#HowTo: Be Proactive in Your Incident Response Planning

The term ‘proactive incident response (IR)’ might seem like a contradiction in terms. How can you be proactive around something that has not happened yet, and hopefully never will? Yet you can prepare for potential incidents ahead of time, and that preparation can save you both time and money when it comes to a real-world incident. The challenge is how to turn this kind of investment into something that provides your organization with value rather than being perceived as a straight ‘insurance’ cost that does not get the appropriate level of support.

One positive is that businesses today recognize that they have to invest in security. The market overall keeps growing – IDC has found that spending on IT security products and services will go up by 10.3% in 2023, reaching $71bn annually by 2026. Companies are keener to have cybersecurity expertise on their boards to help them manage risk, and more Chief Risk Officers will report directly to the CEO, according to Forrester.

However, these increases in focus and spending still have to be directed correctly. When attackers obtain initial access, they can move to data exfiltration and deploy ransomware in hours. This makes detection essential but puts even more pressure on businesses to ensure the response phase is carried out effectively and efficiently.

Key steps include:

  • Bridge the gap between risk reduction and IR planning. To be truly proactive in IR planning, it’s important to recognize the gap that exists between risk reduction in theory and practical planning for IR. You need to build in cyber resilience up front and proactively tackle this gap between disciplines because it will drastically improve your outcomes if and when you suffer a breach.
  • Work with your IR provider. Work with your IR provider before a breach occurs to optimize time to value in IR. This includes assessing your actual state of readiness, identifying potential barriers and completing administrative work ahead of time. Seeking guidance from your IR provider on log configuration and pre-breach forensic tool deployment can also help save valuable time when an event occurs.
  • Recognize the difference between tabletop exercises and reality. Carrying out preparatory exercises around potential incidents can help you spot gaps in your IR planning, but it’s not enough to do this once. Going through a real-world event is stressful, and people don’t respond well to too much stress. Repeat your exercises to get people used to following your processes, and mix up your scenarios to make it easier to see issues. This familiarity can help reduce the impact of stress if the worst takes place.
  • Anticipate problems and iterate your plan. Having multiple copies of your IR plan in different formats can help ensure your team is well-prepared and experienced in dealing with a security incident. Additionally, iterating on your plan regularly can keep it up to date and ready for use. This ensures that your team is aware of all their responsibilities and can keep the rest of the business up to speed on theirs.
  • Be ready for the unknown. Not all risks can be avoided, and it’s important to be ready for the unknown. Encouraging your team to have a ‘ready for anything’ mentality and continuously improving your detection and response capabilities can help prepare you for new threats and attacks.
  • Keep learning from your process. Conducting post-mortem analyses can help identify lessons learned and make appropriate changes to your people, process and technology. This keeps your IR processes ready for use and ensures you do not rely on outdated plans.

By taking a proactive approach to IR planning, businesses can identify potential gaps in their IR process, familiarize the rest of the organization with what to do during a breach, and make their security investment more likely to pay off.
