A new breach readiness survey found that far too many companies are dragging their feet on establishing formal incident response plans.
The survey, published by RSA on Tuesday, compared the responses of 170 security practitioners in 30 countries, with feedback from members of the Security for Business Innovation Council (SBIC), which served as a “best practices benchmark” for the study. The SBIC consists of security execs from Global 1000 companies, like General Electric Global CISO Timothy McKnight, Johnson & Johnson Worldwide VP of Information Security Marene Alison and JP Morgan Chase CIO for Commercial Banking Anish Bhimani.
Unsurprisingly, all 12 members of the SBIC who participated in the survey, including McKnight, Alison and Bhimani, said that their companies had formal incident response plans (IRPs) in place. Within the larger pool of non-SBIC respondents, however, 30 percent said they did not have such plans implemented – and among those who did, 57 percent admitted to never updating or reviewing their IRPs.
In the report (PDF), “incident response” is defined as a “comprehensive, premeditated approach to protecting applications, data and information infrastructure from cyber-attacks.”
“Process, people, procedures and technologies are core elements of a thoughtful incident response plan,” the report continued. “Incident response planning is dynamic. Enterprises that fail to evaluate incident response plans against new threats expose their systems, data and infrastructure to attack.”
The survey measured breach readiness across four major areas: incident response, content intelligence, analytical intelligence and threat intelligence. Of note, another major gap between the SBIC respondents and the answers representing the industry “at large” was in the threat intelligence category. When asked whether their organisation augmented internal threat intelligence with data from external sources, all of the SBIC respondents said that they did. Only 43 percent of the industry at large said the same, however.
In an interview with SCMagazineUK.com, RSA's Chief Trust Officer Dave Martin, an SBIC member who also participated in the survey, said that there are many forms of external intelligence available to enterprises so that they are “not just relying on basic signatures and patterns [they've] determined internally” to identify and properly respond to breaches.
“[They can ask] what happened to a competitor last night?” Martin offered. “Can you bring that back to your environment to see what's happening now, or go over the last 30 days worth of data to see if it happened previously?”
In the report, the SBIC advised that a combination of vulnerability data, open source threat data, and external threat intelligence feeds from third parties be collected as a threat intelligence best practice. According to Martin, industry-specific ISACs (information sharing and analysis centres) have particularly served the finance and health care sectors well in improving preparedness, due to alerts on threats that are targeted in nature.
When establishing incident response plans, he added that organisations must keep in mind that they need to know what they can do to be prepared for a breach, “not assuming ‘it won't happen to us; it will happen to someone else.’”
Ben Doyle, CISO, Thales Australia and New Zealand, echoed his sentiments in an email to SC: “People and process are more critical than the technology as it pertains to incident response. First, a security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour. But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organisations improve response procedures over time.”