Too often, when a security event happens, businesses have no response plan in place, adopting an 'all-hands-on-deck' approach that sees various individuals and teams battle to evaluate the impact of the incident.
There is no clear understanding of who should do what, what the business should communicate to its customers and how, and - most importantly - how it can limit the damage.
This is where having an incident response (IR) plan becomes crucial. A clear and concise IR plan will test a business' ability to respond in the event of an incident, minimise the impact and strengthen the defences against future attacks.
The ultimate goal is to manage the situation so that it limits the damage to the organisation, while lowering recovery time and costs.
So, where are businesses going wrong when it comes to IR?
O'Shea Bowens, founder of Null Hat Security LLC, which focuses on incident response, Security Operation Centre (SOC) training and blue team engagements, says businesses need to look at what areas of the response program reflect reality and ask whether the security team is up to the challenge.
The strength of an incident response program can only be assessed during an audit or a breach, Bowens points out. However, there are methods that give individuals who are not part of the IR team better insight into the effectiveness of the program.
Speaking of what businesses should be doing better, Bowens says they should be testing their capabilities regularly, as well as testing their staff. "At Null Hat, this is a massive focus: quality assurance of the SOC's personal skill sets and knowledge."
Bowens will be presenting on 'Hacking incident response' at the ITWeb Security Summit 2018, to be held from 21 to 25 May, at Vodacom World, in Midrand.