Just prior to the Thanksgiving holiday, the U.S. Navy revealed that the personal data of more than 130,000 sailors was breached via a contractor’s computer. This information included the names and social security numbers of current and former sailors. This is notable in that the data was accessed through a supplier’s system. As outlined in Sparton’s white paper Cybersecurity and Design: Managing New Risk and Requirements, research shows that about 40 percent of data-security breaches arise at points where companies, suppliers, and other partners interact.
Imagine your organization being responsible for such an attack at one of your primary customers. This could cripple your relationship with the company, resulting in a loss of revenue and reputation. An organization needs to have a solid plan in place to mitigate the damage from this type of incident. However, this is frequently not the case. A recent study conducted by the global consulting firm PwC shows that only 37% of respondents – most of them in the heavily regulated financial services industry – have a fully operational incident response plan. Three in ten have no plan at all, and of these, nearly half don’t think they need one. Should a cyber-crisis arrive, only four in ten companies have personnel that are “fully trained” to act as first responders, of which the overwhelming majority (73%) are IT security staff.
Incident response plans provide detailed instructions for responding to a number of potential scenarios. Without one in place, organizations may either not identify the attack in the first place, or not follow proper protocol to contain the threat and recover from it when a breach is detected.
According to the SANS Institute (www.sans.org), there are six key phases of an incident response plan:
- Preparation: Preparing users and IT staff to handle potential incidents should they arise.
- Identification/Triage: Determining whether an event is indeed a security incident.
- Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage.
- Eradication: Finding the root cause of the incident, removing affected systems from the production environment.
- Recovery: Permitting affected systems back into the production environment, ensuring no threat remains.
- Lessons learned: Completing incident documentation, performing analysis to ultimately learn from the incident and potentially improve future response efforts.
An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, defining a communication strategy, and ultimately increasing the confidence of corporate executives, owners, and shareholders. The plan should identify and describe the roles and responsibilities of the Incident Response Team members who are responsible for testing the plan and putting it into action. The plan should also specify the tools, technologies, and physical resources that must be in place to recover breached information.
The PwC study emphasizes that the primary takeaway from their survey should be that cybercrime is a problem that goes beyond IT. Given that 32% of organizations have been affected by cybercrime, it is essential that every aspect of an organization be prepared in the event of an occurrence. Damage mitigation could play a key role in the future of an organization. Sparton’s white paper Cybersecurity and Design: Managing New Risks and Requirements outlines ways that an individual can protect their organization from a cyber-attack. In today’s climate, all of us are on the front lines of cybercrime prevention.