Make the Right Play: Document and Automate Incident Response Processes


30/10/2019


Defined processes have the biggest impact on the ability to react swiftly to incidents in incident management.


Skill, knowledge, passion. You expect all of these from top football players in much the same way that you expect them from top corporate security professionals. But, even with the best and brightest on the field, imagine what would happen if they didn’t have a playbook from which to work? Chaos! Players wouldn’t know where to be, how to offer support or what their individual roles were. You can almost picture players running in circles, bumping into one another and getting in the way of defensive actions like little kids who are just learning the game.

Of course, simply having a playbook does not 100% ensure success, but it does reduce some of this confusion. It minimizes mistakes. And, most importantly, it can save precious moments that mean the difference between scoring a goal and losing the game.

Like play on the field, swift, effective incident response requires a playbook so that all stakeholders know what is happening and what is expected of them.

IT Professionals Want Corporate Security Processes

In a recent survey of IT professionals throughout Germany, Brazil and the US, most (61%) indicated that they were dealing with security incidents at least once per week. And, half reported that their businesses have lost money due to attacks. These alone are frightening numbers. They lend authority to the claims about how much danger exists from cyberattacks.

While those surveyed had different opinions about how well prepared their businesses are to respond to incidents, there was no disagreement on one fact: Across the board, IT professionals agreed that having more clearly defined processes for incident management would have the biggest impact on swiftly handling incidents.

But, why is this so important?


Incident Response Happens Faster

A well-known industry fact is that being able to respond quickly to an incident reduces its overall impact. In fact, the 2019 IBM Cost of a Data Breach Report stated that taking longer than 200 days to contain a breach costs companies an additional USD 1.2 million.

When corporate security processes are clearly defined, responses happen faster every step of the way:

  • Those who first become aware that a breach has occurred know what to do to report the incident.
  • The incident response team knows how to initiate emergency efforts.
  • Leadership and regulatory organizations are made aware of the situation almost instantly and can swiftly get involved.
  • The public relations team can start implementing a plan to protect consumer trust.

When well-defined processes are in place, everyone understands his or her role and can spring into action instead of waiting around for direction and coordination that could waste valuable time and money.

Processes Make Documentation and Compliance Easier

Of course, once the incident has been contained, forensic efforts and compliance issues become critical. Here again, having processes in place helps to reduce the workload for your incident response team. From the moment an incident is suspected, documentation should begin and clear guidelines should specify what details must be captured.


Each organization is different, but processes should define how and what to document. For instance, your team might use a ticket system to securely capture information like:

  • Names and contact information of impacted users
  • Incident description
  • Uneditable date and time information
  • Details of remediation steps
  • Updated information about configuration items
  • Notification history

Not only do documentation processes help capture relevant details as the incident is unfolding, but they can also aid in proving that compliance requirements were handled as necessary: Were the right people informed at the proper times? Were the appropriate actions taken to mitigate the impact of the incident?

Process Automation Reduces Errors

And, of course, there is no room for error when an incident occurs. Documented processes are a great first step: They lend structure and order during a time of chaos.

But, manually following these processes can be challenging and can lead to mistakes. Perhaps key personnel aren’t notified as expected. Or, maybe an incident is mistakenly classified. Whatever the case may be, when human beings are responsible for following a process, there’s room for mistakes.

Incident response automation can step in to help reduce these errors. Many events that are routinely handled during the incident response effort can be initiated and integrated through technology. Notifications can be triggered automatically. Data can be gathered from multiple sources instantly. Approvals can be requested as soon as all necessary details have been documented. Status and dashboards can be updated seamlessly. Automation helps move the documented processes forward in a more error-free way.
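As an added illustration (not code from the article or from any product), the sketch below combines the ticket fields listed earlier with the automation described here: notifications fire when the incident is opened, approval is requested as soon as every required detail is documented, and each timeline entry is hash-chained so that edited timestamps are detectable. The field names, routing table and `incident-manager` approver are assumptions of this example.

```python
import hashlib, json
from datetime import datetime, timezone

# Ticket fields taken from the article's list; the key names are this example's own.
REQUIRED = ("impacted_users", "description", "remediation_steps",
            "configuration_items")
# Hypothetical routing table: who is notified at each severity.
ROUTES = {"low": ["ir-team"],
          "high": ["ir-team", "leadership", "public-relations"]}

class Incident:
    def __init__(self, severity, clock=lambda: datetime.now(timezone.utc)):
        self.severity, self.clock = severity, clock
        self.fields, self.log = {}, []
        self.approval_requested = False
        for who in ROUTES[severity]:      # notifications are triggered automatically
            self._append("notified", who)

    def _append(self, kind, detail):
        # Every entry commits to the previous entry's hash, so a later change to
        # any timestamp or detail breaks verification of the timeline.
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"ts": self.clock().isoformat(), "kind": kind,
                 "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def record(self, field, value):
        if field not in REQUIRED:
            raise KeyError(field)
        self.fields[field] = value
        self._append("documented", {field: value})
        # Approval is requested once, as soon as all required details exist.
        if not self.approval_requested and all(self.fields.get(f) for f in REQUIRED):
            self.approval_requested = True
            self._append("approval_requested", "incident-manager")

    def notification_history(self):
        return [e["detail"] for e in self.log if e["kind"] == "notified"]

def _digest(entry):
    payload = {k: entry[k] for k in ("ts", "kind", "detail", "prev")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def verify(log):
    """Return True only if no entry in the timeline was altered or reordered."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["hash"] != _digest(e):
            return False
        prev = e["hash"]
    return True
```

A hash chain makes edits detectable rather than impossible, so the latest hash should also be stored somewhere the ticket system's administrators cannot rewrite.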

Automation can help reduce costs too. In fact, in Accenture’s 2019 The Cost of Cybercrime report, one of the top three recommendations for improving cyber security value was that “Automation and advanced analytics can be used to investigate cybercrime and enhance recovery efforts, as well as being applied to supplement the work of scarce specialist security personnel.”

As a cyber security expert, it worries me that so many IT professionals report that their organizations encounter attacks at least once a week, because very few of these are ever reported. Clearly the threat is even more prevalent than what makes headlines. For this reason, I encourage companies to take steps immediately to protect themselves. Clear incident response processes and automation are necessary to keep businesses safe from inevitable cybercrime encounters.

Photos: Jana Sabeth on Unsplash
