Our site uses cookies to make it work and to help us give you the best possible user experience. By using our site, you agree to our use of cookies. To find out more about cookies and how you can disable them, please read our cookies statement. 

Cookie Settings

You can manage your cookie settings by turning cookies on and off.

Click on the different cookie  headings to find out more about the types of cookies we use on this site and to change your settings. Please be aware that if you choose to turn off  cookies, certain areas of our site may not work and your browsing experience may be impacted.

For further information on how we use cookies, please see our cookies statement. 

Strictly Necessary Cookies


These cookies are essential for the technical operation of and proper functioning of our site  and enable you to register and login, to easily move around our site, and to access secure areas. Without these cookies our site won't function properly.  

These cookies are required

Performance Cookies

Performance cookies allow us to collect aggregated and anonymous data on how our site is used, such as the number of visitors to our site, how you navigate around and the time spent on our site and also to identify any errors in functionality. These cookies also help us to improve the way our site works by ensuring that you can find what you’re looking for easily, to better understand what you are interested in and to measure the effectiveness of the content of our site. 

Marketing Cookies

These cookies allow us to advertise our products to you and allow us to pass this information on to our trusted third parties so that they can advertise our products to you on our behalf. All information these cookies collect is aggregated and therefore anonymous. No personal information is shared to third parties. Any personal information collected while using our website could be used for direct marketing from Dimension Data only.

Taking incident response capability up a notch

Mark Thomas

Group CTO Cybersecurity, Dimension Data

Follow on LinkedIn

Explore the latest cybersecurity developments

Discover how the latest security threats are impacting on specific regions and vertical markets.

Get the insights here

There’s an interesting statistic hiding inside our Executive Guide to the NTT Security 2018 Global Threat Intelligence Report (GTIR): despite a notable jump in ransomware attacks between 2016 and 2017, the number of ransomware-related incident response engagements dropped from 22% in 2016 to 5% in 2017.

Fewer companies are reaching for outside help when they’re attacked by ransomware, despite a 350% jump in ransomware detections.Tweet this

Fewer companies are reaching for outside help when they’re attacked by ransomware, despite a 350% jump in ransomware detections.

In some cases, companies are paying the ransoms, an action we don’t advise as it encourages more attacks and doesn’t guarantee that the data will be recovered. But the real momentum behind this dramatic decline results from stronger vendor response, better detection, more effective policies and procedures, improved awareness, and maturing incident response plans.

It's when, not if

It’s a significant that companies are now improving how they handle security attacks. The message that a breach is a matter of when, not if, is finally being heard. Some businesses are no longer simply worrying about attacks; instead, they’re putting plans in place for when an attack occurs.

Yet, that message hasn’t resonated broadly enough. Many businesses are unprepared for ransomware attacks. Retail companies are targeted more often without much recourse from their side. Also, the above statistics look only at ransomware and not the other methods of attacks, like spyware and viruses.

Be prepared

There has been no notable change in cybersecurity preparedness. In the NTT Security Risk: Value Report, only 48% of respondents indicated they have an incident response plan in place today, with another 31% currently working on such plans.

On the other hand, 8% indicated that they don’t know if they have a plan and 2% had no intention to establish such a plan. In general, incident response plans must continue maturing to be as effective as possible.

How mature businesses handle security

Good incident response requires investment and continued focus. The right systems must be put in place, as well as changes to the business culture that fuels those systems. Companies that have implemented effective incident responses are typically mature enough to regard security as a business enabler. This may seem strange, until you realise that poor security will inhibit the flow of data.

Those same companies tend to put security not as a function of IT, but of risk management. It recognises that if a company wants to innovate rapidly, but doesn’t consider the impact of risk, it will jeopardise any gains made.

CISO establishes leadership authority

One sign of this is the creation of security leadership roles in the company, such as the Chief Information Security Officer (CISO). This recognises that security isn’t an IT function, but a separate function with its own responsibilities. Sometimes it comes about through compliance requirements, an apt reminder that legislation can be used as a blueprint to bring changes to security culture. Of course, that can’t be treated as mere due diligence to the law. It foremost has to be embraced by the company as a competitive necessity.

