Organisations are increasingly aware that they are likely to suffer a cyber attack at any time, and that responding to the incident may cost them a considerable sum of money.
The average cost of a data breach in Australia in 2014 was about $2.8 million, a 40 percent increase since 2010 [1]. Recent data out of the United States indicates that this cost can escalate significantly and in some cases has exceeded $100 million [2].
Whether an attack is external or internal, most organisations will focus on getting their business back up and running. However, a robust response would also include an effective strategy to understand the nature of the incident and preserve evidence as to how the breach occurred, who was responsible and how they were able to bypass your company’s controls. Understanding the incident provides a platform for enhanced security now and into the future.
"The natural instinct is to kick the problem to the technology department, framing it as a disaster recovery issue. What is in fact required is the formulation of an enterprise-wide strategic plan."
Partner in Charge, Forensic
Organisations should have a combined approach of containing the breach, removing the threat, resuming the service and investigating the attack to learn from it and prevent it from happening again. The problem is these responses tend to remain quite separate, and we find that most organisations lack experience in evidence preservation, especially if the breach involves cloud service providers.
Consequently, any recovery process undertaken by the victim organisation threatens to trample on important evidence that could be used to discover the details of the breach. Moreover, an organisation focusing purely on getting the business up and running after a breach might be breaking the law in its vigour to resume the service. For example, an organisation may choose to pay a ransom in a ransomware incident, which might be considered a bribe. If the cyber attack involved the exposure of Personally Identifiable Information (PII) or other privacy-related data, evidence preservation becomes a critical component of your response.
We believe organisations need to ensure each of the responses (containment, eradication, restoration and investigation) are a priority and form part of a considered response strategy. Achieving that takes careful preparation – and a comprehensive Incident Response (IR) plan.
According to the SANS Institute’s 2014 Incident Response survey, only 9 percent of IR professionals surveyed indicated that their incident response capabilities were very effective, and 26 percent were dissatisfied, citing lack of time to review and practice procedures (62 percent) and lack of budget (60 percent) as key impediments to effective response [3].
A lack of formal IR plans and teams was the major complaint, as was a lack of time to practice IR procedures. Of course, the natural instinct for many organisations is to kick the problem to the technology department, framing it as a disaster recovery issue. What is in fact required is the formulation of an enterprise-wide strategic plan, one that tackles technology, people and processes. It is essential this comes from the board and management, not the technology department, if organisations are to make the necessary cultural shift.
In formulating an effective IR plan, we would suggest at a minimum you consider:
It is only with a transparent, comprehensive plan in place that your organisation can respond promptly and effectively to the rapidly evolving threat landscape, thereby freeing your business to grow, transform and expand.
[1] Ponemon Institute, 2014 Cost of Data Breach Study: Australia, May 2014, www.ponemon.org