This year, companies will spend more than $8 trillion on loss control costs, and poor risk management will still result in significant financial losses. Unfortunately, given the challenges facing the current online ecosystem, the traditional approaches to policy development and awareness-building that sit at the heart of collaboration fall apart if the teams involved do not actually work together.
In this article, we'll take a look at the top considerations for enabling collaboration in a cybersecurity incident, the nuances of good collaboration, and the benefits to your organization.
While the need for collaboration in cybersecurity incidents is clear, the means and methods used to achieve it often require a clearer, standardized approach, underpinned by a comprehensive strategy based on a few key decisions. These decisions must take into account three characteristics that make each cybersecurity incident investigation complex.
1. Second- or third-order impact of a cybersecurity incident
The impact of a cybersecurity incident extends beyond the initial breach. Think of the myriad data records exposed, the loss of productivity for days or weeks, or the loss of business and reputation that impacts revenue and ***. These are the second- and third-order effects of a cybersecurity attack on a large organization, sometimes more catastrophic than the initial incident itself.
Processes designed to respond to an incident should be equally focused on the second-order impact and beyond, not just on plugging the hole. In addition to the core process workflows and protocols that are in place for robust incident management, this work should be done during the planning phase.
2. Dynamic attack surface
Incidents caused by network misconfigurations or malware intrusions occur from time to time, and social engineering techniques further increase their likelihood. As a result, an organization may be attacked from outside or from within, and any function or business unit may be affected. Therefore, the key stakeholders involved in incident management should represent a cross-functional hierarchy within the organizational structure, rather than siloed teams with only cybersecurity investigation skills.
3. Risks of adopting technology
As part of a user's day-to-day workflow, a security incident is always the result of interaction between the system and the user. In some cases, such as email, the scope of the threat covers the entire organization because everyone has an email address. Organizations must be cautious when choosing cybersecurity tools and technologies to ensure that they do not open another front for threats. It is best to focus on leveraging technology to automate processes that speed up incident management chores and provide valuable insights to stay ahead of threats.
The key decisions of collaboration revolve around establishing efficient processes and protocols, selecting the right stakeholders, and choosing the right tools and techniques to thwart incidents and quickly defend against potential threats. When a cybersecurity incident is discovered, responders typically split into teams, starting with first responders and then domain-specific response teams that deal with the impact on organizational assets, customers, and other areas. Collaboration between these teams falls into four phases.
Phase 1: Control
At this point, the team's primary goal is to contain the damage caused by the incident. This requires an initial assessment by the first response team to determine the cause, severity, and extent of the incident. Based on the initial assessment report, the specialized response teams are notified and begin examining areas of the organization (such as IT, operations, legal, and compliance) to determine the extent of the attack, the systems and data affected, and the potential impact on the organization. These teams are also responsible for raising staff awareness of the incident and enlisting the help of volunteers in the subsequent phases.
Phase 2: Concealment
This phase is characterized by the sharing of specific information between response teams. It is the foundation of an incident response plan designed to identify the root cause and collect relevant data to understand how far the incident has spread. Following the incident response plan, teams must mobilize resources to reduce the attack surface by shutting down affected systems, isolating compromised assets, and implementing mitigation measures.
Phase 3: Interpretation
By now, enough steps may have been taken to prevent the incident from causing further damage. In this phase, a thorough investigation is carried out to decipher the entire chain of events and their first-, second-, and subsequent-order effects. The ultimate goal is to develop and execute an incident remediation plan, which may include restoring systems from backups, patching vulnerabilities, or implementing other security measures.
Phase 4: Conquest
After the incident is remediated, the work is not over. The response teams come together for a post-incident review and assess the response process to mitigate any further impact. The most important thing at this stage is to learn from mistakes and prevent similar incidents in the future. This includes conducting audits and updating existing processes and protocols based on the lessons learned from this particular incident.
While the importance of collaboration in handling cybersecurity incidents is undeniable, it takes some effort to incorporate this culture into the organization's DNA. Some best practices can help ensure that the collaboration continues and runs smoothly.
One strategy is to keep a log of events. It can be used as a blueprint for simulated incident collaboration in cybersecurity incident response exercises. Such exercises can also be organized using data obtained from threat intelligence platforms, to practice collaboration when identifying potential threats.
Finally, collaboration must be made a pan-organizational responsibility, through regular incident handling training that keeps employees up to date on organizational processes. This will allow them to respond quickly and effectively in times of crisis, minimizing the burden on incident response teams.