Why every organization needs an Incident Response Plan
In psychology, the phenomenon is known as illusory correlation. It’s a term that’s used to describe our ability as humans to perceive a relationship between things when no such relationship exists.
I’m often reminded of this phenomenon whenever I speak to one of my fellow executives about their preparedness for a potential cyber-attack. I’ll ask them if they have a cyber-attack incident response plan and usually what I get back goes something like, “Ah, I’m not too concerned about it. I don’t see how anyone would be interested in hacking us.”
And while they may be correct that their target profile is fairly low, they are suffering under an illusory correlation. They are falsely connecting the probability of being attacked with the importance of adequately preparing for the occurrence. The real question they should ask themselves is what the potential damage to the organization would be if they were attacked.
The School House Principle
Let’s take the example of fire drills in schools. The chances of a full-out fire raging through a modern school building have decreased significantly from the days when children gathered in wooden structures heated by wood-burning furnaces. A 2014 study by Safe Havens International in the U.S. found, “School-related fatalities by fire are rare, and no documented instances have been found from 1998-2012.” And yet, we still make sure our children, teachers, and support staff know exactly what they need to do in the unlikely event of a fire. Because no matter how unlikely the incident may be, nothing is more important than ensuring the safety of our children.
This same line of thinking needs to be applied to the security of your organization, which is significantly more vulnerable than many executives are willing to believe.
According to the 12th annual “Cost of Data Breach Study” by the Ponemon Institute, the average total cost of a data breach in 2017 was $3.62 million. A cursory glance at the recent history of cyber-attacks shows that the damage can be far more severe.
A 2017 ransomware attack cost the Erie County Medical Center more than $10 million. In June of that same year, a NotPetya attack cost shipping company Maersk more than $300 million and forced a pharmaceutical company, Merck, to shut down its manufacturing facility. While this was all happening, the WannaCry virus infected more than 45,000 computers in 74 countries, including the UK, where hospitals were effectively shut down as a result.
The First Step Any Organization Should Take
If your organization does not already have an Incident Response Plan (IRP) in place, design and implement one immediately. An IRP is simply a detailed plan that spells out what everyone needs to do in the event of a cyber-security breach. But don’t feel that you need to re-invent the wheel in implementing one. For example, Cisco offers an Incident Response Plan, an excellent solution to help organizations build a planned and coordinated response to an incident. Cisco’s program lays out a blueprint for how to identify the attacker, scope and contain the situation, identify the root cause, and design strategies to remedy the underlying issues. It emphasizes the overarching need to communicate with the different communities impacted, including customers, partners and suppliers, as well as internally.
This is all critically important because the interval between identifying the breach and completing remediation can cost an organization a great deal of time, money, and reputation. The importance of a swift and effective response in the hours and minutes following a cyber-attack cannot be overstated.
The second stage is then conducting an assessment to determine what damage was done, where it was done, and to what extent. The only way both of these steps can be done effectively is if everyone in the organization knows exactly what they need to do should a security breach occur.
Having an IRP in place is only the first step
A recent study from the UK indicated that a full two-thirds of executives said they have some kind of IRP in place but have never tested it. This is one of the biggest vulnerabilities I see in organizations across North America as well. They are under a false sense of security that because someone drew up a plan some years back, they will be covered in the event of an attack.
In reality, the only way to be sure your people will know what to do when the time comes is to run regular “fire drills” to identify internal vulnerabilities. This can be done in the form of what is called “tabletop testing” because, obviously, you don’t want to put an actual virus into your environment. These tabletop tests can detect technical vulnerabilities and allow you to run simulations within your organization.
The absolute last thing you want is to find yourself testing your incident response plan in the middle of an incident.
Not so long ago, Compugen was hit with a zero-day virus. It was only our high level of preparedness that allowed us to avoid incurring customer or internal data loss, but it reinforced the need to continually monitor and strengthen our own environment to the highest possible level.
Changing Compliance Landscape
Another key responsibility in the immediate aftermath of a security breach is reporting the incident to the various stakeholders. Announcing a security breach might be the last thing an organization wants to do, but it may not be optional in the very near future.
As of November 1, 2018, Canadian organizations will be under the regulations of the Personal Information Protection and Electronic Documents Act (PIPEDA). Under the act, any domestic and foreign organizations subject to PIPEDA will be required to:
(a) notify individuals about privacy breaches;
(b) report privacy breaches to the Office of the Privacy Commissioner of Canada and others in certain circumstances; and
(c) keep certain records of privacy breaches.
Many times, the damage of an attack is compounded by an organization’s failure to fully disclose the nature and extent of the attack. A well-designed IRP will not only outline actions to contain the breach but also lay out the process to assess and manage the reporting compliance requirements.
The Big Question
If you are still on the fence about whether or not your organization should put a well-designed IRP in place, ask yourself this – would you rather have it and not need it, or need it and not have it?
Think carefully; the very future of your organization may depend on it.