It's time to invest in your incident response – here's how

by Richard Green
Published on 13th Jun 2022

Proactive measures are critical to every aspect of a strong cybersecurity strategy, and today the need for a robust incident response plan has never been greater. As more companies embrace remote work, personal devices flood onto the corporate network. As a result, the potential attack surface expands while endpoint visibility shrinks.

The Identity Theft Resource Center's 2021 Data Breach Report found that the number of reported data breaches jumped 68% last year to the highest total ever. Yet deficiencies in incident response persist: VMware's latest State of Incident Response report found that nearly half of organizations are not equipped to meet current cybersecurity challenges, while others waste time investigating low-priority alerts, which slows the incident response process.

An ounce of prevention is worth a pound of cure when investing in incident readiness. Let's examine the benefits, risks, and primary investment areas to better understand the state of incident response, identify areas for improvement and make refinements moving forward.

Benefits of strong incident response

A proactive incident response plan can be the difference between a bad day and a sheer disaster. Some of the benefits include:

Maintaining customer trust

A breach can cause severe damage to your well-earned reputation. A rehearsed incident response plan lets you communicate with stakeholders quickly and effectively, and customers are more likely to keep trusting an organization that informs them of a data breach promptly and in an organized manner.

Saving money

A well-developed incident response plan saves money even if you never use it. In fact, according to IBM's Cost of a Data Breach Report, incident response preparedness was the highest cost saver for businesses. The average total cost of a data breach for companies with a dedicated team that tested an incident response plan was $3.29 million, compared to $5.29 million for companies with neither. 

Mitigating risk

When an incident occurs, it can lead to operational disruption, financial loss, and legal exposure. An incident response plan helps you quickly establish the nature of the attack and where and how it occurred, so the security team can take immediate mitigation and remediation steps, reduce downtime and get back to business that much faster.

Remaining in compliance

The growing attention to privacy protection has forced organizations to re-examine how they handle sensitive personal data. Specific sectors such as healthcare and the financial industry face even more stringent compliance rules. Examples of regulations that require companies to have an incident response plan include the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR).

Risks associated with poor incident response planning

With cybersecurity, it's not a matter of if but when. Poor incident response planning can cause even a small incident, like a single malware infection, to snowball into a data breach, data loss, and interrupted business operations. Beyond the legal and financial implications, business continuity, customer loyalty, and brand protection are also at stake.

How to create and test a good incident response plan

First, identify the key stakeholders who are part of your core team. When you are ready to develop the plan, follow this six-step framework:

  1. Prepare with triage exercises
  2. Identify the issue's size and scope
  3. Contain and isolate compromised devices
  4. Eradicate the threat
  5. Recover and restore routine services
  6. Review the incident to improve future responses

Once your incident response plan is ready, it's time to evaluate it. A proper testing approach includes:

  • Checking for vulnerabilities: vulnerability scans examine the security of computers, applications, and network devices by running a scanner and reviewing configurations.
  • Conducting cyber fire drills: these drills simulate a data breach to spot weak links in your response plan.
  • Scenario testing: walk through specific breach scenarios that are likely given your industry.
  • Final debrief: after testing, hold a debrief to collect feedback on how the test went so that future scenarios run more efficiently.

Where to invest

Unless you have an unlimited budget, you will need to prioritize investment areas. Some key categories to consider include:

Conducting regular tabletop exercises

Regularly conducted incident response tabletop exercises are part of any best-in-class incident response program. A successful tabletop defines specific objectives and is highly structured to cover pre-planned scenarios to which participants must react. Be sure to include leadership and decision-makers across the organization.

Investing in digital forensics

Gaining a complete understanding of a cyberattack requires in-depth analysis that combines host, log, and network visibility with several forms of analytics. Forensic tools can meet these requirements, but they must be easy to deploy and able to connect quickly to endpoints on demand. They should also give the team centralized access to the evidence needed to establish the root cause of the incident, while limiting the memory and system burden placed on the hosts under investigation.
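As an added example, not code from the original article or from any product it mentions, the following Python script applies the "identify the issue's size and scope" and "contain and isolate compromised devices" steps of the six-step framework to the kind of host log data the forensics paragraph describes. Starting from one external indicator IP, it walks successful logins across an sshd-style auth log to find every host the attacker reached, then emits an ordered list of containment actions. The log lines, hostnames, IP addresses and the asset inventory are all constructed for illustration, and the simplified log format is an assumption (real sshd lines carry extra fields such as port and protocol).

```python
"""Scope an intrusion from host auth logs, then list hosts and accounts to contain.

Constructed example: one known-bad indicator (an external IP) seeds the set of
compromised hosts; every later successful login sourced from a compromised host
pulls its destination into scope, so containment covers the attacker's whole
footprint rather than only the host that raised the first alert.
"""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sshd-style auth log (not real data). Simplified format, an assumption:
# <timestamp> <host> sshd: Accepted|Failed <method> for <user> from <src_ip>
AUTH_LOG = """\
2022-06-01T08:02:11Z web-01 sshd: Accepted password for svc-backup from 203.0.113.7
2022-06-01T08:05:40Z web-01 sshd: Failed password for root from 203.0.113.7
2022-06-01T08:09:03Z db-01 sshd: Accepted publickey for svc-backup from 10.0.1.10
2022-06-01T08:15:22Z app-02 sshd: Accepted publickey for deploy from 10.0.1.20
2022-06-01T08:31:47Z files-01 sshd: Accepted password for svc-backup from 10.0.2.30
2022-06-01T09:00:00Z app-02 sshd: Accepted publickey for deploy from 10.0.9.99
"""

# Constructed asset inventory, host -> internal IP. Pivoting by source IP is only
# possible when the responder can map an IP back to a host, hence the inventory.
INVENTORY = {
    "web-01": "10.0.1.10",
    "db-01": "10.0.1.20",
    "app-02": "10.0.2.30",
    "files-01": "10.0.3.40",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Login:
    ts: datetime
    host: str
    user: str
    src: str
    ok: bool


def parse_auth_log(text):
    """Parse matching lines into Login events, oldest first; other sshd messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Login(ts, m["host"], m["user"], m["src"], m["result"] == "Accepted"))
    return sorted(events, key=lambda e: e.ts)


def scope_intrusion(events, inventory, indicator_ips):
    """Return ({host: (first_seen, evidence)}, {accounts used}) for the attacker's reach.

    Seeds are hosts with a successful login from an indicator IP. The pivot rule is
    deliberately conservative: any successful login sourced from a compromised host,
    at or after the time that host was compromised, brings the destination into
    scope even if a legitimate admin made the hop. Evidence is kept per host so the
    responder can review the chain before isolating anything.
    """
    compromised = {}
    accounts = set()
    queue = deque()
    for e in events:
        if e.ok and e.src in indicator_ips and e.host not in compromised:
            compromised[e.host] = (e.ts, f"{e.user} login from indicator IP {e.src}")
            accounts.add(e.user)
            queue.append(e.host)
    while queue:
        host = queue.popleft()
        host_ip = inventory.get(host)
        if host_ip is None:
            continue  # unknown host: its outbound logins cannot be attributed
        since = compromised[host][0]
        for e in events:
            if e.ok and e.src == host_ip and e.ts >= since and e.host not in compromised:
                compromised[e.host] = (e.ts, f"{e.user} login from {host} ({host_ip})")
                accounts.add(e.user)
                queue.append(e.host)
    return compromised, accounts


def containment_plan(compromised, accounts):
    """Order isolation by the time each host was reached, then rotate every credential seen."""
    actions = []
    for host, (ts, why) in sorted(compromised.items(), key=lambda kv: kv[1][0]):
        actions.append(f"isolate {host} (first seen {ts:%H:%M:%SZ}; {why})")
    for user in sorted(accounts):
        actions.append(f"disable and rotate credentials for {user}")
    return actions


if __name__ == "__main__":
    scope, creds = scope_intrusion(parse_auth_log(AUTH_LOG), INVENTORY, {"203.0.113.7"})
    for action in containment_plan(scope, creds):
        print(action)
```

On the constructed log the walk runs web-01 to db-01 to app-02 to files-01, and both svc-backup and deploy are flagged for credential rotation; the final login to app-02 from an IP that is neither the indicator nor a compromised host adds nothing, since the rule follows the source-to-destination direction only. The time check (`e.ts >= since`) keeps logins a host made before it was compromised from being attributed to the attacker.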

Preparing for supply chain attacks

According to a recent survey by Anchore, software supply chain attacks hit three out of five companies, with the highest monthly count in 2021 occurring in December. Experts attribute the spike largely to the Log4j vulnerability disclosed that month, which suggests the trend of supply chain attacks will continue and possibly intensify.

You can prepare by partnering with your procurement team to run risk assessments of your suppliers. It is also worth investing in monitoring supplier activity and expanding your threat model to include threats that could hit your service providers.

Don't wait to implement a well-planned security program. By investing in a robust incident response plan today, you will save time, money, and resources in the long term.