IRP can generate higher cost savings over time. This is because a proper post-incident review enables the business to quantify the real cost of the attack and to use the experience to improve practices going forward.

Similarly, if IRPs are put through their paces and tested on a regular basis, this can also improve response times. However, the Longitudinal Survey found only 43% test their plans annually, which means that the plan may not be as effective as it could be and is likely to be out of step with emerging threats. Businesses with 250 employees or more were also more likely to have tested their IRP than medium-sized businesses, although those numbers were still only 52% and 42% respectively.

Acting After The Event

So why are many so reluctant to implement an IRP? Firstly, it turns out many only decide to do so after they’ve been burnt. The Longitudinal Survey found 60% of businesses were likely to have written processes in place if they had been compromised, compared to 44% of those that had not, and the margin widened still further when phishing attacks were excluded. Therefore, many seem to be implementing an IRP reactively rather than taking a proactive approach.

Secondly, the survey found those who worked in highly regulated sectors such as IT, telecoms or finance were more likely to keep formal IRPs, with 85% of these including guidance for reporting incidents externally to regulators or insurers. Those who were ISO 27001 compliant also had IRPs, in line with the standard's requirements, revealing that compliance remains a strong driver.

Thirdly, the qualitative research revealed that many struggled to see the value in having a formal IRP as ‘things worked very informally in their organisation’ or ‘a common-sense approach was all that was required’. But in reality, having a process in place can conserve time, effort and resource.

In smaller businesses, the argument runs that there isn't enough time to dedicate to developing, implementing and testing an IRP, but this is counterproductive. Understanding how data is processed, who has the authority to deal with an incident, what resources are at your disposal, and having a framework in place will all help the business recover far more rapidly, preventing downtime and lost revenue.

What Should Be In An IRP?

An IRP must be a workable document that is tailored to the business to make it meaningful and ensure it is followed. However, the Longitudinal Survey reveals that the level of detail in the IRP varied greatly, from simply naming a person to report to, to repurposing other risk or IT frameworks. But the IRP is too important to sideline in this way, and there are important components which should be included, which the UK National Cyber Security Centre (NCSC) summarises nicely.

The process begins with the preparation phase, which is what the IRP is built around. This establishes the correct tooling, resources, training and the teams who need to be involved in the process when an incident occurs. Throughout this process, procedures need to be put in place to communicate, oversee, track and document the incident, and it's these that need to be in the IRP. You'll need to include the contact details and names of designated personnel, details of the first steps they should take, who to contact with respect to cyber insurance, the breach information to be documented, how the investigation should be conducted, comms plans to notify affected parties, legal teams and PR, and how to notify the regulatory authorities.

This is followed by triaging the incident to assess impact, categorise the incident against known cyber threats, and assign an incident manager. If the incident is serious enough this will trigger an escalation leading to a response, so the business needs an understanding of the risks it is exposed to, the likely repercussions and how it should respond. This may be in the form of a playbook, which acts like a specialised IRP, with specific procedures to mitigate the threat. It is at this point that the business will need to determine who needs to be involved/notified, 

For the security team, the process moves through the incident response lifecycle according to where the current stage is believed to be. This may involve capturing and analysing the threat (Analysis & Identification Phase), containing and mitigating a threat to lower the impact and prevent spread (Containment Phase), and remediating and potentially eradicating the threat (Eradication Phase). It’s only when this process of investigation and mitigation is complete that the team can move on to recovery and resuming ‘business as usual’ (Recovery Phase). 

The final but perhaps most important stage of the process is post-incident review, which seeks to assess and document the causes.

This enables all elements of the business, from the security team to any third parties involved, to look at what went well and what could be improved, thereby strengthening defences.

Testing The IRP

As we’ve already touched upon, the IRP is a living document that will need to be continually modified. It should be subjected to periodic reviews and road tested to ensure its robustness so that when a breach does happen, the team can be confident it will work. 

The best way of doing this is to carry out simulated attacks that emulate the real thing to expose areas of weakness in the execution of the IRP. Simulated exercises can vary from entry-level desktop exercises through to full-blown simulations. Roleplay might be used to simulate a call from the attacker demanding a ransom or a member of the press enquiring about a breach, for instance.

The best exercises that yield the most insight are those where the incident snowballs and envelops other departments such as IT, security, and PR, enabling these teams to test how well they work together. And going a step further, red teaming can be used to uncover attack pathways and techniques the business may not have anticipated or factored into its IRP, enabling it to devise playbooks in response to these.

The benefits of testing the rigour of the IRP shouldn’t be underestimated not only in terms of improving processes but also with regard to providing real protection.

The IBM report referred to earlier found organisations with IR teams that regularly tested their plans realised up to $2.66m in savings when breached compared to those that did not. Proof, if any were needed, that it really does pay to have a tried and tested IRP.

Phil Robinson is Principal Consultant at Prism Infosec.
