Incident Response (IR) is what decides whether your business goes under or is back on its feet within a few hours.
Most organisations have an IR plan shelved somewhere, collecting dust. It is good enough to show auditors and tick the compliance box, but not good enough to save the business when the time comes.
We have heard plenty of stories, on the internet and on the front pages, about data breaches, and the most common theme is the gap between the time of compromise (when the attacker breached the systems and took up residence) and the time the organisation actually discovers the breach. Organisations take a long time to detect breaches, and when they finally do, they cannot get their IR plan running as expected. This comes down to the fact that the IR plan has not been tested frequently enough (not annually :), it needs to be far more often than that).
IR coordination is not something to be managed by the cybersecurity department alone. It needs to be organisation-wide, including senior management (the CxO officers), public relations, the business units, IT and the cybersecurity department.
My 2 cents: when it comes to IR, organisations need to do the following
– Draft an IR plan that covers every critical business unit
– Include a communication plan in the IR plan and assign the ultimate decision maker, e.g. the CEO, CIO or another C-level executive
– Test different scenarios, e.g. state-sponsored attacks, physical attacks, insider attacks etc.
– Test more than twice a year (not just tabletop exercises, but actual war games)
– Improve the plan after each test, based on the lessons learned.