According to a recent poll carried out by cybersecurity firm NTT Security, 59% of respondents said that they were not confident that they could resume “business as usual” 24 hours after a cybersecurity incident. The poll was conducted over Twitter and attracted approximately 5,500 participants.
Businesses were also asked about what their main concerns were when responding to a security incident. 59% of respondents said that they were concerned about a “lack of skills in house”, whereas 41% were concerned about a “lack of budget”. 64% of respondents said that “mitigating the threat” was their number one priority during the first 24 hours of a security incident, while 36% said their number one priority was “identifying the cause”.
Incident Response Plans Are Underutilized
According to a study carried out by the Ponemon Institute, 77% of respondents still lack a formal incident response plan (IRP), or at least one that is consistently applied across their organization. This figure changes little from one year to the next, as does the widely held belief that “it’ll never happen to us”. Having an incident response plan in place is crucial to minimizing the impact of a security incident. Given that the respondents of the NTT poll felt that a lack of skills and funding was a primary concern, businesses may need to focus more of their attention on automation.
Incident response consists of seven widely cited stages, which include Preparation, Identification, Data Access Security, Containment, Eradication, Recovery and Lessons Learned. There is plenty of information about these stages online, including this seven-step plan to better incident response, so I won’t provide an explanation about them here. However, the implementation of each of these stages can be greatly improved with the right technologies.
How to Improve Incident Response Implementation
These days there are a number of affordable tools which can automatically discover and classify a wide range of data types such as protected health information (PHI), payment card information (PCI), National Insurance numbers, and a lot more.
Additionally, some classification tools can automatically encrypt sensitive data as it is stored. Discovery and classification is a crucial stage in data security as it makes it much easier to assign the correct privileges to the correct types of data. There are a number of DCAP (Data-Centric Audit & Protection) solutions which provide data discovery and classification functionality “out of the box”.
DCAP solutions are designed to streamline the process of identifying suspicious user activity. They enable administrators to detect any deviations from what are considered “normal” patterns of behavior and can automatically detect changes to user accounts and any sensitive data they are assigned to. If a suspicious event has been detected, an alert can be sent to the organization’s security team to enable them to investigate and respond to the incident in a timely manner.
Alternatively, an automated response can be initiated which can stop a specific process, disable a user account, shut down the server or anything else which might prevent the attack from spreading. DCAP solutions can monitor privileged mailbox accounts, detect and manage inactive user accounts, and a lot more. Naturally, when dealing with security incidents, visibility is key.
DCAP solutions provide companies with a dashboard where they can view a summary of all events that have taken place. They can also generate a wide range of customizable reports, which can be used to satisfy regulatory compliance requirements and provide the insight necessary to carry out a forensic investigation. Once the threat has been identified and removed, administrators are required to restore their system to its operational state. If all that was affected was user account permissions, a DCAP solution can simply roll back or restore any changes that were made.
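As an added illustration of the deviation detection, automated response and permission rollback described above (example code written for this page, not LepideAuditor or any vendor's implementation; the audit record format, classification labels, sample events and response names are all constructed assumptions):

```python
from collections import defaultdict, namedtuple
# One audit record: label is the classification tag assigned at discovery ("PHI", "PCI", "public");
# detail is used only by acl_change events, as "grant:<principal>:<right>" or "revoke:<principal>:<right>".
Event = namedtuple("Event", "user action resource label hour detail", defaults=("",))
SENSITIVE = {"PHI", "PCI"}

# Constructed baseline window: what "normal" looked like for two users.
BASELINE = [
    Event("alice", "read", "/hr/records.db", "PHI", 9),
    Event("alice", "read", "/hr/records.db", "PHI", 14),
    Event("bob", "read", "/marketing/plan.docx", "public", 10),
]
# Constructed current window: normal traffic with three deviations mixed in.
CURRENT = [
    Event("alice", "read", "/hr/records.db", "PHI", 9),     # within baseline
    Event("alice", "read", "/hr/records.db", "PHI", 3),     # hour never seen for alice
    Event("bob", "read", "/finance/cards.csv", "PCI", 10),  # PCI data bob never touched
    Event("bob", "acl_change", "/finance/cards.csv", "PCI", 10, "grant:bob:write"),
]

def build_baseline(events):
    """Per user: the resources and hours of day seen during the baseline window."""
    profile = defaultdict(lambda: {"resources": set(), "hours": set()})
    for e in events:
        profile[e.user]["resources"].add(e.resource)
        profile[e.user]["hours"].add(e.hour)
    return profile

def detect_deviations(events, profile):
    """Return (user, alert_type, resource, automated_response) for each suspicious event."""
    alerts = []
    for e in events:
        p = profile.get(e.user, {"resources": set(), "hours": set()})
        if e.action == "acl_change" and e.label in SENSITIVE:
            alerts.append((e.user, "acl_change_on_sensitive", e.resource, "disable_account"))
        elif e.label in SENSITIVE and e.resource not in p["resources"]:
            alerts.append((e.user, "new_sensitive_resource", e.resource, "alert_team"))
        elif e.label in SENSITIVE and e.hour not in p["hours"]:
            alerts.append((e.user, "off_hours_access", e.resource, "alert_team"))
    return alerts

def rollback_plan(events):
    """Inverse ACL operations that restore permissions changed on classified data."""
    inverse = {"grant": "revoke", "revoke": "grant"}
    plan = []
    for e in events:
        if e.action == "acl_change" and e.label in SENSITIVE:
            op, principal, right = e.detail.split(":")
            plan.append((inverse[op], principal, right, e.resource))
    return plan
```

Running `detect_deviations(CURRENT, build_baseline(BASELINE))` yields three alerts (an off-hours PHI read, a first-time PCI read, and an ACL change on PCI data), and `rollback_plan(CURRENT)` yields the single revoke needed to undo the permission change.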
Learn more about LepideAuditor, a Data Security Platform providing DCAP functionality.