As the number of cyber breaches occurring worldwide increases, a number of companies have invested a lot of money in system hardening, user awareness, intrusion detection systems and other technologies to prevent data breaches. BUT is that enough? Even with all the various systems and controls in place, a company can still suffer a significant data breach.

Most of the companies that have invested significant amounts of money and feel safe have over looked one major fact in being ready for a cyber-attack. And that major factor is the Cybersecurity Incident Response and Business continuity plan.

For those that have set up the Cybersecurity Incident Response and Business continuity plan have not bothered to ascertain whether its effective and efficient. Thereby leaving these plans theoretical and ineffective.

Effective incident response forms the criteria used to judge cybersecurity programs. Effective protection and detection measures do not matter if the response to an event falls short. Within days of an announcement, news articles criticizing an entity’s response can negatively influence public opinion. Sizable data breaches elicit scrutiny that can last for years.

The Marriott hotels data breach

Marriott hotels became a prime example of this when it discovered a breach in November 2018, which has gone on to be labelled one of the largest data breaches in history as it affected the records of up to 500 million customers. Criticism for failure to discover the breach which is believed to have started happening in 2014 has probably affected business in one way or another. Marriott’s subsequent missteps beyond communication issues caused the incident response process to appear ineffective. These perceptions survive long after
breach recovery has occurred.

A comprehensive plan that covers every fundamental aspect of incident response, practiced regularly, seems sufficient, until an incident actually occurs. The plan and the skills practiced can be forgotten. Individuals can panic, freeze, and fail to make decisions; others become cowboys, expecting to save the day. The hard truth remains: perceived cybersecurity program success lives and dies with effective detection, containment, eradication, and recovery from security incidents. Initial reports and public scrutiny seem to center on how long it takes entities to disclose incidents.

Why does do incident response plans usually fail?

Why do so many incident responses fall short of the mark? There are several reasons. The following are the common themes in Ineffective Incident Response Plans;

1. Lack of planning. In such a scenario, the incident response plan and action plans are inadequate, missing key processes and actions.
2. Lack of preparation. Building an effective incident response requires a practical approach. This should involve continuously referring to the response plan, trying to find the correct steps in action plans, and not knowing what steps are necessary because specific scenarios were not anticipated lead to failure.
3. Lack of effective leadership. It doesn’t matter how good your plan is, if you have reactive, impulsive and ineffective leaders that act with emotions and not brains, the plan will fail. The plan requires effective leadership on the team and from management. Individuals who panic and lose their cool in the heat of battle do little to forge an effective response.
4. Lack of support from management. Response teams cannot second-guess themselves during an incident. If taking systems offline is the necessary action then senior management criticizing such actions because it will possibly affect the business does not demonstrate strong backing by management.

Incident response programs require prioritization within the overall cybersecurity program and management must view incident response as an important business function. This means doing more than writing an incident response plan and conducting an incident response drills at least twice a year.