The increasing trend of data breaches and the devastation they cause to organisations is well documented. In August 2020, there were 99 cyber incidents across the world, the third biggest monthly total of the year. According to the 2020 cost of data breach report by the Ponemon Institute, the average cost of a data breach is US$3.86M. To reduce this cost, CISOs must prepare their organisations to respond and recover from these incidents with minimal impact.
CISOs were most likely to be held ultimately responsible for the data breach – 2020 Cost of Data Breach Report
Being prepared doesn’t mean having an incident response plan – which in many cases is never tested. Being prepared means building, maturing and maintaining an organisation-wide incident response capability. CISOs must rapidly assess and build this capability to respond and recover as soon as they start the role. CISOs need to develop three strategic initiatives that underpin the response and recovery. These include:
Create Partnerships
Response and recovery from a data breach requires collaboration. CISOs must maintain strategic partnerships with reputable organisations to improve incident identification, response and recovery from data breaches. Four key partnerships must be created: Incident response retainers, cyber insurance, government agencies and threat intelligence communities.
According to the data breach report, organisations take an average of 280 days to identify and contain cyber incidents. To reduce the number of days, CISOs must create and maintain a good relationship with relevant government agencies and subscribe to reputable threat intelligence communities – particularly industry-based communities. These organisations will inform CISOs of the changing landscape and any applicable data breaches.
When organisations identify a data breach – or are informed of one – CISOs need technical specialists like forensic and malware analysts to contain and investigate the breach. Very few organisations employ these specialists, and they are difficult and costly to engage in the middle of managing a data breach. Purchasing an incident response retainer makes these specialists available when required.
There are many costs associated with data breach recovery, including consulting and legal services, extortion, restitution to victims and regulatory fines. Just like any other insurance, cyber insurance will cover these unexpected costs. CISOs must acquire this insurance and ensure it provides the right coverage.
Build and Mature Internal Capabilities
Having the right external partnerships and relationships in place is a significant step but not enough. In most cases, internal capabilities are at the frontline of these incidents, and CISOs must assess and mature these capabilities to identify and respond to incidents appropriately. The internal capabilities are People, Processes and Technologies.
Most organisations have significantly invested in several security technologies which generate a lot of alerts. To be effective at responding, CISOs need to prioritise monitoring these alerts. Effective monitoring is achieved by building and maintaining a Cyber Security Operations Center (CSOC).
The CSOC requires a skilled technical team to identify suspicious activity, investigate, contain and escalate incidents based on a defined threshold. In addition, end users should be trained to identify and report suspicious activity. CISOs must ensure the technical team and end users have the appropriate skillsets.
CISOs must establish a multidisciplinary Cyber Incident Response Team (CIRT) to respond to the escalated incidents. The team will evaluate incident severity, business impacts and have the authority to make critical decisions like switching off the affected server.
To manage incidents effectively, CISOs need an incident response plan. Most organisations have this plan. However, some of these plans will not be effective in significant cyber incidents. An effective cyber incident plan must cover all the response steps, the escalation thresholds, responsibilities and decision points. The plan should also align with other relevant organisational processes.
Test, Test and Test
If not tested and revised, a cyber incident response plan is just a plan. Testing the plan must be an integral part of the incident response assurance program. The plan must be tested regularly to identify gaps, validate assumptions, and clarify responsibilities. Specialist consultants should be engaged to test the plan using threat scenarios with critical impact to the organisation.
All relevant stakeholders, including senior management, should be involved in testing the plan. Communication during a data breach is essential and must be tested as well to refine the message.
Incident response teams combined with incident response testing reduced the cost of a data breach – 2020 Cost of Data Breach Report
Conclusion
According to the Data Breach Report, the factors that influence the cost of a data breach include the role of the CISO, cyber insurance, incident response teams and threat intelligence sharing. The report also mentions that incident response preparedness saved businesses US$2M in recovery costs. As data breaches have become almost inevitable, it is essential to have the right controls in place to minimise the impact on the organisation.
To get started, CISOs need to identify the critical information assets and processes, perform a risk assessment and augment the existing controls to mature the response and recovery capabilities. The Cyber Leadership Institute has an impressive cyber incident and crisis management playbook that you can use as a guide.
Assess, build and mature. Start now.