As a sector, we often get swept up by the latest defense tactics and technology and overlook the importance of the basics. Take incident response planning, widely regarded as a must-have by security professionals but which many UK businesses consider unimportant.
According to the Cyber security skills in the UK labour market 2023 report, a quarter of businesses don’t regard incident response skills as essential. Almost half said they weren’t confident they could put together an incident response plan (IRP), which led to 41% saying they were not very or not at all confident that they would be able to deal with a cybersecurity breach or attack.
Those figures correspond with the latest UK government Cybersecurity Longitudinal Survey, which revealed that many organizations do not have a formal IRP. Those that did reported that the level of detail in that plan varied greatly, from simply naming a person to report to, to repurposing existing IT and risk IRPs. Similarly, the UK’s Cyber Security Breaches Survey 2023 found that only 21% of businesses have a formal IRP, up by just two percentage points from 2022.
Understanding the Value
So why aren’t businesses implementing IRPs? An IRP is clearly outlined as a key building block in the NCSC’s Ten Steps to Cybersecurity, is a prerequisite for many cyber insurance policies and has arguably shown its worth in regulated industries such as communications and finance. Yet many don’t see the value.
Firstly, there’s a general perception that in the event of a breach, you just deal with it. Smaller businesses worryingly seemed to regard it as the responsibility of their IT or cloud service provider. However, not having an IRP in place can be a significant factor in how much impact an attack has. The longer an attack goes on, the more damage it can do and the more costly it is to resolve, so driving down mean time to respond (MTTR) by expediting the process is key.
There’s also clear evidence that far from being a loss leader, an IRP saves both time and money. A recent Ponemon report revealed that the cost of resolving a data breach was 58% higher for those without an IRP and that an IRP can generate higher cost savings over time. This is because a post-incident review can quantify the real cost of the attack and use the experience to improve practices going forward.
Learning the Hard Way
Yet many don’t implement an IRP until they’ve had to cope without one. The Longitudinal Survey found that 60% of businesses were more likely to put an IRP in place following a breach, revealing that it still tends to be a measure brought in after the horse has bolted. It’s still very much a reactive measure.
Moreover, those with a formal IRP often didn’t realize the importance of keeping it up to date. The Longitudinal Survey found only 43% subjected their IRP to testing last year. Reviewing and testing the IRP is vital to ensure the right people are contacted in response to the attack type and the correct protocols followed for external reporting. It’s here where it can really pay to carry out simulated attack exercises that put the IRP through its paces in a safe context.
Another benefit to holding these reviews is that they can help resolve communication issues between IT, other departments and senior management. Such disconnects, which can significantly delay recovery, hamper medium to larger-sized businesses. However, the Breaches Survey found practising the IRP could help iron these issues out.
Prioritize the Process
Today, while IRPs are all but mandated under cybersecurity frameworks such as ISO 27001 or PCI DSS, they’re not included in baseline standards such as Cyber Essentials (CE), which tend to promote technical controls. Perhaps this needs to change when CE is revised to become more flexible. In the meantime, the NCSC has some great advice on how to get started, from its small business guide and guidance on developing an IRP to forming a computer security incident response team (CSIRT).
The reality is that every business, no matter how small, should have an IRP that provides them with the guidance needed to respond methodically to an incident and help mitigate its impact. Tailored to the business, this should be practised so that people understand their responsibilities and feature a post-event wash-up that sees lessons learned and improvements made. In this way, the business can mitigate any fallout and return to business as usual as quickly as possible.
Of the third of businesses that suffered a cyber-attack last year, 37% said it impacted operations and a quarter experienced negative consequences, such as loss of money or data, according to the Breaches Survey. If businesses don’t get the foundations right and put in the processes to counter such attacks, they will inevitably find recovering a greater challenge.