by Damon Hacker, MBA, CCE, CISA, CSXF
President & CEO of Vestige Digital Investigations
Every expert suggests having a corporate Incident Response Plan (IRP). However, according to the 2018 IBM Cyber Resilience study, 77% of businesses worldwide do not have an IRP applied consistently across their organization.
Be Prepared for All Case Scenarios
While many companies may have a partial plan, it is not enough. It is critical to continually assess the plan to ensure that it is comprehensive, considering all possible case scenarios, that it is kept updated, and that it is workable with the current breach and company environment. The plan should be revisited and practiced at a minimum annually, ideally twice a year.
Most importantly, the IRP should be detailed enough that ANYONE in the organization can pick it up and execute on it.
That means all scenarios and critical decisions need to have already been discussed and pre-determined in advance, leaving little or no room for mistakes during an actual incident. Those involved should not only be aware that they have a role to play, but also be specifically trained on that role, thoroughly understand it, and be tested on it through practice drills. During the training and testing, issues and contingencies that arise should be documented, addressed, and incorporated into the plan.
Also, have a hard copy of your organization’s IRP readily available; cyber attackers have been known to steal or delete digital versions, leaving organizations in a terrible quandary.
Because much of the information relied upon to conduct a proper investigation is time-sensitive, preservation of the volatile digital artifacts is critical. Working with an Expert Incident Response Team that specializes in digital forensics and cyber security will ensure that the proper steps are taken to identify, preserve, and investigate all of the necessary digital artifacts. “Oftentimes in a company’s haste to figure out what’s gone wrong the individuals investigating it trample over the evidence,” says Vestige President, Damon Hacker.
Companies are now responsible to provide the proof
In today’s day and age, it is no longer sufficient to investigate a security incident and simply shrug off the responsibility to notify just because you have no evidence that a compromise has occurred. The statutes have changed to now put the onus on the company to PROVE that a compromise did not occur.
This means that at the end of the day, if certain decisions made during the investigation have a negative impact on your ability to affirmatively attest that data was not compromised, you will be forced into a very costly notification process and likely expose your organization to steep fines, damage to reputation, and potential legal liability. “One of the biggest challenges we continue to face working with data breach victims is getting enough information, going far enough back, because either the organization has not set their systems up to collect the right information, or they don’t maintain and manage it long enough,” says Hacker.
It is critical that key personnel are trained and understand their responsibilities to effectively respond when a security breach occurs. By identifying and containing a breach, you can save the company a lot of money. How much money? The average cost per breached record is $148. Establishing an incident response team reduces the cost of a data breach by as much as $14 per compromised record, according to the Ponemon Institute. On the surface, this doesn’t sound like much, but do the math: multiply the number of records in your system today by the cost per record.
- Have a comprehensive, continually updated, workable Incident Response Plan in place.
- The IRP must be detailed enough so ANYONE in your company can pick up a readily available hard copy and execute it.
- Staff must be trained, fully understand, and practice their role in mock drills to be prepared.
- The company should have an Expert Incident Response Team already vetted and on speed-dial to not only stop data loss, but properly investigate it without trampling on critical digital evidence, understand the full scope of the incident, support your legal position to respond to anticipated litigation and downstream issues, validate trusted relationships, and restore public and private confidence in your processes and personnel.
Secure Cyber Defense & Vestige Digital Investigations’ partnership brings companies a solid, proactive approach to securing your IT environment. As a team, we ensure that when the inevitable happens, your company is positioned for success! Come by our booth at the upcoming Ohio Information Security Conference (OISC) at Dayton’s Sinclair Community College March 13th to discuss your cyber security and incident response planning.