Why Are Businesses Ignoring Incident Response?

A tried and tested Incident Response (IR) process is critical in enabling a business to react to a cyber breach quickly and effectively, to reduce the Mean Time to Respond (MTTR) and the impact radius. It also enables the security team to quickly identify and assess indicators of compromise (IoC) and to select the appropriate playbook to handle the incident.

And yet, astonishingly, 36% of businesses in the UK do not have any formal IR Plan (IRP) in place, according to the UK government’s Cybersecurity Longitudinal Survey carried out in mid-2022.  

Those findings are mirrored by the Cyber Security Breaches Survey 2022 which found only 19% of businesses have a formal IRP, while 39% had chosen instead to assign someone else to handle things should an incident occur. Not having an IRP in place, however, can be a significant factor in how much impact an attack has.

The longer an attack goes on, the more damage it can do and the more costly it becomes to resolve, so driving down MTTR should be a key priority for any business. 

The recent annual Cost of a Data Breach report from IBM Security found it takes 70 days on average to contain a breach and that the cost of resolution was 58% higher than for those without an IRP. It also found evidence that an IRP can generate higher cost savings over time. This is because a proper post-incident review enables the business to quantify the real cost of the attack or to use the experience to improve practices going forward. 

Similarly, if IRPs are put through their paces and tested on a regularly basis, this can also improve response times. However, the Longitudinal survey found only 43% test their plans annually, which means that the plan may not be as effective as it could be and is likely to be out of step with emerging threats. Businesses with 250 employees or more were also more likely to have tested their IRP versus medium sized businesses, although those numbers were still only 52% and 42% respectively.

Acting After The Event

So why are many so reluctant to implement an IRP? Firstly, it turns out many only decide to do so after they’ve been burnt. The Longitudinal Survey found 60% of businesses were likely to have written processes in place if they had been compromised, compared to 44% of those that had not, and the margin widened still further when phishing attacks were excluded. Therefore, many seem to be implementing an IRP reactively rather than taking a proactive approach.

The survey also found those who worked in highly regulated sectors such as IT, telecoms or finance, were more likely to keep formal IRPs, with 85% of these including guidance for reporting incidents externally to regulators or insurers. Those who were ISO 27001 compliant also had IRPs, in line with the standard’s requirements, revealing that compliance remains a strong driver.

Thirdly, the qualitative research revealed that many struggled to see the value in having a formal IRP as ‘things worked very informally in their organisation’ or ‘a common-sense approach was all that was required’. But in reality, having a process in place can conserve time, effort and resource.

In smaller businesses, the argument runs that there isn’t enough time to dedicate to developing, implementing and testing an IRP but this is counterproductive. Understanding how data is processed, who has the authority to deal with an incident, what resources are at your disposal and having a framework in place will all help the business recover far more rapidly, preventing downtime and lost revenue.   

What Should Be In An IRP?

An IRP must be a workable document that is tailored to the business to make it meaningful and ensure it is followed. However, the Longitudinal Survey reveals that the level of detail in the IRP varied greatly, from simply naming a person to report to, to repurposing other risk or IT frameworks. But the IRP is too important to sideline in this way and there are important components which should be included, which the UK National Cyber Security Centre (NCSC) nicely surmises. 

The process begins with the preparation phase which is what the IRP is built around. This establishes the correct tooling, resources, training and teams who need to be involved in the process when an incident occurs. Throughout this process, procedures need to be put in place to communicate, oversee, track and document the incident, and its these that need to be in the IRP. You’ll need to include the contact details and names of designated personnel, details of the first steps they should take, who to contact with respect to cyber insurance, the breach information to be documented, how the investigation should be conducted, comms plans to notify affected parties, legal teams and PR, and to notify the regulatory authorities.

This is followed by triaging the incident to assess impact, categorise the incident against known cyber threats, and assign an incident manager. If the incident is serious enough this will trigger an escalation leading to a response, so the business needs an understanding of the risks it is exposed to, the likely repercussions and how it should respond. This may be in the form of a playbook, which acts like a specialised IRP, with specific procedures to mitigate the threat. It is at this point that the business will need to determine who needs to be involved/notified, 

For the security team, the process moves through the incident response lifecycle according to where the current stage is believed to be. This may involve capturing and analysing the threat (Analysis & Identification Phase), containing and mitigating a threat to lower the impact and prevent spread (Containment Phase), and remediating and potentially eradicating the threat (Eradication Phase). It’s only when this process of investigation and mitigation is complete that the team can move on to recovery and resuming ‘business as usual’ (Recovery Phase). 

