#Infosec16: Beware Incident Response Sucker Punch

A serious cybersecurity incident can hit an organization like a punch in the face, forcing IT teams out of their comfort zone even if they have a pre-formed response plan, according to a leading infosec boss.

Vicki Gavin, head of business continuity and information security at The Economist Group, claimed in a panel debate today that infosecurity leaders must deal with missing and incorrect data when an attack strikes.

Quoting Mike Tyson’s famous “everyone has a plan ‘til they’re punched in the mouth” remark, she explained that incident response teams must still find a way to make the best decisions they can.

To ensure they stand the best chance of success, IT security bosses must ensure “every single person knows what to do,” via repeated training and exercises, she added.

“Something bad will happen. I don’t know what or when it will happen. It doesn’t matter how high I build my walls the cyber-criminals will get through,” argued Gavin.

Instead of entering a cyber arms race in an attempt to stay one step ahead of the black hats, Gavin’s preventative strategy is to ensure staff form the first line of defense against attacks. Hacktivists trying to gain access to systems via phishing attacks are among the biggest threats to the publisher, she added.

To train staff in how to spot such attacks, she ran a five-week competition with the incentive of a prize for those who performed well.

“Once people know something you can count on them knowing it forever,” Gavin claimed.

It’s a position slightly at odds with experts sitting on a similar panel yesterday, which argued that awareness raising doesn’t always change behavior.

CISO Andrew Rose claimed that despite knowing the health risks, many of us continue to smoke – an analogy which neatly illustrates how awareness raising isn’t always effective in achieving the outcomes you want.

Other experts on the panel debate today have different ways of dealing with user training programs – proving that IT bosses must choose the best fit for their organization.

Vodafone has run quirky, viral-style comedy videos to educate staff, according to the firm’s global head of cyber defense, Andy Talbot, while ING Wholesale Bank CISO, Hem Pant, claimed he’s using gamification techniques.

Talbot advised security bosses to get the basics right – things like patching, vulnerability scanning and tightening access controls – and to try to be more proactive and adaptive in their approaches to match an increasingly agile foe.

He added that sometimes innovative data scientists can be brought in to help track threat info – even if they don’t have a background in information security.

Other advice from the panel – echoed throughout the show – is to engage PR, legal and other teams now so that everyone knows their role and is ready to jump into action when an attack strikes home.
