Threat Intelligence

07:00 AM
Connect Directly

Incident Response: Having a Plan Isn't Enough

Data shows organizations neglect to review and update breach response plans as employees and processes change, putting data at risk.

Businesses are slowly improving their data breach plans, but lack of executive involvement, failure to review and update plans, and regulatory and compliance challenges prevent them from being able to respond to security incidents with increasingly severe consequences.

A new study – entitled "Is Your Company Ready for a Big Data Breach?" – conducted by the Ponemon Institute and commissioned by Experian, polled 643 professionals in IT and IT security on their organizations' data breach response practices.

They learned 52% of respondents rate their response plans as "very effective," slightly up from 49% one year prior and 42% in 2016. Still, only 36% feel sufficiently prepared to respond to incidents involving business confidential information and intellectual property.

It's slow-going progress at a time when more businesses are disclosing breaches and realizing their far-reaching effects. Nearly 60% of respondents reported a data breach in 2018. Of those, 73% reported multiple. Incidents are causing greater financial damage: A 2018 Ponemon study showed the average consolidated cost of a breach is $3.86 million. Fear of reputational damage is also top-of-mind among 27% of respondents who believe a breach would tarnish their brands.

Most (92%) companies have a data breach notification plan in place. The problem is, most companies with a breach response plan fail to adapt to change. Forty-two percent of respondents have "no set time period" for reviewing and updating their response plans, and 23% haven't reviewed or updated their plans since it was put in place – "which may be years at a time," says Michael Bruemmer, vice president of data breach resolution at Experian.

"Where we see simple mistakes being made it, the plan is set on the shelf and done once, then employees and processes change and they don't update the plan," he explains. "In data breach response, timing and accuracy of information is really important."

It's one thing to have a good response, but there's a great penalty if your company suffers multiple security incidents and doesn't alter its plan to reflect what was learned from them. It should regularly follow up, update the plan, and practice the process of incident response, researchers note in the report.

Unpacking Response Plans
Which incidents do companies plan for? Most (87%) plans include guidance on how to handle a distributed denial-of-service (DDoS) attack that could cause system outage, 80% address loss or theft of personally identifiable information (PII), and 79% address loss or theft of data on customer associations that could lead to brand damage. About three-quarters include guidance on loss or theft of payment data; 73% address loss or theft of intellectual property or confidential business data.

"Many companies are among those that recognize the sensitive PII in their possession and know they are an attractive target," Bruemmer says. They know they need to have a plan regardless of whether they've already been hit. Still, "a vast number of businesses only learn that their company needs to have a plan in place once the security incident occurs," he adds.

Bruemmer advises organizations to form a data privacy program or job-specific security or privacy training program for employees who have access to PII and other sensitive information. Twenty-seven percent of businesses don't have this type of program, he adds, and people who have admin access and handle PII should be trained on how to avoid cyberattacks.

"The blanket approach that everyone takes the same training ... that used to be the norm five years ago. That can't be the norm now," he explains.

Breach Response's Biggest Burdens
Cloud complicates breach response, researchers report. Sixty-three percent say lack of visibility into end users' data access is their biggest barrier in improving breach response. Sixty percent say the proliferation of cloud services is another major challenge, and 43% are concerned about the lack of security process for third parties that handle their corporate data.

Lack of expertise may have fallen in fourth place, listed among only 37% as a barrier to breach response, but more people have cited this as an obstacle over the years. Less than one-third worried about lack of expertise in the 2017 survey, which was up from 29% the year prior.

Some types of security incidents pose a greater challenge than others. Only 21% of respondents expressed confidence in their ability to handle ransomware attacks, and 24% said the same for spear-phishing, researchers found. Less than half (47%) educate employees on spear-phishing.

Organizations also face compliance and regulatory challenges, Bruemmer points out. The EU's General Data Protection Regulation (GDPR) went into effect in May 2018; since then, 59% of respondents report their organizations' plans now include processes to handle an international data breach, up from 51% in 2016. However, GDPR rules are tough to comply with, and only 36% of companies say they have a high ability to comply with the data breach notification rules.

It's Time for Execs to Chip In
Senior leadership's involvement in breach response is "mostly reactive." C-suite and board members mostly want to know whether a material breach took place and generally don't know about the specific security threats to their organizations. Only 22% of respondents say the C-suite regularly participates in response plan reviews; 10% say the same for board members.

About half (49%) of respondents say executives don't know about response plans, and 81% think their response plans would be more effective with executive involvement. They also cite a need for more drills to practice incident response and for more skilled infosec employees.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-25
A weak password recovery process vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via a hidden Close button
PUBLISHED: 2019-03-25
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-...
PUBLISHED: 2019-03-25
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, ...
PUBLISHED: 2019-03-25
D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-8...
PUBLISHED: 2019-03-25
Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD5 before allows remote attackers to inject arbitrary web script or HTML via the popup title parameter.