When Bad Things Happen to Good Companies

If you don't have a clear cyberincident response plan in place, you risk losing millions of dollars

It Ain't Over Till It's Over

Finally, after every incident, CIOs or their security execs need to lead their incident response teams in a post-mortem review process that examines how well the incident team dealt with the attack. Did team members follow the response diagram? Did staff members handle the incident calmly? Did everyone on the contact list respond promptly? Should the contact information be updated or changed in any way? And, finally, do you need to add anyone to the team or adjust the procedures?

"If you don't learn from what you've just experienced, you open yourself up to more attacks," says Raymond James Financial's Fredriksen. The review is your chance to improve the plan and the team so that you can work out any kinks before the next incident strikes. Fredriksen recommends doing a risk analysis after every incident to make sure as many vulnerabilities as possible are secured.

After the review, you will find it useful to complete an incident report for your records. Among other details, the report should include all the information you've gathered about the incident, both during the response process and in the post-mortem. That way, if you decide to pursue an investigation, you'll have all the evidence on hand.

Remember that the steps to a clear, planned response are not complicated. Once you are sure that an incident has actually happened, determine whether it's a major or minor event.

Decide whether your priority is to pursue an investigation and allow the incident to play out, or to shut down the problem as quickly as possible.

And finally, work to defend against further attacks. Take a look at the way in which the attack happened and determine if an application needs to be patched or a port reconfigured. Take whatever action is necessary to prevent the attack from happening again. And be sure to let everyone on the response team know that the problem is fixed.

IT threats may be coming faster and faster. But by having a clearly defined response process, you can prevent attacks from devastating your systems. "Plans are not a panacea," Reuters' Macartney says. "But if you use them strategically, you can limit your exposure to risk."

What Does a Security Incident Cost Your Company?

Determining the cost of a breach can be difficult - it often depends on the type of event that occurred and what damage, if any, the prolonged exposure added. We've found that few hardy souls are willing to buck up and disclose how much a security breach cost them. Part of the reason for their reticence is that they can't tell you how much it cost - either their incident response plans are nonexistent, or they lack the means to track how much the incident cost in terms of lost productivity, systems downtime, staff overtime and estimated damage to the company's reputation (see "It's Not Easy Being Breached", February CIO). Then, when incidents do occur, no one has the wherewithal to sit down and take notes to determine how many hours it took to stave off a hack, how many pizzas were ordered for people working until 4am, and how many hours of downtime the systems suffered.

Creating a method of tracking the events and effects of a cyberattack at the time it occurs is both simple and smart. By making incident documentation a part of your response plan, you avoid trying to recount the incident and estimate its cost after the fact.

Here are the basic questions to ask when evaluating an incident:

  • What happened?
  • How did it happen?
  • When were you aware of the incident?
  • What is the damage?
  • What systems have been affected?
  • Are they working normally now?
  • Which employees are affected?
  • Who else is aware of the problem?
  • What is the suspected attack method?
  • What information is compromised?
  • Is it sensitive?

Those questions and their answers should be recorded as part of an incident reporting form, a scorecard of sorts to keep track of events and help you document any damage or costs to your company.
