[BreachExchange] The cybersecurity incident response team: the new vital business team
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Jul 20 14:49:47 EDT 2018
https://www.itproportal.com/features/the-cybersecurity-
incident-response-team-the-new-vital-business-team/
We live and do business in a world fraught with cyber risks. Every day,
companies and consumers are targeted with attacks of varying
sophistication, and it has become increasingly apparent that everyone is
considered fair game. Organisations of all sizes and industries are falling
victim, and the cyber risk is quickly becoming one of the most prevalent
threats.
When disruptions do occur from cyberattacks or other data incidents they
not only have a direct financial impact, but an ongoing effect on
reputation. For example, Carphone Warehouse fell victim to a cyberattack in
2015, which resulted in the compromising of data belonging to more than
three million customers and 1,000 employees. While it suffered financial
losses from the remedial costs, which included a £400,000 fine from the
Information Commissioner’s Office (ICO), it also led to consumers
questioning whether their data was truly secure with the retailer and if it
was simply safer to shop elsewhere. That loss in consumer confidence is
incredibly difficult to claw back, particularly at a time when grievances
can be aired on social media and be shared hundreds or thousands of times.
To pile on further scrutiny, in June 2018, its parent company – Dixons
Carphone – revealed that it had been the victim of a cyberattack which had
begun in July 2017. Hackers accessed 5.9 million bank cards and 1.2 million
personal data records, with the attack deemed serious enough to instigate
an investigation from GCHQ. While Dixons Carphone stated that the incident
was unrelated to the one from 2015, the brands are so closely aligned that
Carphone Warehouse was once again associated with a huge breach.
Businesses are judged on their response to incidents
Preventing cyberattacks is more difficult with the evolving sophistication
of attacks outpacing the technology used to defend against them.
Furthermore, businesses are now being judged – by consumers and regulators
– on how they respond. How quickly they notify relevant stakeholders, the
information and advice provided, as well as how efficiently they can plug
the gap all have an effect on the level of financial fallout and backlash
faced. These factors point to the compelling need for firms to have a
proactive Cyber-Security Incident Response Team (CSIRT) in place.
Organised from experts from across the enterprise, it will be well drilled
through extensive and regular testing and planning, enabling it to
immediately action the suitable response to incidents of increasing
sophistication and complexity.
Another benefit of such a team is that the proactive regular testing
enables businesses to identify any existing vulnerabilities so that they
can be plugged before they are maliciously exploited. As companies grow and
evolve, networks and processes shift so testing needs to be an ongoing
effort to ensure cyber resilience remains high.
Getting the CSIRT up and running
There are some important considerations to be made before starting a
programme. These include operational and technical issues – such as
securing the necessary equipment – as well as determining the resources and
funding needed for newly formed teams. Firms must also ensure that existing
teams are not left shorthanded and are still able to carry out their
responsibilities.
As with any team, the effectiveness of the CSIRT is greatly increased when
it has a defined objective. When everyone within the team is clear on their
role, it’s easier for them to pull in the same direction. Teams should be
structured in a way that gives every member responsibility and
accountability, but also defines who has the final say.
During the planning phases it’s also essential to remove any areas of
duplication. Re-doing activities and processes is a waste of resources and
simply delays the time taken to reach the desired outcome. Companies can
identify where overlaps and gaps exist by carrying out analysis on their
current cyber response programmes. This will also bring to light the firm’s
current incident response capabilities, the effectiveness of existing alert
sources, as well as determining any restrictions.
Selecting the most effective team
Ideally, the CSIRT should consist of staff from across the enterprise to
ensure there’s a good spread of expertise and that the requirements of all
relevant stakeholders can be met.
A vital component should be a business manager. They operate on the
frontline of the business and are accountable for managing a company's
activities and employees. Should an incident be so severe that critical
systems need to be shut down to mitigate further damage, having a business
manager on board will help the company to determine the impact of downtime.
Technical knowledge should be provided by a representative of the IT team.
It’s important that clear guidelines are set on how IT staff and the CSIRT
should interact, and the actions to be taken by each during response
operations. If the CSIRT requires access to network and systems logs for
analysis purposes then the level of access and visibility should be
clarified.
The aftermath of any data loss incident may result in legal proceedings,
therefore, it’s vital that a member of the legal team is present to
determine liability. With their expertise, they will also be essential for
securing the firm by reviewing non-disclosure agreements and developing
appropriate wording for contacting other sites and organisations.
Other members should consist of audit and risk management specialists – as
threat metrics and vulnerability assessments will play a key role in
planning the strategy – as well as a representative from human resources
and public relations. The former will help in developing job descriptions
to hire CSIRT staff and drafting policies and procedures for removing
internal employees found engaging in unauthorised or illegal computer
activity. The latter will be responsible for tackling external
communications, handling any media queries and helping to develop press
statements and guidelines for information disclosure.
Ultimately, in an age where businesses falling victim to cyberattacks is a
daily occurrence, it’s essential that firms have proactive incident
response teams that can help to lessen the threat to reputation. Breach
repercussions are ongoing and, if companies can’t move quickly to manage
them, they can spiral out of control. A well prepped CSIRT that is full of
expertise from across the enterprise is a powerful tool that dramatically
increases cyber resilience. When incident response is slick and well
planned, the company in question will be viewed more favourably by
regulators and, more importantly, it will mitigate the severe drop in
consumer confidence that can be fatal to other less prepared firms.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180720/b7466ff3/attachment.html>
More information about the BreachExchange
mailing list