What is incident response and why is it important?
As the range of cyber attacks expands worldwide, producing disruptive and harmful effects for any business that lacks proper security measures, it is clear that cyber security is one of the most important functions to enforce throughout digital transformation. The best option for companies is therefore to create strategies for handling incidents that can seriously compromise the integrity and availability of IT systems, and of the private data and information they store and process, and to manage security risks so as to prevent damage to trust and reputation.
Incident response (IR) can be defined as the effort to rapidly recognize an attack, mitigate its negative consequences to keep damage under control, and address the root cause so as to reduce the odds that similar incidents occur in the future. A good incident response plan is the key to tackling cyber security threats to computer systems: a strategic approach built on a well-defined structure makes it possible to identify which areas are most fragile and exposed to attacks and to plan the best countermeasures for defense.
Firms that adopt good incident response strategies can effectively limit the duration of attacks and the damage they produce, with significant benefits not only for security but also for finances. The importance of a proper incident response policy cannot be overstated: IBM’s Cost of a Data Breach 2023 report states that organizations with regularly tested incident response plans and strategies can save $4.45 million in recovering from harm caused by data breaches and other categories of attacks. IBM also highlights the effectiveness of AI-based cyber security solutions, which help companies save $1.76 million, and reports that half of firms are willing to increase their investments in cyber security, especially in drawing up incident response plans and in the professional education of their workers.
Incident response or incident management?
Incident Response and Incident Management are terms that are often used interchangeably, because both aim to ensure business security and tackle the consequences of cyber attacks, such as data breaches. In fact, incident response is a subset of incident management:
- Incident management refers to the entire incident lifecycle, from detection to resolution, and involves different actors including the executive team, the legal staff and of course IT departments;
- Incident response, instead, is only a specific part of the process and refers to the technical assessments for what concerns cyber security and resilience.
The main types of security incidents
When developing an incident response plan, it is important to understand how three main factors are connected, so that the strategy is effective:
- Vulnerability, which refers to a weakness in the corporate IT environment;
- Threats, represented by an entity – not only an external hacker, but possibly a company employee – who exploits vulnerabilities to gain unauthorized access to resources;
- Incidents, that is, the attacks that can compromise systems and cause serious harm, such as privacy breaches, loss of personal data and leaks of corporate resources.
Knowing the main types of security incidents helps to better understand how companies are exposed to risk and to plan an efficient response. They are:
- Attempts to gain unauthorized access to systems or databases;
- Insider threats;
- Phishing and spear phishing;
- Denial of Service (DoS) or Distributed Denial of Service (DDoS);
- Man-in-the-Middle;
- Password attacks on web applications.
For the best corporate cyber security, effective incident response requires the drafting, verification and testing of the incident response plan, which should clearly cover:
- Roles and responsibilities of each team member;
- Communication protocols;
- Incident assessment criteria;
- Incident response procedures;
- Contact lists of external stakeholders;
- Incident identification, containment, mitigation and recovery phases.
The 6 steps of the incident response plan
To build effective incident response plans, companies can take into account some consolidated frameworks that guide and enhance defensive strategies. The best-known frameworks have been developed by organizations that provide technical standards, such as NIST (National Institute of Standards and Technology), SANS Institute (SysAdmin, Audit, Networking, and Security), ISO (International Organization for Standardization) and ISACA (Information Systems Audit and Control Association).
These frameworks differ somewhat in their approaches, but their processes are built on quite similar phases, which must be performed in sequence because each one builds on the previous one. Let’s take a look at these stages and what they cover:
- Preparation/Planning: development of the incident response plan and preparation of all necessary resources, implementing the tools and processes needed to detect potential incidents and tackle them with quick and efficient countermeasures;
- Detection/Identification: recognition of a potential incident, followed by the collection of information about the cause and extent of the attack;
- Containment: the steps that need to be taken to stop an attack before it causes severe damage and to regain control of the IT assets;
- Eradication: cleaning of systems to remove malicious code and activity, patching of vulnerabilities and complete restoration of compromised systems;
- Recovery: restoration of normal operations by fixing vulnerabilities and taking actions to reduce the odds that cyber threats could leverage them again;
- Follow up: investigation of the incident to understand how it occurred and to identify additional measures and corrective actions that reduce the odds of similar incidents in the future – a key phase for improving internal processes and the strategy for responding even better to potential threats and attacks.