An analysis drawing on three years’ worth of data gathered by Verizon has revealed that while many enterprises assert they have cyber security incident response plans in place, in many cases those IR plans are poorly constructed and rarely, if at all, updated or tested.
The Incident Preparedness and Response Report prepared by the Investigative Response Team of the Verizon Threat Research Advisory Center (VTRAC) and released earlier this year is based on assessments of incident response plans and recommendations emerging from data breach simulation exercises the company has run with its customers.
While 79 per cent of organisations assessed by Verizon over the period 2016-2018 had an incident response plan in place, fewer than half (48 per cent) had what VTRAC considered a “logically constructed, efficient” plan.
“If you look from a 40,000-foot view perspective, from a ‘checking the box’ perspective, you will see that organisations do have an IR plan,” VTRAC managing principal Ashish Thapar told Computerworld.
However, closer scrutiny frequently reveals significant flaws, including IR plans that don’t cite external and internal cyber security and incident response governance and standards, he said.
“Thirty-eight per cent stated that they had no legal or regulatory requirements,” he said. Forty-one per cent of the organisations “partially” cited applicable regulatory requirements in the IR plan. “So that's impossible, right?” Thapar said. “Especially in today's world, where there are local or regional requirements, not only from a legal standpoint but also from a regulatory standpoint.”
Beyond domestic rules, some regimes, such as the EU’s GDPR, have global implications, he said.
“Having organisations not cover those important elements in their IR plan actually impedes their ability to understand what they really need to be prepared for, and what could be the impact if they are not prepared,” Thapar said.
In addition, only 40 per cent of the plans assessed by VTRAC “specified periodical reviewing, testing, and updating IR Plans,” the report stated.
“When we start going through the deeper layers, we start peeling off one layer at a time, we see that, actually, only 40 per cent of the organisations explicitly specified that it was to be periodically reviewed, tested, and updated,” Thapar said.
“They don't realise that this has to be a living document,” he said.
“Sometimes compliance requirements or regulatory requirements state that you have to have this kind of a document,” he added. “So organisations create such a document — and of course, there are templates available — but what they don't realise is that this document is just a guideline document. You have to have a very solid process, practice, understanding and maturity in an organisation to really ‘live’ this document on a daily basis.”
“It shouldn't happen that an auditor comes in and you show them an IR plan, and when you go back to your stakeholders and ask them ‘who will do this’ everybody starts pointing fingers at each other,” he said.
“That's where the confusion starts,” Thapar added. “And we have seen this. When we do investigations, I can tell you we have seen very, very, bad situations with companies.”
Sometimes organisations, particularly larger ones, can be hampered by the opposite problem of getting bogged down in bureaucracy.
“I think there is a fine balance that organisations need to achieve,” Thapar said. “And that can only come with testing. That's very, very important: testing it every year, maybe twice a year or once in a quarter. It depends. The more you test it, the more you refine it to the specifics of your organisation.”