Balanced Risk Management Must Include Security Incident Response

In previous blogs, I wrote about the growing market for cyber security insurance, and how more and more organizations are insuring themselves against what seems inevitable – cyber attacks and data breaches. Driving this trend is the increased frequency and severity of cyber attacks – and the knowledge that they are perpetrated by technically sophisticated criminals, intent on financial gain. From a risk standpoint, organizations have a lot at stake: theft of financial information, sensitive personal information, intellectual property, and in some cases, partial or total business disruption.

Given this scenario, it makes perfect sense for organizations to be investing not only in cyber security insurance, but equally in security incident response capabilities. They should have well-understood, practiced plans for responding to cyber attacks, in order to minimize the impact of an attack and to ensure continued operations.

In my experience, not every organization has reached this point. Many companies have a plan on paper, and have designated an incident response team, but all too often the organization’s actual state of readiness is not what it should be. Data breaches can be stressful and chaotic, so training and preparedness are key.

It may sound strange to point out, but security should be a central focus of any security incident response plan. Organizations must avoid the trap of focusing mainly on legal and reputational damage control. The incident recovery plan must go beyond the obligation to notify customers and other impacted parties, remediate injuries caused by the breach, and handle public relations. Equally important, if not more so, is how prepared the organization is to detect the attack and recover from it.

I’ve seen many examples of the impact that a well-trained incident response team can have. The faster a team can detect a serious incident, the greater the chance of minimizing losses. The faster a team can assess the cause and extent of damages, the faster it can eliminate or mitigate the cause of a breach. These factors translate into enormous value to the organization by reducing the size and scope of the breach and by ensuring that business operations safely resume as soon as possible.

Headlines about cyber attacks and data breaches confront us on a daily basis. Why then do so many organizations fall short, failing to adequately staff incident response teams, failing to practice the incident response processes they have documented in a 3-ring binder, and failing to simulate likely attacks? It’s possible that some organizations don’t feel they are vulnerable (admittedly this is very naïve in this day and age). It’s also possible that while the board room is investing millions in cyber security insurance, it doesn’t see the need to expand funding for incident response. And realistically, it’s almost impossible for over-taxed and under-funded security teams to do contingency planning.

Think about it. It’s really worth the investment to hear these words in the hours or days after a serious incident has occurred: “The threat has been removed. Full recovery is made. Normal operations have commenced.”