Findings from the NTT Security 2018 Global Threat Intelligence Report
Keep track of the evolving security landscape with this comprehensive report.
There’s an interesting statistic hiding inside our Executive Guide to the NTT Security 2018 Global Threat Intelligence Report (GTIR): despite a notable jump in ransomware attacks between 2016 and 2017, the number of ransomware-related incident response engagements dropped from 22% in 2016 to 5% in 2017.
Fewer companies are reaching for outside help when they’re attacked by ransomware, despite a 350% jump in ransomware detections.
In some cases, companies are paying the ransoms, an action we don’t advise as it encourages more attacks and doesn’t guarantee that the data will be recovered. But the real momentum behind this dramatic decline results from stronger vendor response, better detection, more effective policies and procedures, improved awareness, and maturing incident response plans.
It’s significant that companies are now improving how they handle security attacks. The message that a breach is a matter of when, not if, is finally being heard. Some businesses are no longer simply worrying about attacks; instead, they’re putting plans in place for when an attack occurs.
Yet, that message hasn’t resonated broadly enough. Many businesses are unprepared for ransomware attacks. Retail companies are targeted more often without much recourse from their side. Also, the above statistics look only at ransomware and not other methods of attack, like spyware and viruses.
There has been no notable change in cybersecurity preparedness. In the NTT Security Risk: Value Report, only 48% of respondents indicated they have an incident response plan in place today, with another 31% currently working on such plans.
On the other hand, 8% indicated that they don’t know if they have a plan and 2% had no intention to establish such a plan. In general, incident response plans must continue maturing to be as effective as possible.
Good incident response requires investment and continued focus. The right systems must be put in place, as well as changes to the business culture that fuels those systems. Companies that have implemented effective incident responses are typically mature enough to regard security as a business enabler. This may seem strange, until you realise that poor security will inhibit the flow of data.
Those same companies tend to treat security not as a function of IT, but of risk management. This recognises that if a company wants to innovate rapidly but doesn’t consider the impact of risk, it will jeopardise any gains made.
One sign of this is the creation of security leadership roles in the company, such as the Chief Information Security Officer (CISO). This recognises that security isn’t an IT function, but a separate function with its own responsibilities. Sometimes it comes about through compliance requirements, an apt reminder that legislation can be used as a blueprint to bring changes to security culture. Of course, that can’t be treated as mere due diligence to the law. First and foremost, it has to be embraced by the company as a competitive necessity.
CISOs and security teams can be established internally, though companies lacking the budget for it shouldn’t feel left out. Many are investing in an outsourced capability - CISO-as-a-Service - that advises and collaborates with the company and its security strategy. This is often at a fraction of the cost of a permanent CISO.
Once a company grasps the total reach of security across its various units and people, it can make the needed investments and appointments to build solid incident responses. The process of developing good incident response plans can be distilled into five steps:
The first point is often where problems can occur, as many companies still struggle with data classification and ownership problems. Ideally this conversation should start at the procurement stage of a new asset: what will the device be used for, what type of data will flow through it, what is the classification of that data, and who stands to benefit from it. Then scenarios of how the device or data could be breached should be listed and weighed by means of a threat assessment.
This sequence is important, because without a data owner not much will be accomplished. The data owner has to make the decisions on behalf of the organisation. Whoever is procuring the device needs to ensure it’s protected at the data classification level. These are rarely the same person or unit, so collaboration is essential. In the event of a breach, these same conversations will have established ways to limit the scope and impact.
Understanding the different roles also limits confusion and delays once a cybersecurity incident occurs. The people involved in an incident response may vary depending on the incident itself. Those with data ownership will often represent the business’ interests and as such might not be as constant as core security personnel. But at the same time the responsibilities cannot be that of the security people alone - that would violate the maturity levels discussed earlier.
Yet, when the chips are down, there will be no time to debate who should do what, so those mandates and channels must be clear both for swift responses and to aid the forensic investigation that will follow.
Tied to this is communication: it may not be possible or responsible to use the same network that was breached for correspondence related to the incident. In fact, adversaries have often been found intercepting and altering such communications. At the least, such communications will give them visibility of the incident response actions.
Finally, the incident responses must be continually tested and revised. Another aspect of good security is curated security intelligence. The days of companies only worrying about what happens inside their perimeters are gone. Not only is that perimeter dissolving, but much can be gleaned in the outside world about security behaviour.
In several cases breaches were only detected because the stolen data or exposed credentials appeared in the wild. Companies with access to intelligence services also learn about new attack methods and can proactively adjust their security systems and response plans to match the emerging tactics of adversaries. It’s incredibly fruitful and cost-effective to partner with third-party security intelligence providers that specialise in collecting cyber-crime information.
Continually revisiting and revising incident response plans reinforces such a vigilant culture. This makes it harder to be breached and establishes resilience in the face of adversity.
Incident response can be compared to a fire extinguisher; in the event of a fire, it’s always good to put it out as fast as possible without waiting for the fire brigade. But then you need to know where the extinguisher is, how to use it, and if it’s in working condition. You could place extinguishers everywhere, but that won’t be cost effective - plus everyone might keep tripping over them. Yet if you apply your mind to where fires are likely, and who is best positioned to respond, you can strike a neat balance between prevention and functionality.