[BreachExchange] Incident Response: Having a Plan Isn't Enough

Destry Winant destry at riskbasedsecurity.com
Fri Mar 8 10:11:58 EST 2019


https://www.darkreading.com/threat-intelligence/incident-response-having-a-plan-isnt-enough-/d/d-id/1334056

Data shows organizations neglect to review and update breach response
plans as employees and processes change, putting data at risk.

Businesses are slowly improving their data breach plans, but lack of
executive involvement, failure to review and update plans, and
regulatory and compliance challenges prevent them from being able to
respond to security incidents with increasingly severe consequences.

A new study – entitled "Is Your Company Ready for a Big Data Breach?"
– conducted by the Ponemon Institute and commissioned by Experian,
polled 643 professionals in IT and IT security on their organizations'
data breach response practices.

They learned that 52% of respondents rate their response plans as "very
effective," slightly up from 49% one year prior and 42% in 2016.
Still, only 36% feel sufficiently prepared to respond to incidents
involving business confidential information and intellectual property.

It's slow-going progress at a time when more businesses are disclosing
breaches and realizing their far-reaching effects. Nearly 60% of
respondents reported a data breach in 2018. Of those, 73% reported
multiple. Incidents are causing greater financial damage: A 2018
Ponemon study showed the average consolidated cost of a breach is
$3.86 million. Fear of reputational damage is also top-of-mind among
27% of respondents who believe a breach would tarnish their brands.

Most (92%) companies have a data breach notification plan in place.
The problem is, most companies with a breach response plan fail to
adapt to change. Forty-two percent of respondents have "no set time
period" for reviewing and updating their response plans, and 23%
haven't reviewed or updated their plans since they were put in place –
"which may be years at a time," says Michael Bruemmer, vice president
of data breach resolution at Experian.

"Where we see simple mistakes being made is, the plan is set on the
shelf and done once, then employees and processes change and they
don't update the plan," he explains. "In data breach response, timing
and accuracy of information is really important."

It's one thing to have a good response, but there's a great penalty if
your company suffers multiple security incidents and doesn't alter its
plan to reflect what was learned from them. It should regularly follow
up, update the plan, and practice the process of incident response,
researchers note in the report.

Unpacking Response Plans
Which incidents do companies plan for? Most (87%) plans include
guidance on how to handle a distributed denial-of-service (DDoS)
attack that could cause system outage, 80% address loss or theft of
personally identifiable information (PII), and 79% address loss or
theft of data on customer associations that could lead to brand
damage. About three-quarters include guidance on loss or theft of
payment data; 73% address loss or theft of intellectual property or
confidential business data.

"Many companies are among those that recognize the sensitive PII in
their possession and know they are an attractive target," Bruemmer
says. They know they need to have a plan regardless of whether they've
already been hit. Still, "a vast number of businesses only learn that
their company needs to have a plan in place once the security incident
occurs," he adds.

Bruemmer advises organizations to form a data privacy program or
job-specific security or privacy training program for employees who
have access to PII and other sensitive information. Twenty-seven
percent of businesses don't have this type of program, he adds, and
people who have admin access and handle PII should be trained on how
to avoid cyberattacks.

"The blanket approach that everyone takes the same training ... that
used to be the norm five years ago. That can't be the norm now," he
explains.

Breach Response's Biggest Burdens
Cloud complicates breach response, researchers report. Sixty-three
percent say lack of visibility into end users' data access is their
biggest barrier in improving breach response. Sixty percent say the
proliferation of cloud services is another major challenge, and 43%
are concerned about the lack of security process for third parties
that handle their corporate data.

Lack of expertise may have fallen to fourth place, cited by only 37%
as a barrier to breach response, but the share of people naming it
as an obstacle has grown over the years. Less than one-third worried
about lack of expertise in the 2017 survey, which was up from 29% the
year prior.

Some types of security incidents pose a greater challenge than others.
Only 21% of respondents expressed confidence in their ability to
handle ransomware attacks, and 24% said the same for spear-phishing,
researchers found. Less than half (47%) educate employees on
spear-phishing.

Organizations also face compliance and regulatory challenges, Bruemmer
points out. The EU's General Data Protection Regulation (GDPR) went
into effect in May 2018; since then, 59% of respondents report their
organizations' plans now include processes to handle an international
data breach, up from 51% in 2016. However, GDPR rules are tough to
comply with, and only 36% of companies say they have a high ability to
comply with the data breach notification rules.

It's Time for Execs to Chip In
Senior leadership's involvement in breach response is "mostly
reactive." C-suite and board members mostly want to know whether a
material breach took place and generally don't know about the specific
security threats to their organizations. Only 22% of respondents say
the C-suite regularly participates in response plan reviews; 10% say
the same for board members.

About half (49%) of respondents say executives don't know about
response plans, and 81% think their response plans would be more
effective with executive involvement. They also cite a need for more
drills to practice incident response and for more skilled infosec
employees.
