Infosecurity Europe 2013: Security teams must plan for breaches

No organisation can make itself completely secure. And this makes it all the more important to have an incident response plan in place for when a breach does happen.

This was the focus of a panel discussion at Infosecurity Europe 2013, which looked at how organisations can prepare an enterprise-wide response to cybersecurity incidents, and ensure that all parts of the business, not just IT, are ready when the worst does happen.

But the key, the panel found, was to focus less on technical security measures and more on raising security awareness among staff, and planning an incident response.

Response teams need to be drawn from across the business, including IT but also legal, human resources and even public relations. And staff should be given the chance to put their responses to the test, through regular exercises.

And the first step is to ensure that staff can identify a security breach or threat as early as possible: an organisation's defence will depend on how quickly a threat is picked up and isolated, giving the experts time to respond.

"You have to communicate the message, so that people know what to look for," said Tracy Andrew, information security and compliance officer at Field Fisher Waterhouse, a law firm. "We can give people tools and technology, but that message has to be as pervasive as possible."

"Each individual has to be an extension of my security team, so we can identify and intercept a threat as soon as it happens, or even before it happens," agreed Vicki Gavin, head of business continuity and information security at The Economist Group. That, she said, allows the IT security team to step in as quickly as possible. The company runs regular exercises, so that staff can put their emergency responses to the test.

Head of cybersecurity and response at the Inland Revenue, Edward Tucker, pointed out that automated tools provide a vital starting point for security, but this has to be coupled with a good understanding of the internal IT and data environments, and of the type of exceptions that might show that an attack is taking place.

"Technology will get you so far, but you have to fuse intelligence with knowing what normal looks like," he said. This allows security teams to spot anomalies.

But an effective response relies on a well-drilled plan, as well as early detection. "You need to think about these things in advance and have a plan in place," said Gavin. "Ask what your organisation is actually at risk from, and how are you going to trade if that happens? The assumption must be that it will happen."

The organisation's response cannot, though, rely just on IT. "It is not just an IT problem," said Tucker. "Stakeholders for incident management will be across the organisation. You need to know which business areas. You need experts from across the business, and you need to be able to pick up the phone and ask for help."

The point was echoed by Brian Honan, CEO of BH Consulting. "You have to understand your business and how it operates, and when you might be at your most vulnerable," he said.

