Taking action on cybersecurity: The incident response programme

Organisations across the globe are grappling with an unprecedented number of cyberthreats. It means that, for CISOs, risk management is a key strategic objective. Anna Mazzone, MD and GM of UK and Ireland, MetricStream, discusses why cybersecurity incident response programmes are so crucial in today’s business world.

Across all industries, companies of all sizes recognise the importance of cybersecurity. After all, data is at constant risk. Protecting it is imperative, not just because stringent regulations demand it, but because failure to do so can be incredibly damaging to organisations and their stakeholders.

Yet, there are still gaps in how enterprises approach cybersecurity and, in many cases, they are not as prepared as they should be. Establishing a Computer Security Incident Response Team (CSIRT) can help plug the gap, enabling organisations to respond quickly, should an incident require it.

According to Cyber Security Ventures, the annual cost implication of cybercrime is projected to reach US$6 trillion by 2021. It’s a staggering figure that demonstrates the collective impact of cyberincidents and that all organisations – large and small – are at risk. In fact, last year’s cost of cyberattacks across UK small businesses has been estimated at £13.6bn.

By and large, companies recognise the threat. The annual cyber governance health check of the UK’s leading 350 companies found that 72% of boards consider cyberthreats a very high or high risk. Yet, despite this, only around one in five had undertaken a crisis simulation on cyber-risk in the last 12 months.  

Cyberattacks can have long and far-reaching consequences. Initially, there is an immediate impact from dealing with the incident. This can include service disruption and a potentially high cost of fixing the issue.

However, financial impact can be long-term, resulting from reputational and brand damage, not to mention potentially hard-hitting fines should the organisation be adjudged to have fallen foul of its responsibilities and relevant regulations.   

The potential for cyber-related incidents to occur therefore, poses a serious threat to businesses. It follows that the absence of a sophisticated cyber-resilience programme can put organisations in jeopardy.

What’s more, the cyberthreat constantly evolves. It would be a mistake to think that any response plan can be created and then effectively held in cold storage. It should be a living plan: constantly revised, updated, checked and tested. It is an investment in the business’ ability to prevent, mitigate and respond to cyber incidents and could help minimise financial damage and help protect the organisation and its reputation.

The Computer Security Incident Response Team (CSIRT)

The CSIRT is a centre of information security, incident management and response within an organisation. It is designed to quickly respond to incidents such as cyberattacks.

While it has a very practical application, the existence of such a team also helps foster a culture of security within the business, which is incredibly important if all employees are to develop and maintain risk mitigation and compliance behaviours.

However, before launching a CSIRT programme, it’s important to consider all operational and technical issues. These include equipment, security and resourcing.

Start by conducting a gap analysis of your current cyber programme: include your capabilities to respond to incidents and the mitigations that are currently in place to deal with cybersecurity incidents.

With this in hand, you can seek management support and buy-in to the programme, which will be essential for it to be successful.

Once you have this, you can begin determining the CSIRT strategic plan and go on to:

1. Gather relevant information
2. Design the CSIRT vision
3. Research best practices
4. Determine the standards and regulations you need to follow and adhere to
5. Outline the team and its structure
6. Prepare templates
7. Establish and communicate the CSIRT vision
8. Develop and document the programme, plan and playbooks
9. Train the team
10. Begin implementation
11. Announce the CSIRT
12. Evaluate its effectiveness

Building the right team

The CSIRT team should include:

• Business managers – they are the front line of the business’ processes and therefore need to buy-in to what the CSIRT is there to do and the authority it will need to have to make decisions should critical business systems have to be disconnected from the network or shut down
• IT – IT must be represented as they are custodians of the IT infrastructure and network within the organisation. Clear guidelines must be set on how IT and the CSIRT interact as well as ‘who does what’ should a response be triggered by an incident. The role of the CSIRT in making recommendations on security should be clear, as should the team’s access to network and systems logs for analysis purposes
• Legal – clearly, a legal representative is needed to address legal issues. Legal’s involvement in incident response efforts should be determined and stated. On a day-to-day basis, legal staff may need to review non-disclosure agreements, develop appropriate wording for contacting other sites and organisations, and determine site liability for computer security incidents
• HR – HR representative/s will develop job descriptions for CSIRT staff and be involved in the policies and procedures around employees’ access to and use of company IT and any associated systems and applications (including any belonging to third parties)
• PR – PR resources are needed when it comes to external communications, handling media enquiries in the event of an incident and providing guidelines for information disclosure policies and practices
• Security – existing security groups including physical security; responsibility may be shared between the CSIRT and security teams when it comes to resolving issues such as computer/data theft
• Audit and risk management specialists – these will be integral members of the team as threat metrics and vulnerability assessments will play a central role in planning the defence strategy.

It will be the role of the CSIRT to mitigate cybersecurity risks and tackle different types of breach scenarios. Therefore, the team must be well equipped to gather and analyse all relevant data and must have management support for the level of security required to protect sensitive information and critical assets from threats. This support includes ensuring budget is there to implement a comprehensive programme.

The team will become expert at both looking within the organisation – understanding its network traffic, its security controls, capabilities, resources and where threats can occur – and at looking outward to the environment the organisation operates in.

It will need to collect and develop information and evidence about attack vectors and threat agents, to deploy risk early warning indicators (REWI) to define security analytics and help align security metrics and analytics.

It should also work with the wider cyber community for the purpose of better protecting the organisation and contributing to the wider preparedness of the business community to cyberthreats.

It is clear that cybersecurity will continue to form a growing part of risk management and mitigation within enterprises.

Within this environment, CSIRT programmes should form a central part of cybersecurity measures, helping companies equip themselves to safeguard data and information, in order to protect stakeholders and assets and maintain the ability of organisations to perform.