Why Are Businesses Ignoring Incident Response?

A tried and tested Incident Response (IR) process is critical in enabling a business to react to a cyber breach quickly and effectively, to reduce the Mean Time to Respond (MTTR) and the impact radius. It also enables the security team to quickly identify and assess indicators of compromise (IoC) and to select the appropriate playbook to handle the incident.

And yet, astonishingly, 36% of businesses in the UK do not have any formal IR Plan (IRP) in place, according to the UK government’s Cybersecurity Longitudinal Survey carried out in mid-2022.  

Those findings are mirrored by the Cyber Security Breaches Survey 2022 which found only 19% of businesses have a formal IRP, while 39% had chosen instead to assign someone else to handle things should an incident occur. Not having an IRP in place, however, can be a significant factor in how much impact an attack has.

The longer an attack goes on, the more damage it can do and the more costly it becomes to resolve, so driving down MTTR should be a key priority for any business. 

The recent annual Cost of a Data Breach report from IBM Security found it takes 70 days on average to contain a breach and that the cost of resolution was 58% higher than for those without an IRP. It also found evidence that an IRP can generate higher cost savings over time. This is because a proper post-incident review enables the business to quantify the real cost of the attack or to use the experience to improve practices going forward. 

Similarly, if IRPs are put through their paces and tested on a regularly basis, this can also improve response times. However, the Longitudinal survey found only 43% test their plans annually, which means that the plan may not be as effective as it could be and is likely to be out of step with emerging threats. Businesses with 250 employees or more were also more likely to have tested their IRP versus medium sized businesses, although those numbers were still only 52% and 42% respectively.

Acting After The Event

So why are many so reluctant to implement an IRP? Firstly, it turns out many only decide to do so after they’ve been burnt. The Longitudinal Survey found 60% of businesses were likely to have written processes in place if they had been compromised, compared to 44% of those that had not, and the margin widened still further when phishing attacks were excluded. Therefore, many seem to be implementing an IRP reactively rather than taking a proactive approach.

The survey also found those who worked in highly regulated sectors such as IT, telecoms or finance, were more likely to keep formal IRPs, with 85% of these including guidance for reporting incidents externally to regulators or insurers. Those who were ISO 27001 compliant also had IRPs, in line with the standard’s requirements, revealing that compliance remains a strong driver.

Thirdly, the qualitative research revealed that many struggled to see the value in having a formal IRP as ‘things worked very informally in their organisation’ or ‘a common-sense approach was all that was required’. But in reality, having a process in place can conserve time, effort and resource.

In smaller businesses, the argument runs that there isn’t enough time to dedicate to developing, implementing and testing an IRP but this is counterproductive. Understanding how data is processed, who has the authority to deal with an incident, what resources are at your disposal and having a framework in place will all help the business recover far more rapidly, preventing downtime and lost revenue.   

What Should Be In An IRP?

An IRP must be a workable document that is tailored to the business to make it meaningful and ensure it is followed. However, the Longitudinal Survey reveals that the level of detail in the IRP varied greatly, from simply naming a person to report to, to repurposing other risk or IT frameworks. But the IRP is too important to sideline in this way and there are important components which should be included, which the UK National Cyber Security Centre (NCSC) nicely surmises. 

The process begins with the preparation phase which is what the IRP is built around. This establishes the correct tooling, resources, training and teams who need to be involved in the process when an incident occurs. Throughout this process, procedures need to be put in place to communicate, oversee, track and document the incident, and its these that need to be in the IRP. You’ll need to include the contact details and names of designated personnel, details of the first steps they should take, who to contact with respect to cyber insurance, the breach information to be documented, how the investigation should be conducted, comms plans to notify affected parties, legal teams and PR, and to notify the regulatory authorities.

This is followed by triaging the incident to assess impact, categorise the incident against known cyber threats, and assign an incident manager. If the incident is serious enough this will trigger an escalation leading to a response, so the business needs an understanding of the risks it is exposed to, the likely repercussions and how it should respond. This may be in the form of a playbook, which acts like a specialised IRP, with specific procedures to mitigate the threat. It is at this point that the business will need to determine who needs to be involved/notified, 

For the security team, the process moves through the incident response lifecycle according to where the current stage is believed to be. This may involve capturing and analysing the threat (Analysis & Identification Phase), containing and mitigating a threat to lower the impact and prevent spread (Containment Phase), and remediating and potentially eradicating the threat (Eradication Phase). It’s only when this process of investigation and mitigation is complete that the team can move on to recovery and resuming ‘business as usual’ (Recovery Phase). 

