NIST defines an incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” New types of incidents are occurring all the time as cyber criminals continue to evolve. The question is, are you continuing to evolve and prepare for these incidents?
Many organizations have standard processes and defined responses for handling incidents. However, when was the last time the process was tested from beginning to end, involving all relevant parties (including third parties), specific incident response procedures, business recovery and continuity procedures, data backup processes, analysis of legal requirements, and coverage and responses for critical system components? Minor incidents tend to occur daily and lull organizations into a false sense of security: the belief that the process is working just fine and that business as usual is a sufficient test of the plan. While these types of responses are necessary and part of standard operating procedures, if a true data breach occurred, would you be able to identify it, and would the entire team know how to respond?
Testing the incident response plan at least annually is best practice and is required by some compliance frameworks (PCI DSS). The test should assume the worst-case scenario(s) and involve every role defined within the incident response plan. Audit log monitoring and alerting should be vetted during these tests as well. Will security operations be able to identify the activity? How long will it take? Is log monitoring still in alignment with the most recent risk assessment? All of these are pertinent to the effectiveness of the response process. According to IBM, the average time to detect a breach in 2019 was 206 days. Adequate preparation and evolution of the incident response process are required to prevent that statistic from growing.
Contact our specialist today to continue the conversation and learn more about Incident Response Preparedness.