Data security breaches are inevitable … as demonstrated by TalkTalk [TalkTalk customer details at risk, after yet another internet attack]. Granted, protecting data is an important aspect of business life, but too much time is spent on defending information infrastructures and very little on managing a security breach, otherwise known as incident response. Little or no resource is set aside for identifying the operational issues that need to be addressed in order to implement an effective and efficient incident handling capability.
Interestingly, this very point was noted in a report commissioned by HM Government:
"it is notable that there has been a lack of progress amongst small organizations in developing information security policies. Since 2012, there has been little change in the percentage of small organizations that have formally documented an information security policy, but the trend in those organizations suffering a breach has increased over this same time"
In the hectic and complex business world, with small businesses believing themselves to be secure, it is understandable that they have little regard for identifying appropriate incident response services, policies, and procedures. They are a business, and other aspects of running a business have greater urgency, so no consideration is given to the nature and scope of an effective incident response. This can be very costly, especially if the business is unable to persuade current customers [and, more importantly, potential customers] that their personal and financial details will be kept safe and private.
Given that small businesses regard a cyber security breach as a one-off event, naturally very little consideration will be given to the business functions that make up the incident response service; how those functions interrelate; how they interact with other internal business functions; and the tools, procedures, and roles necessary to implement an effective response.
This was also noted in the same report commissioned by HM Government: two-thirds of the organizations that did suffer a data breach did not take
"the time to assess what happened, understand the causes and implement measures which would prevent breaches from recurring. Failure to perform a review and learn the lessons will most likely increase the chance of a recurrence"
Again, as demonstrated by TalkTalk [TalkTalk customer details at risk, after yet another internet attack].
I suspect the normal reaction for the majority of UK businesses caught up in a similar data breach situation would be something very similar to a rabbit caught in a car’s headlights: paralyzed by the media spotlight, with no plan.
But businesses need a plan, and in a series of future blogs I will outline a simple and cost-effective way of building an incident response plan.