Today, cyberattacks are getting more complex, precise, and targeted than ever before. Add to this the sheer volume of security alerts and false positives; it is like finding a pin in a haystack. Naturally, the IT teams are suffering burnout, leaving organizations with humongous security and corresponding monetary risks.
According to a recent survey on the Cost of a Data Breach in 2020, the global average cost of a data breach stood at $3.86 million for the current year. These numbers were a shade lower than last year (where the average cost was $3.92 million); however, when it came to the Middle East region, the numbers have nearly doubled ($5.97 million per breach). It is the second-highest only behind the U.S., where the average cost per breach amounts to $8.64 million in monetary losses.
Any scale or level of breach does not just affect your business or clients but also the reputation of your organization, which is the utmost important asset. In a digital economy, facing a security incident, cyberattack, or data breach, is highly inevitable. However, remediating that threat and quick recovery from the aftermath is what counts. It limits the scope of damages that affects the reputation. But how do we do it? Is incident response the answer to it? If yes, then what are the steps for effective security incident handling?
To discuss this, CISO MAG got on board Daminda Kumara, Head of Cyber Security and Risk, Wesfarmers Industrial and Safety; Phannarith Ou, Director of ICT Security, Ministry of Post and Telecommunications, Cambodia; and Neil Campbell, VP and Head of Asia Pacific & Japan, Rapid7; in a virtual round table that was moderated by Jyoti Punjabi, Deputy Business Head, CISO MAG, EC-Council.
The discussion was divided into two parts, where the first half was dedicated to developing a comprehensive incident response plan, whereas in the second part, the panel discussed the post-incident response methodology.
Developing an Incident Response Playbook
Although you cannot control how and when the threat actors target your company, you can always control how you respond. Responding quickly and effectively to cyber incidents can help improve your company’s cyber resilience.
“If an organization does not already have an incident response strategy in place then this is a huge problem. This should have been done 10-15 years back.”
– Daminda Kumara, Head of Cyber Security and Risk, Wesfarmers Industrial and Safety
When asked, “When and where should an organization develop an incident response strategy?,” Daminda Kumara said, “If an organization does not already have an incident response strategy in place, then it is a huge problem. They should have designed this 10-15 years ago.” Concurring with Kumara, Neil Campbell said, “Yes, it should have been there for years, but it’s never too late.”
As far as the new or upcoming organizations are concerned, the panel asked them to prioritize cybersecurity and incident response as the top priority. “Every organization needs to have an incident response playbook. This playbook will be your go-to for any incident,” the panelists said in unison.
However, for creating this playbook, Kumara suggested to seeking inputs from all stakeholders, finance teams, supply chains, admin, HR, etc., highlighting that all departments need to be involved because each department has its own take on what is important, vulnerable, and needs to be protected. Thus, involve as many people as possible, and define every stakeholder’s role in case of an incident.
Campbell added, “Have an incident response playbook in a checkpoint format so that it is easier to understand and follow. Also, these checkpoints need to include respective law enforcement and external parties based on the operational domain of your organization.”
Another important team that could steer you away from reputational damage in case of incident response is the public relations (PR) team. This team should always be in the loop in case of incident response. Because, as Campbell said, “Communication and PR can either help you or hurt you.” So, take a cue and put PR on the first page of your incident response playbook.
Additionally, have mock incident response drills just like we have fire drills. Run simulations of attacks. Create red and blue teams if required and handle all scenarios of fake cyberattacks. How does this help? It helps create muscle memory. It always keeps you in shape and readiness. It is not just a defensive but a highly proactive approach to cybersecurity, which many do not even consider. It requires analysts to fend off attackers, review the results of their response, and apply lessons learned to avoid a repeat threat.
What Should be a Post Incidence Response
The answer to this question was given in the first part itself – refer to the Incident Response Playbook that you have defined. As said earlier, cyberattacks and breaches are inevitable aspects of the modern digital world. Thus, when they occur, immediately spring into action and start following your playbook.
The priority after any security incident is stopping the spread. For this, you need to depend on your IT team. But if it is beyond their understanding, seek expert help. Hire a third-party technology and cybersecurity partner that can do this for you if you already don’t have it. However, Campbell suggests to “choose them wisely.” Because you should not go overboard and select the top or the best, this can bore a hole in your pocket. Instead, as Campbell said, “choose one according to your needs and industry.”
“Post incidence Review (PIR) is a good opportunity for learning what went wrong.”
– Neil Campbell, VP and Head of Asia Pacific & Japan, Rapid7
Once you have taken care of the technical aspect of the incident response, move towards the communications part. Before any other stakeholder is informed, it is mandatory to inform the law enforcement authorities. Various countries have various frameworks in place, which adhere to different timeframes for reporting an incident. The GDPR gives only 72 hours for reporting; however, the ACSC in Australia gives 30 days for reportage. So, know the laws applicable to your geography and adhere to it.
In your incident response playbook, you should have already noted the list of all internal and external stakeholders other than the law enforcement authorities that need to be informed about the incident. Write a letter and inform all of them individually on a personal level. Also, as Phannarith Ou said, “Be honest in your communication.” If it is your mistake, then accept it and tell what remedial measures are being taken to resolve the issue. Maintain transparency at all points of time. Give them an entire blueprint of recovery and issue updates about the ongoing process. This makes them not lose trust in your organization and helps them in retaining confidence.
Campbell pointed out, “Honesty and accuracy in your statements are very important in all your incident response communications. Because at some point this communication might be dragged into court and the lawyers will scrutinize every statement that you have made. So do not take that chance.” Kumara suggested an added filter for all communications. He said, “Get your executive from the incident response team to approve and endorse all communications related to the incident response written by the PR team, so that accuracy is maintained.”
“For cybercrime framework, look at international best practices. Baseline them and localize them according to your own needs and geography.”
– Phannarith Ou, Director of ICT Security, Ministry of Post and Telecommunications, Cambodia
At the end of the discussion, a Q&A session was hosted for all curious attendees. One of the most frequently asked questions was if there was a framework that would help create a playbook for comprehensive incident response. Ou delightfully answered this question by saying, “For the cybercrime framework, look at international best practices. Baseline them and localize them according to your own needs and geography.” Campbell also suggested the attendee to refer ISO/IEC DIS 27035-3(en) standard, which is specially developed for incident response and referred to as a baseline by many global companies.
The session saw a fruitful discussion on effective security incident handling and covered almost all aspects of the pre-and post-incident response, and typically stressed the need of having a well-defined playbook that could be your go-to in times of chaos.
CISO MAG would like to take this opportunity to thank all our panelists and attendees for their valuable time and feedback in making this virtual round table discussion a huge success!
The State of Ransomware: From Evolution to Progression