CISOs and security teams can be established internally, though companies lacking the budget for it shouldn’t feel left out. Many are investing in an outsourced capability - CISO-as-a-Service - that advises and collaborates with the company and its security strategy. This is often at the fraction of the cost of a permanent CISO.

Five steps to creating a good incident response

Once a company grasps the total reach of security across its various units and people, it can make the needed investments and appointments to build solid incident responses. The process of developing good incident response plans can be distilled into five steps:

  1. Understand what the crown jewels are, where they’re located, who is responsible for it, and who is responsible for securing them.
  2. Understand how the organisation would limit the scope and impact of a breach using available security resources and reduce recovery time and costs.
  3. Understand the purpose and roles of individuals in the security response team.
  4. Establish the communications plan and reporting requirements in the event of a breach.
  5. Continuously test and adjust the incident response plan to ensure it remains resilient and effective.

The first point is often where problems can occur, as many companies still struggle with data classification and ownership problems. Ideally this conversation should start at the procurement stage of a new asset: what will the device be used for, what type of data will flow through it, what is the classification of that data, and who stands to benefit from it. Then scenarios of how the device or data could be breached should be listed and weighed by means of a threat assessment.

This sequence is important, because without a data owner not much will be accomplished. The data owner has to make the decisions on behalf of the organisation. Whoever is procuring the device needs to ensure it’s protected at the data classification level. These are rarely the same person or unit, so collaboration is essential. In the event of a breach, these same conversations will have established ways to limit the scope and impact.

Understanding the different roles also limits confusion and delays once a cybersecurity incident occurs. The people involved in an incident response may vary depending on the incident itself. Those with data ownership will often represent the business’ interests and as such might not be as constant as core security personnel. But at the same time the responsibilities cannot be that of the security people alone - that would violate the maturity levels discussed earlier.

Yet, when the chips are down, there will be no time to debate who should do what, so those mandates and channels must be clear both for swift responses and to aid the forensic investigation that will follow.

Tying to this is communication: it may not be possible or responsible to use the same network that was breached for correspondence related to the incident. In fact, adversaries have often been found intercepting and altering such communications. At the least such communications will give them visibility of the incident response actions.

Yet, when the chips are down, there will be no time to debate who should do what, so those mandates and channels must be clear both for swift responses and to aid the forensic investigation that will follow.Tweet this

Instilling vigilance as a culture

Finally, the incident responses must be continually tested and revised. Another aspect of good security is curated security intelligence. The days of companies only worrying about what happens inside their parameters are gone. Not only is that parameter dissolving, but much can be gleaned in the outside world about security behaviour.

In several cases breaches were only detected because the stolen data or exposed credentials appeared in the wild. Companies with access to intelligence services also learn about new attack methods and can proactively adjust their security systems and response plans to match the emerging tactics of adversaries. It’s incredibly fruitful and cost-effective to partner with third-party security intelligence providers that specialise in collecting cyber-crime information.

Continually revisiting and revising incident response plans reinforces such a vigilant culture. This makes it harder to be breached and establishes resilience in the face of adversity.

Incident response can be compared to a fire extinguisher; in the event of a fire, it’s always good to put it out as fast as possible without waiting for the fire brigade. Tweet this

Incident response can be compared to a fire extinguisher; in the event of a fire, it’s always good to put it out as fast as possible without waiting for the fire brigade . But then you need to know where the extinguisher is, how to use it, and if it’s in working condition. You could place extinguishers everywhere, but that won’t be cost effective - plus everyone might keep tripping over them. Yet if you apply your mind to where fires are likely, and who is best positioned to respond, you can strike a neat balance between prevention and functionality.

Threat intelligence alerts!

Gain insight into the latest threats that could impact your organisation. We have insight from 40% of the world's internet traffic

Subscribe here

Related content

How we can help you

Managed security services

We offer consistent services to manage and optimise your security infrastructure.

Read more

Ransomware protection

Predictive cybersecurity protection to help you prevent, detect, and contain ransomware before it’s too late.

Read more

Security advisory services

We formulate processes and policies to help ensure that your business is fully compliant.

Read more

Careers at Dimension Data

Be part of our global team of cybersecurity experts.