Why incident response is high on the executive agenda
Today, most organisations’ applications and data run in a blend of public and private clouds and their own on-premises infrastructure. These hybrid IT environments are more difficult to secure, and businesses need to adopt a dynamic approach to defending against cyber threats.
Incident response can no longer be seen as simply a best practice – rather, it’s an obligation of due diligence. It’s now a topic that’s firmly on the executive agenda.
We recently published the Executive’s Guide to the 2017 Global Threat Intelligence Report which was compiled from data collected by NTT Security and other NTT operating companies from the networks of 10,000 clients across five continents, trillions of security logs, and six billion attempted attacks launched during 2016.
The Report reveals some interesting insights on how prepared organisations are to deal with a breach and the types of incidents that are most commonly occurring.
There’s an encouraging shift towards prioritising incident response
In 2016, we saw an 11% year-on-year improvement in terms of organisations actively maturing their incident response preparedness.
Globally, 32% of organisations had a formal incident response plan in 2016, up from an average of 23% in previous years. This is encouraging and suggests that organisations are starting to realise that being prepared and having a tested response plan, coupled with actionable threat intelligence, can limit the impact of a breach, while also supporting clear business justification for that plan.
Phishing is the cause of most incident response initiatives
In 2016, over 60% of incident response engagements that we were involved in related to phishing attacks. Four industries accounted for 77% of all phishing attacks – business and professional services (28%), government (19%), healthcare (15%), and retail (15%).
Malware – which includes various types of malicious software including ransomware, bot droppers, and payloads – was also prevalent in incident response engagements.
Who’s being targeted?
A total of 59% of all incident response engagements occurred in four industries – healthcare (17%), finance (16%), business and professional services (14%), and retail (12%). Of all incidents in the finance sector, 56% were related to malware, while 50% of all incidents in the healthcare sector were related to ransomware.
The top targeted industries come as no surprise. Their maturity coupled with the value of data they hold, from personally identifiable information, personal health information, credit card data, to intellectual property, make them lucrative targets for cybercriminals.
What can you do?
There’s much that you can do to step up your level of incident preparedness. Here are some basic recommendations:
- Obtain executive buy-in – Security leaders must seek executive sponsorship to ensure visibility and accountability of risk as it evolves from the server room to the boardroom. The financial repercussions for failing to disclose security breaches continue to rise.
- Define roles and responsibilities – Many organisations only include members of the security team in the event of a major incident. At minimum, employees from the business, HR, legal, risk/compliance, security, and IT should be involved to co-ordinate an effective response.
- Prepare incident management processes and playbooks – Many organisations have limited guidelines that describe how to declare and classify incidents. These are critical to ensuring a response can be initiated. Common practices for incident response also suggest organisations should develop ‘playbooks’ to address how incidents should be handled in their environment.
- Test, evaluate, and revise effectiveness – Simply having a response plan isn’t enough. It’s critical that you routinely test its
- Prepare technical documentation – You need comprehensive and accurate details about your network in order to make informed decisions and identify impacted systems, in the event of a breach.
- Maintain relationships with key external stakeholders – We live in a connected world with dependencies and links to a much larger ecosystem. We advise our clients to maintain relationships with government agencies, law enforcement, and trusted security vendors to support healthy dialogue and open information exchange.
- Update documentation regularly – As your organisation grows and roles change, it’s important to update documentation related to who’s involved in incident response activities. Updating contact information for vendors such as your ISP, external incident response support, and other providers is equally important.
For more insights and analysis of the global cyber threat landscape, download the Executive’s Guide to the 2017 Global Threat Intelligence Report. Register for our webinar here and discuss the findings live with us.