In my last blog entry, I discussed the first of three foundational elements for a security program: all of the people who interact with your organization’s systems and data. In this post we’ll tackle the next element of cyber security—policy and process.
For the purposes of this post, I am going to use these two terms synonymously. Policy is a critical element of security in large part because it functions as the bridge between people and technology (which I’ll tackle in the next installment of this series).
A robust security policy comprises several critical components, including testing and optimization, and risk management planning. But in this post I want to focus specifically on incident response planning because it is essentially the barrier between you and chaos.
This entire blog series is structured around the idea of adopting an “assumption of breach” philosophy. That means that even if your organization has resources devoted solely to security, such as well-trained users who can identify malicious threats and the latest and greatest technology, at some point you will be breached. Without an incident response plan, when that breach occurs you have no choice but to respond on the fly, which is problematic for several reasons.
First, when that breach occurs it is human nature for panic to set in—and panic leads to rushed decision-making and errors. Just the knowledge that there is a response plan in place helps keep your organization from descending into chaos. A documented plan also ensures that you don’t miss critical steps in the remediation process. This is because your policy preparation forces you to ask all of the most important questions that typically arise in the minutes after a breach is confirmed, such as:
- Who do I need to notify in my organization?
- What data was exposed?
- What technology or process should I use to determine if the breach is real?
- Will I need to alert customers?
- Do regulatory agencies or law enforcement need to be involved?
- Who is my backup?
It is also essential that any incident response plan be regularly reviewed, evaluated, practiced and updated. New threats are emerging constantly, so a static, outdated policy will have little value once that inevitable breach takes place.
This area is still a blind spot for many organizations. A recent Experian survey found that 81 percent of organizations do have a response plan in place, up from 73 percent in 2014. Unfortunately, 45 percent of respondents say their organization either never practices responding to a breach or waits more than two years in between run-throughs. Additionally, only 34 percent of respondents were confident that their plan was effective. Drafting a response policy is a great start, but it is not the finish line—just like new technologies replacing legacy solutions, security processes must be continuously improved as well.
We’ve now covered two of the foundational elements that make up a security program. In the fourth and final installment of this series, I’ll discuss the role technology can and should play in a cyber security program.
I encourage you to read the entire blog series where we discuss how you can implement a strategy that allows your business to operate confidently and without fear.