React promptly to cyber threats: Response planning

Organisations are increasingly aware that they are likely to suffer a cyber attack at any time, and that responding to the incident may cost them a considerable sum of money.

Gary Gill, Partner in Charge, Forensic, KPMG Australia



The average cost of a data breach in Australia in 2014 was about $2.8 million, a 40 percent increase since 2010 [1]. Recent data out of the United States indicates that this cost can escalate significantly and in some cases has exceeded $100 million [2].

When it’s your organisation’s turn, how do you respond?

Whether an attack is external or internal, most organisations will focus on getting their business back up and running. However, a robust response would also include an effective strategy to understand the nature of the incident and preserve evidence as to how the breach occurred, who was responsible and how they were able to bypass your company’s controls. Understanding the incident provides a platform for enhanced security now and into the future.

"The natural instinct is to kick the problem to the technology department, framing it as a disaster recovery issue. What is in fact required is the formulation of an enterprise-wide strategic plan."
Gary Gill
Partner in Charge, Forensic

Organisations should have a combined approach of containing the breach, removing the threat, resuming the service and investigating the attack to learn from it and prevent it from happening again. The problem is these responses tend to remain quite separate, and we find that most organisations lack experience in evidence preservation, especially if the breach involves cloud service providers.

Consequently, any recovery process undertaken by the victim organisation threatens to trample on important evidence that could be used to discover the details of the breach: rebuilding a host, restoring from backup or rotating credentials can overwrite the very logs, files and session records that show how the attacker got in. Moreover, an organisation focusing purely on getting the business up and running after a breach might be breaking the law in its vigour to resume the service. For example, an organisation may choose to pay a ransom in a ransomware incident, which might be considered a bribe. If the cyber attack involved the exposure of Personally Identifiable Information (PII) or other privacy-related data, evidence preservation becomes a critical component of your response.
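The following is an added example, not part of the KPMG article, of the minimum evidence-preservation step that should precede recovery: take copies of the relevant artifacts, record their SHA-256 hashes together with who collected them and when in a manifest, and re-verify the copies later so that any post-collection change is detectable. The file names, the log line and the "recovery" step are constructed for the illustration; the hashing and manifest logic is the technique itself.

```python
# Added example (not from the KPMG article): preserve artifacts before recovery.
import datetime
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images or logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(src_paths, evidence_dir, collector):
    """Copy each artifact into evidence_dir and record who took it, when, and its hash.

    Copies are numbered so two artifacts with the same basename cannot collide.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for i, src in enumerate(src_paths):
        dst = os.path.join(evidence_dir, f"{i:03d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        entries.append({
            "source": os.path.abspath(src),
            "copy": dst,
            "size": os.path.getsize(dst),
            "sha256": sha256_file(dst),
            "collected_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"entries": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash every preserved copy; return the paths whose hash no longer matches."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["copy"] for e in manifest["entries"]
            if not os.path.exists(e["copy"]) or sha256_file(e["copy"]) != e["sha256"]]


def demo():
    """Constructed walk-through: preserve, then 'recover' the host, then catch tampering."""
    work = tempfile.mkdtemp()
    host = os.path.join(work, "host")
    os.makedirs(host)
    # Constructed sample artifacts standing in for files on a compromised web server.
    auth_log = os.path.join(host, "auth.log")
    upload = os.path.join(host, "upload.php")
    with open(auth_log, "w") as f:
        f.write("Jan 10 03:12:07 web01 sshd[4123]: Accepted password for svc_backup "
                "from 203.0.113.9 port 51022\n")
    with open(upload, "w") as f:
        f.write("<?php /* constructed sample of a suspicious upload */ ?>\n")

    evidence = os.path.join(work, "evidence")
    manifest = preserve([auth_log, upload], evidence, collector="ir-analyst")

    # Recovery: the host is rebuilt and the originals are wiped. The copies are unaffected.
    os.remove(auth_log)
    os.remove(upload)
    after_recovery = verify(evidence)  # []

    # Later, someone edits a preserved copy. The manifest hash exposes it.
    with open(manifest["entries"][1]["copy"], "a") as f:
        f.write("// edited after collection\n")
    after_tamper = verify(evidence)  # [path of the edited copy]

    return {
        "preserved": len(manifest["entries"]),
        "mismatches_after_recovery": after_recovery,
        "mismatches_after_tamper": after_tamper,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest itself (or at least its hash) should be recorded somewhere the recovery team cannot write to, such as a ticket, a write-once share or a signed e-mail, so that the chain of custody does not depend on the same storage the copies sit on; and for cloud-hosted systems the provider's own export and audit-log mechanisms need to be invoked before instances are terminated or re-imaged.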

Formulating a plan

We believe organisations need to ensure each of the responses (containment, eradication, restoration and investigation) is a priority and forms part of a considered response strategy. Achieving that takes careful preparation and a comprehensive Incident Response (IR) plan.

According to the SANS Institute’s 2014 Incident Response survey, only 9 percent of IR professionals surveyed indicated that their incident response capabilities were very effective, and 26 percent were dissatisfied, citing lack of time to review and practice procedures (62 percent) and lack of budget (60 percent) as key impediments to effective response [3].

A lack of formal IR plans and teams was the major complaint, as was a lack of time to practice IR procedures. Of course, the natural instinct for many organisations is to kick the problem to the technology department, framing it as a disaster recovery issue. What is in fact required is the formulation of an enterprise-wide strategic plan, one that tackles technology, people and processes. It is essential this comes from the board and management, not the technology department, if organisations are to make the necessary cultural shift.

Strategic response planning

In formulating an effective IR plan, we would suggest at a minimum you consider:

  • Containment: analyse the incident to identify the method of compromise and prevent further spread
  • Eradication: identify the root cause that made the compromise possible and develop plans to remediate the security vulnerabilities discovered
  • Restoration: plan business recovery so that downtime is minimised in the event of an incident
  • Investigation: establish what information was placed at risk, what evidence is available and preserved, and what the implications of the unauthorised access are
  • Testing: continually and proactively test all of the above so that the strategic response plan remains relevant and fit for purpose

It is only with a transparent, comprehensive plan in place that your organisation can respond promptly and effectively to the rapidly evolving threat landscape, thereby freeing your business to grow, transform and expand.