The final but perhaps most important stage of the process is post-incident review, which seeks to assess and document the causes.

This enables all elements of the business from the security team to any third parties involved team to look at what went well and what could be improved, thereby strengthening defences.

Testing The IRP

As we’ve already touched upon, the IRP is a living document that will need to be continually modified. It should be subjected to periodic reviews and road tested to ensure its robustness so that when a breach does happen, the team can be confident it will work. 

The best way of doing this is to carry out simulated attacks that emulate the real thing to expose areas of weakness in the execution of the IRP. Simulated exercises can vary from entry level desktop exercises through to full-blown simulations. Roleplay might be used to simulate a call from the attacker demanding a ransom or a member of the press enquiring about a breach, for instance. 

The best exercises that yield the most insight are those where the incident snowballs and envelops other departments such as IT, security, and PR, enabling these teams to test how well they work together. And going a step further, red teaming can be used to uncover attack pathways and techniques the business may not have anticipated or factored into its IRP, enabling it to devise playbooks in response to these.

The benefits of testing the rigour of the IRP shouldn’t be underestimated not only in terms of improving processes but also with regard to providing real protection.

The IBM report referred to earlier found organisations with IR teams that regularly tested their plans realised up to $2.66m in savings when breached compared to those that did not. Proof, if any were needed, that it really does pay to have a tried and tested IRP.

Phil Robinson is Principal Consultant at Prism Infosec:                        image: iStock / stuartmiles99

You Might Also Read:

Preventing Ransomware Attacks Begins With You:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Progress Software Has Critical Hacking Vulnerabilities
Don't Use ChatGPT At Work »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

SecurityMetrics

SecurityMetrics

SecurityMetrics is leader in data security, PCI, and HIPAA compliance solutions

National Cyber Security Centre (NKSC) - Lithuania

National Cyber Security Centre (NKSC) - Lithuania

NKSC is the main Lithuanian cyber security institution, responsible for unified management of cyber incidents, monitoring and control of the implementation of cyber security requirements.

ClickDatos

ClickDatos

ClickDatos specializes in consulting, auditing, data protection training, accredited by ISO/IEC 27001 certification.

WeSecureApp (WSA)

WeSecureApp (WSA)

WeSecureApp is specialized in providing Cyber Security Solutions to safeguard your applications and networks.

Ataya & Partners

Ataya & Partners

Ataya & Partners is a consulting company that delivers data protection, cybersecurity and IT & Digital governance services.

Vdoo

Vdoo

Vdoo provides an end-to-end product security platform for automating all software security tasks throughout the entire product lifecycle.

QuickLaunch

QuickLaunch

QuickLaunch transforms how cloud-savvy institutions and companies manage human and device authentication, authorization, access control and integration.

Carson McDowell

Carson McDowell

Carson McDowell are one of Northern Ireland's leading law firms. We are the law firm of choice for many of Northern Ireland's Top 100 companies as well as international companies doing business here.

Albania Lab

Albania Lab

Albania Lab is a consulting company focused on the development and delivery of digital solutions and IT services including cybersecurity.

Tentacle

Tentacle

Tentacle has developed a configurable data management tool that helps organizations to improve their information security programs and overall security posture.

The Cyber Guild

The Cyber Guild

The Cyber Guild is a not-for-profit organization working to improve the understanding and practice of cybersecurity, and to help raise awareness and education for all.

Finite State

Finite State

Finite State enables product security teams to protect the devices we rely on every day through market-leading software threat, vulnerability, and risk management.

PRE Security

PRE Security

PRE Security is leading the transition into the next era of AI cybersecurity with a new model: Predict & Prevent.

Trovent Security

Trovent Security

Trovent was founded with a clear goal: to support medium-sized companies in significantly increasing their IT security level.

Everfox

Everfox

Everfox (formerly Forcepoint Federal) has been defending the world's most critical data and networks against the most complex cyber threats imaginable for more than 25 years.

Digital & Intelligence Service (DIS) - Singapore

Digital & Intelligence Service (DIS) - Singapore

DIS is the fourth Service of the SAF, here to defend and dominate in the digital domain, and achieve peace and security for our land.