How do we deal with Security Incidents?
A security incident can be a rough experience for any organisation, especially one that is not prepared.
What is a Security Incident? Broadly, it is an event that should not have occurred and that may have caused business interruption, data loss or compromise. Sometimes an organisation knows it has suffered an incident; sometimes it is oblivious and remains in the dark for years.
The seriousness of an incident can only really be determined through detailed analysis and assessing the risks relating to the findings, i.e. what has been exposed, exfiltrated, accessed, modified or deleted. This is what we refer to as Incident Response.
What's involved? To begin with, it is incumbent on the Incident Responder to identify, collect and preserve all relevant data sources. If relevant data sources are not identified and collected early in the Incident Response engagement, gaps in the incident analysis will occur. Note too that some relevant data sources may naturally get overwritten, so it pays to have experts available to assist from the earliest opportunity.
There is a perception that Incident Response is expensive, and to some extent that is true. The age-old saying “prevention is better than cure” is somewhat accurate here. It takes time to undertake Digital Forensic and Incident Response (DFIR) activities to piece together what happened, to provide a level of assurance that the incident has been managed and risks mitigated, and to report on the entire process. Furthermore, there are the less visible costs to take into account: stress, business disruption, intellectual property theft and, the kicker, reputational damage. In some situations, the financial, regulatory and legal burdens that may arise due to a Security Incident may be covered under Cyber Insurance (with limits and excesses to consider).
The other aspect to consider is that DFIR experts are in short supply. A report¹ by (ISC)² suggests there is a global shortage of Security Professionals (~4 million), with around 2.3 million within the APAC region. Our rates are fair and reasonable; we do not capitalise on this shortage, nor do we compromise on our quality.
The key takeaway here is: don’t leave it until it’s too late. When you consider the cost involved in going through an incident response process, the potential broader costs incurred by the attack itself, the reputational damage and the business disruption, we believe prevention definitely is better than cure. Give us a call today to discuss an independent review of your current security posture.
Written by Ian Donovan, Technical Director Digital Forensics and Incident Response