Cybersecurity Incident Response Plans Need Far More Attention

By Robert Ackerman Jr.

Late last summer, T-Mobile, a major cellphone service carrier, once again made negative headlines on the cybersecurity front. It announced that hackers had stolen information it held on more than 50 million people, some not even current customers, including their names, Social Security numbers and driver’s license numbers.

Such breaches, unfortunately, have become common. But they are downright rampant at T-Mobile.

This attack marked its fifth breach since 2018 and, in fact, the company suffered yet another breach – albeit apparently a small one – late in December. In this case, it reported that attackers had accessed the accounts of “a small number of” customers, who fell victim to the theft of personal information and/or so-called SIM swapping attacks, which often enable hackers to bypass two-factor authentication.

This run of bad press isn’t as rare as it may sound, because many breached companies are breached yet again within a year, raising the question of whether companies are doing enough to bolster cybersecurity. Most are spending more on improved cybersecurity technology, but many companies and their employees still aren’t carrying their weight. Among the biggest causes of breaches, for instance, is spear phishing, which succeeds mostly because employees too often fail to spot it and so cannot sidestep it.

A particularly big corporate weakness is a widespread lack of broad and thorough Incident Response Plans (IRPs) – specific directions for dealing with specific attack scenarios to mitigate damage and reduce breach recovery time and clean-up costs. Without an IRP in place, companies may not know enough to contain an attack and may not even detect it – and hence risk losing a chunk of their customer base. A data breach obviously never instills confidence in customers, but the reputational damage is substantially mitigated if the breach is rapidly and professionally addressed.

In the big picture in security, improvement of IRPs is hardly all companies must do to mitigate cyber breaches. Other needed steps include the adoption of more automation to monitor intrusion detection systems, better cybersecurity training of rank-and-file employees, and more creative hiring of cybersecurity professionals to address a mammoth talent shortfall.

Nonetheless, IRPs arguably belong at the top of the list of required cybersecurity improvements because the fact is that virtually all sizable companies have already been breached and may well be again, or eventually will be breached. This makes a strong incident response plan imperative.

A few statistics are telling. According to SECUDE, a global security solutions provider, 27 percent of Fortune 500 companies have experienced major data breaches in the past decade. These businesses typically have the most expansive cybersecurity protection. In addition, in a survey by Black Hat USA, nearly two-thirds of security pros polled said they believe their organizations will have at least one major cybersecurity breach over the next 12 months.

Given this, it’s clear that there is a huge disconnect between the breach landscape and the rate at which corporations are embracing Incident Response Plans. According to a global survey of business preparation for cyberattacks in 2020 conducted by Ponemon Institute and sponsored by IBM Security, organizations have slowly improved their ability to plan for and respond to cyber-attacks – but, ironically, have less ability today than in recent years to contain an attack. Among the reasons, according to the Ponemon survey, is a lack of specific playbooks for common types of attacks.

Most disturbing, the survey also found that the vast majority of organizations surveyed – 74 percent – have no IRPs at all or implement their plans inconsistently.

Clearly, companies must do better. What specific measures should they adopt in creating a strong IRP, preferably applicable to both big and small companies? Here are some tips:

+ Preparation. For starters, assemble the players on the Incident Response Plan team. After choosing them, make sure their contact information is stored and that they understand their particular role and how they fit into the team. A team member – one equipped with a line of communication to management – has to be appointed to take overall responsibility for incident response and be empowered to act quickly.

+ Detection and analysis. The goal is to stop the breach as quickly as possible. The National Institute of Standards and Technology provides a list of some of the more common methods of attack, which can be used as a starting point to determine how and where the attack originated. The company should also consider its security vulnerabilities and whether an attack was launched against one of them. Breached accounts must also be disconnected and targeted departments shut down.

+ Containment and recovery. When hit by a breach, resist the instinct to securely wipe every possibly affected system in a bid to get rid of the culprit. This isn’t good in the long run because you would be destroying important evidence required to determine where the breach started and to devise a plan to prevent a repeat attack. Instead, contain the breach so it doesn’t spread and further damage the company.

+ Eradication. After containment, find and eliminate the root cause of the breach. All malware must be securely removed. Security patches need to be installed and passwords for users with breached accounts may also need to be reset. Updates also should be applied.

+ Post-incident priorities. Analyze how you can identify similar incidents in the future and stop them more quickly. Assess the cause of the incident and the severity and damage. And begin the notification process. Privacy laws such as California’s Consumer Privacy Act and Europe’s General Data Protection Regulation require public notification of a breach. Affected parties should also be notified to help protect them from identity theft or other fallout.

A process of continual improvement is necessary, in part because cyber-attacks are always evolving. After everything is cleaned up, a post-event meeting with the IRP team is essential to learn what can be gleaned from the data breach. Document the findings and determine what went well in the IRP and what did not. Lessons learned from real and mock events strengthen systems against future attacks.
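As an added illustration that is not part of the article, the five phases above expressed as a small Python playbook tracker: it refuses to let a step run out of order, refuses detection work until an empowered incident lead is named, and refuses containment until evidence has been preserved, which is the caveat in the containment step. The class, role names and the constructed incident used in the comments are assumptions.

```python
from dataclasses import dataclass, field

# Phase order from the article; each phase may only be entered from the one before it.
PHASES = ["preparation", "detection", "containment", "eradication", "post-incident"]


class PlaybookError(Exception):
    """Raised when a step is attempted out of order or without its prerequisites."""


@dataclass
class Incident:
    name: str
    responders: dict = field(default_factory=dict)  # role -> contact (assumed roles)
    evidence: list = field(default_factory=list)    # artefacts preserved before wiping
    isolated: set = field(default_factory=set)      # breached accounts disconnected
    notified: set = field(default_factory=set)      # parties told about the breach
    phase: str = "preparation"

    def _advance(self, target):
        if PHASES.index(target) != PHASES.index(self.phase) + 1:
            raise PlaybookError(f"cannot enter {target} from {self.phase}")
        self.phase = target

    def assign(self, role, contact):
        # Preparation: store the team's contact details and roles up front.
        self.responders[role] = contact

    def detect(self, *breached_accounts):
        # Detection needs someone empowered to act quickly, or work stalls.
        if "incident lead" not in self.responders:
            raise PlaybookError("no empowered incident lead assigned")
        self._advance("detection")
        self.isolated.update(breached_accounts)

    def contain(self, *evidence_items):
        # Containment must preserve evidence before anything is wiped.
        if not evidence_items:
            raise PlaybookError("preserve evidence before containing")
        self._advance("containment")
        self.evidence.extend(evidence_items)

    def eradicate(self):
        # Eradication: returns the accounts whose passwords must be reset.
        self._advance("eradication")
        return sorted(self.isolated)

    def close(self, *parties):
        # Post-incident: record notifications and summarise what was kept.
        self._advance("post-incident")
        self.notified.update(parties)
        return {"evidence": len(self.evidence), "notified": sorted(self.notified)}
```

A constructed run would assign an incident lead, call detect with the breached accounts, contain with a disk image as evidence, then eradicate and close; skipping any of those steps raises PlaybookError.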
