Developing an incident response plan – and testing various scenarios against it – is now a must. Let’s all remember the Central Bank of Ireland’s stark warning back in 2016. “Firms should assume they will be subject to a successful cyber-attack or business interruption.”
Having a structured and formalised response plan ensures organisations can deal with any security incidents quickly, efficiently and effectively. (GDPR provides another good reason to get your response planning in order. Enforcement is mere months away, and its terms include mandatory reporting of breaches to the appropriate data protection authority.)
Here at BH Consulting, we offer incident response planning as a service for our customers. We have developed these 10 steps which can guide your efforts:
Here are some other useful resources to help you devise an effective response plan. The UK Information Commissioner’s Office has a GDPR-focused checklist for handling data breaches. ENISA has developed a tool for completing and submitting a personal data breach notification, suitable for all business sectors and public agencies. The US National Institute of Standards and Technology (NIST) publishes a free computer security incident handling guide. The UK Government has advice about handling media attention and crisis communications. Last year’s Irisscon conference in Dublin had two excellent talks on incident response, from Dr Ciaran McMahon and David Stubley (videos).
We now live in a world where more organisations feel comfortable disclosing when they’ve had an attempted breach. Last year, both the ESB and Musgrave Group publicly said that attackers had tried – unsuccessfully – to break into their systems. Last month, the CEO of AP Møller-Maersk told an audience at Davos that the shipping company recovered its IT infrastructure in 10 days, after last summer’s NotPetya ransomware outbreak. As Lee Neely noted in the recent SANS newsletter, such a rapid timeframe is only possible with a working and tested business continuity plan.
Now that it’s accepted that a security incident could happen to anyone, the focus has turned towards how organisations respond. Contrast the examples above with the criticism heaped on Equifax and Uber after their respective breaches. That’s the kind of negative publicity nobody wants.
Beyond public shaming, there’s also a financial impact from badly handled breaches. The UK Information Commissioner’s Office recently fined Carphone Warehouse £400,000 over its 2015 data breach.
If you’re interested in developing or updating your incident response planning, you can contact us to find out more.