The final but perhaps most important stage of the process is post-incident review, which seeks to assess and document the causes.

This enables all elements of the business from the security team to any third parties involved team to look at what went well and what could be improved, thereby strengthening defences.

Testing The IRP

As we’ve already touched upon, the IRP is a living document that will need to be continually modified. It should be subjected to periodic reviews and road tested to ensure its robustness so that when a breach does happen, the team can be confident it will work. 

The best way of doing this is to carry out simulated attacks that emulate the real thing to expose areas of weakness in the execution of the IRP. Simulated exercises can vary from entry level desktop exercises through to full-blown simulations. Roleplay might be used to simulate a call from the attacker demanding a ransom or a member of the press enquiring about a breach, for instance. 

The best exercises that yield the most insight are those where the incident snowballs and envelops other departments such as IT, security, and PR, enabling these teams to test how well they work together. And going a step further, red teaming can be used to uncover attack pathways and techniques the business may not have anticipated or factored into its IRP, enabling it to devise playbooks in response to these.

The benefits of testing the rigour of the IRP shouldn’t be underestimated not only in terms of improving processes but also with regard to providing real protection.

The IBM report referred to earlier found organisations with IR teams that regularly tested their plans realised up to $2.66m in savings when breached compared to those that did not. Proof, if any were needed, that it really does pay to have a tried and tested IRP.

Phil Robinson is Principal Consultant at Prism Infosec:                        image: iStock / stuartmiles99

You Might Also Read:

Preventing Ransomware Attacks Begins With You:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Progress Software Has Critical Hacking Vulnerabilities
Don't Use ChatGPT At Work »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

e-Governance Academy (eGA)

e-Governance Academy (eGA)

eGA is a think tank and consultancy founded for the transfer of knowledge and best practice in e-governance, e-democracy and national cyber security.

Canadian Security Intelligence Service (CSIS)

Canadian Security Intelligence Service (CSIS)

CSIS collects and analyzes threat-related information concerning the security of Canada in areas including terrorism, espionage, WMD, cybersecurity and critical infrastructure protection.

KOS-CERT

KOS-CERT

KOS-CERT is the national Computer Incident Response Team for Kosovo.

Codeproof Technologies

Codeproof Technologies

The Codeproof enterprise mobility solution empowers your business to secure, deploy and manage mobile applications and data on smartphones, tablets, IoT devices and more.

N8 Identity

N8 Identity

N8 Identity helps organizations realize the vision of Autonomous Identity Governance™ with AI-driven Identity solutions.

VariQ

VariQ

VariQ is a premier provider of Cybersecurity, Software Development and Cloud services to federal, state, and local government.

Sprint Networks

Sprint Networks

Sprint Networks is a trusted compliance and risk program advisor which deliver cost-effective technology to reduce enterprise-wide risk.

Entara

Entara

Entara (formerly YJT Solutions) is an eXtended Service Provider (XSP) focused on providing cutting edge technology and cyber security solutions to companies in regulated industries.

Mission Critical Partners (MCP)

Mission Critical Partners (MCP)

Mission Critical Partners is committed to delivering innovative solutions that help our clients enhance and evolve their critical-communications systems and operations.

Primus Institute of Technology

Primus Institute of Technology

At Primus Institute of Technology our mission is to inspire, support, and empower current and aspiring IT professionals through training and career development workshops.

Sentryc

Sentryc

Sentryc provides automated monitoring of brands on online marketplaces and social media making online brand protection processes faster, more clearly structured and more efficient.

Buzz Cybersecurity

Buzz Cybersecurity

Buzz Cybersecurity systems and services are designed to proactively guard against common and uncommon cyber threats.

Paramount Defenses

Paramount Defenses

Paramount Defenses have unrivaled capability in two of the most critical areas in cyber security today – Active Directory Security and Privileged Access.

Aurascape AI

Aurascape AI

Aurascape is working on advanced cybersecurity solutions powered by grounds-up generative AI architecture.

RedArx Cyber Group

RedArx Cyber Group

At RedArx Cyber Group, our vision is to empower businesses with cutting-edge, proactive security solutions that safeguard their digital landscapes.

Validia

Validia

Validia is a deepfake cybersecurity service that provides proactive and reactive defense to the deepfake threat enterprises increasingly face with the rapid growth of generative AI.