Security Roundup: Incident Response Plans, Data Breach Costs, Kudelski, Asigra
With constant data breaches and cybercriminals upping their games, it’s now more important than ever for organizations to have an effective incident-response (IR) plan in place.
This topic was covered during a breakout session at this week’s OpenText Enfuse 2018 conference. D. Kall Loper, director at Protiviti, a consulting firm in technology, business process, analytics, risk, compliance, transactions and internal audit, led the session.
IR plans are designed to test a company’s ability to respond to a security incident with the goal of handling the situation so that it limits the damage to the business while reducing recovery time and costs.
“Incident-response plans should facilitate the process, not hinder it and not be a source of blame later,” Loper said.
One of the big problems with many IR plans, he said, is that they don’t reflect what the organization actually does during a response; many just say, ‘When this happens, you must do this.’ An overly prescriptive plan is a “recipe for disaster,” he added.
It’s important to assemble the best people and to have clearly defined roles for everyone.
“Authority is big,” Loper said. “IR is the glue that binds together roles of individuals. Bring your competent people together. If you have incompetent people, you’re going to have to move them out of the way, which takes time.”
The key characteristics of a good IR plan are: brief, clear, resilient and living, he said. For example, you want “clear and brief instructions for what people should do,” he said.
“Everybody right now wants a plan that can be done and then, ‘We don’t have to think about it anymore,’” Loper said. “This one requires some buy-in and requires that people understand it, at least enough to work it, and that’s easy. So that’s part of the brief — we want to make it as easy as possible on the people, because if you make it hard, they won’t do it.”
Tabletop exercises, workshops and other activities can be more effective than “going home and doing the reading,” he said.
Resiliency can mean making sure the right people are in place in the core team and can fulfill all roles necessary during a response, Loper said.
“A living document allows your plan to adapt to organizational and practice change with minimal document change,” he said. “The brief features make it much less onerous to make those changes. If easier, there’s a better chance of it getting updated. And if someone leaves, someone can step in and read the checklist.”
So how can this benefit MSSPs?
“This gives them a better handle into the company if they can understand a plan like this,” Loper said. “Or even if the company’s coordinator just tells them, ‘Hey, we’ve got this checklist, we want to know what you do, we want to know what you need from us, here [are] our expectations … MSSPs have been dying to get that from their clients for years.”
Lessons learned from prior incidents provide an opportunity to revise and update the plan, he said.
“There are a lot of successful plans out there, but if you don’t like what your plan is, consider some of these options,” Loper said. “You don’t need to use this team structure if you have one that works. This is an effective IR plan and these are the components of it.”
Data Breach Costs Mounting
A new survey by Kaspersky Lab shows the average cost of a data breach globally is on the rise, with breaches now costing an average of $1.23 million for enterprises, up 24 percent from $992,000 last year, and $120,000 on average for SMBs, up 36 percent from $88,000.
The annual survey included more than 6,600 respondents from 29 countries. In North America, the average cost for an enterprise has reached …