Efficiently dealing with an incident or crisis rests heavily on three main factors: preparation, process and the tools you have to hand. The latter can greatly influence your incident management process, and a cyber incident management platform should make the implementation of your incident response quick and easy rather than hinder it.
Your incident management platform should be the ‘go to’ for all staff involved to easily initiate the response process, allocate actions and track activity, providing visibility and ensuring all vital data is easily accessible in one place.
Cyber security incidents happen on a daily basis, and preparation is vital for phishing attacks, insider threats, denial of service disruptions, malware and ransomware, to name but a few. Your IT team or Security Operations Centre (SOC) should have a pre-prepared plan and process to deal with these types of cyber-attacks.
But how easy is it for teams or staff to follow the processes? How easy is it for the relevant incident responders to access files and evidence? How securely is it saved?
These incident response strategies are often IT oriented, but an incident can require input and action from beyond the IT department should an event escalate into a crisis affecting the organisation as a whole.
So what’s the difference between an incident and a crisis?
A cyber security incident can generally be handled within the IT department or SOC. A crisis on the other hand would be when several or all departments within a company become involved and the organisation itself is deemed compromised.
An incident platform is for life not just for cyber!
There are many scenarios and areas of business where an incident platform can be used; from an internal fraud case in the finance department, to a report of inappropriate behaviour by a staff member in the HR department, to physical building security monitoring by the company’s onsite security department.
An effective incident platform should be flexible enough to use throughout all different departments within an organisation and adaptable to incorporate their individual processes as necessary, without compromising security and confidentiality within each department.
No matter how prepared a business is, incidents will ultimately happen. Incident response preparation therefore exists to reduce the severity of incidents and minimise their impact, rather than to prevent them. This can only be done with a robust plan in place.
So before considering a tool to help manage incidents, consider your incident / crisis management plan! Do you have one? Map out a clear incident response plan for your department and essentially for your business.
It is critical to have a well-defined plan that includes your incident processes. You need to figure out what your needs are: what are the biggest threats to your organisation, where do they come from, and what is your plan of action in response to each? Listing your most common use cases to identify your needs, and clarifying areas where you already have appropriate tooling to support you, will help determine which incident management solutions will be the most useful to ‘fill in the gaps’ and where they can help your processes run more smoothly. At this stage it is also vital to understand how tools need to be connected to each other and how easily a platform can integrate with what you already have.
Also consider who might need to be involved if an incident does turn into a crisis! Have you considered how other departments might need to be involved and integrated should the situation escalate? Asset freezing by the finance department and PR communications by the marketing department are just two examples of where other departments may need to get involved.
A strategically planned crisis management process will allow a business to quickly respond together in unison rather than in erratic silos.
Theory test before practical
Preparation before test-driving any platform must include planning and testing your crisis response, as this is where you will be able to identify the key features that will improve your response time and mitigation process.
It will also identify those key stakeholders who will need to be involved and who will need to be bought-in to both your process and ultimately the incident management tool that you use.
Having an incident response plan
Having an incident response and crisis management plan that is followed by your IT / SOC team and wider colleagues will ultimately deliver a unified, effective technical and business response to a cyber incident or business crisis.
So, how do you choose the right incident management tools for your organisation?
There is no single, one-size-fits-all tool for incident management, but once you understand your incident response requirements you should be able to identify what you need from a platform to fill any gaps, integrate existing tools and be customised to suit.
Breaking this down into two areas: first, consider the business culture and resources you already have, as mentioned in the previous sections:
- Do you have the culture, resource and processes you need to support an incident management solution?
- Have you determined your pain-points, your biggest threats and where they come from?
- Who needs to be involved, both using the platform and in the buying consideration?
Second come the features and benefits that you require and have determined aren’t already covered by existing tools and processes.
Consider features such as:
- Speed – how quickly can you set-up an incident file? How easy is it to log data?
- Layout – how easy is the layout to use? Is it straightforward for anyone to pick up?
- Storage – What is the storage like? How quickly do files load?
- Single file – can all data, evidence, communications, reports be uploaded and brought together in one manageable place? Does the platform easily correlate data from other tools you are using?
- Communication – What kind of communications channels are there? Chat, email, task setting and notifications?
- Playbooks – can pre-planned workflows for various scenarios be uploaded in preparation for an incident? Does it have dependencies and time-deadlines functionality?
- Reporting – how easy is it to send out updates on tasks or incident status? Do you have full visibility of actions given and taken? Can you easily review the process methods and how they were followed?
- Documentation method – should you need an audit trail or evidence for compliance policies, what documentation features are there? Date/time stamped? Severity level gauge? Process adherence evidence?
- Security – what are the security controls in place? Do you require a ‘Need to know’ function for sensitive cases? How is the data stored and transmitted? Can you group multiple incidents into various cases on the one platform?
- API Integration – can the tool you’re looking at effectively connect with your existing tools and incident response workflow?
- Development – can the incident management platform grow and adapt as your security and business needs change? Can new users easily be added?
- Trial period – is there an opportunity to try before you buy? Your IT / security operations staff will need to rely on the platform every day, so can they practice with it first?
- Onboarding experience – How long will it take to get fully onboarded? What support is available?
An incident management platform should enable and support continuous operation, and not be a roadblock. To achieve this, look for a tool that is compatible with and complementary to what you already have in place, and ensure there is an opportunity for the platform to develop as your needs do.
Practice, Practice, Practice
‘50% of the CEOs believe that their company is not in a position to handle or respond to a hacking incident or data breach.’ – Trendscape Report 2020, FireEye.
The FireEye security report also stated that nearly 29% of organizations hadn’t tested their cyber defences for a year and that, of those, more than half weren’t confident that their plans would work as expected.
A ‘last but not least’ consideration for your incident response platform is how easily you can use it to train staff.
You must keep your ‘firefighting team’ regularly trained and ready to respond at any moment. Think of any emergency response service; team members know exactly what to do and how to perform the tasks allocated to them. They practice and train for all conceivable eventualities.
To make sure your team and colleagues are aligned and aware of company plans during a cyber-attack, consider a platform where you can simulate situations and scenarios to embed processes, tasks and responsibilities through regular training.
It’s when not if!
Quick and effective incident response to a cyber-attack could make or break your company. Cyber attackers are always one step ahead of the game, and therefore an effective incident response strategy is just as important as the cyber-security measures you have in place to try to prevent a breach. Ultimately, the efficiency of your incident response and the tools that support it can determine how quickly, and whether, your company can fully recover.
Demonstrably effective crisis handling and communication during such an event can even improve stakeholder trust, restore brand reputation more quickly and increase brand value in the long term.
When it comes to implementing incident response, it can often be daunting to choose the ‘right’ platform for your business. But starting with your incident response plan and business crisis strategy, and taking note of the gaps and of what the tools you already have in place can cover, is a solid way to begin.
From there, you can start well-informed conversations, knowing exactly what you need from a platform that will support and enable you to easily meet your incident response and business goals. And remember, the more flexible the platform is to deal with non-cyber incidents, the more economical the tool will be, with better buy-in from stakeholders and other departments!