I had the pleasure of attending the "Do Data Breaches Matter? Mitigating Impact" session at the SC Congress last month ( details here http://www.sccongress.com/london/programme/section/4505/ ).

The panel consisted of:

  • Beverley Allen CISA, Information Security Professional, Independent
  • Bob Tarzey, Analyst and Director, Quocirca
  • Sarb Sembhi CISM, CTO CISO DPO, Virtually Informed

There were some great points made on incident response, which I've summarised below:

The stages of incident response

The actions that follow once a detected incident turns out to be a breach fall into the stages below:

Stage 1 - The company wonders why it has been attacked and is in shock at discovering it has been successfully compromised.

Nothing useful happens during this stage: no containment, no response.

Stage 2 - Staff ask "What do we do? What's the plan? Where's the plan?"

A lack of leadership shows up here.

People will also think they know better than the plan and act independently.

It will become apparent that the plan has never been tested and does not work in practice.

Stage 3 - Dealing with the breach

I.T. teams are likely to take control of the situation because the compromise will be I.T. based, and they will fall back on, or create, informal processes if no formal processes are available.

Internal teams may make land grabs during incident response, or actively avoid responsibility in order to avoid blame; both responses are counter-productive.

Stakeholders will want updates during the incident and afterwards; this communication capability should be planned for, not improvised.

Everyone has a role, even if that role is staying out of the way.

Stage 4 - After the breach has been resolved

It is important here to review the actions that took place in the previous stage, so that the breach can be learnt from in future. If an ad-hoc response method was used, it is extremely unlikely that sufficient information (a record of who did what, when, and why) will be available for that review.

While the impact on share price and customer trust can be insignificant over the longer term, don't underestimate the effect of damaged staff morale on the long-term viability of the business, and expect scrutiny by regulators and auditors to be intense and ongoing.

Stage 0

Not a term that was used on the day, but looking at the stages above, much of the conversation covered what is required before an incident response plan ever has to be initiated:

Part of thinking ahead is determining who is in charge of the breach response, who should be contacted, and how.

This is the most important stage to get right, and it is the foundation of good practice in all the other stages.

"Companies don't have time to be breached, so make time now for your preparation" - Sarb Sembhi.

"You have to do all of your thinking up front, test it, and test it again" - Beverley Allen.