The cybersecurity incident response team: the new vital business team


We live and do business in a world fraught with cyber risk. Every day, companies and consumers are targeted by attacks of varying sophistication, and it has become increasingly apparent that everyone is considered fair game. Organisations of all sizes and in all industries are falling victim, and cyber risk is quickly becoming one of the most prevalent threats a business faces.

When disruptions do occur from cyberattacks or other data incidents, they have not only a direct financial impact but an ongoing effect on reputation. For example, Carphone Warehouse fell victim to a cyberattack in 2015 which compromised data belonging to more than three million customers and 1,000 employees. The retailer suffered financial losses from remediation costs, including a £400,000 fine from the Information Commissioner's Office (ICO) in 2018, but the incident also led consumers to question whether their data was truly secure with the retailer and whether it was simply safer to shop elsewhere. That loss of consumer confidence is incredibly difficult to claw back, particularly at a time when grievances can be aired on social media and shared hundreds or thousands of times.

To pile on further scrutiny, in June 2018 its parent company, Dixons Carphone, revealed that it had been the victim of a cyberattack which had begun in July 2017. Attackers accessed 5.9 million payment cards and 1.2 million personal data records, and the incident was deemed serious enough to prompt involvement from GCHQ. While Dixons Carphone stated that the incident was unrelated to the one from 2015, the brands are so closely aligned that Carphone Warehouse was once again associated with a huge breach.

Businesses are judged on their response to incidents

Preventing cyberattacks is becoming harder as the sophistication of attacks outpaces the technology used to defend against them. Businesses are therefore now being judged, by consumers and regulators alike, on how they respond. How quickly they notify the relevant stakeholders, the information and advice they provide, and how efficiently they close the gap that was exploited all affect the scale of the financial fallout and the backlash they face. These factors point to a compelling need for firms to have a proactive Cyber-Security Incident Response Team (CSIRT) in place; the acronym is more commonly expanded as Computer Security Incident Response Team, but the role is the same.

Drawn from experts across the enterprise, such a team should be well drilled through regular planning and exercises, such as tabletop walkthroughs of realistic incident scenarios, so that it can immediately put the appropriate response into action when incidents of increasing sophistication and complexity occur.

Another benefit of such a team is that regular, proactive testing surfaces existing vulnerabilities so that they can be remediated before they are maliciously exploited. As companies grow and evolve, their networks and processes shift, so testing needs to be an ongoing effort rather than a one-off exercise if cyber resilience is to remain high.

Getting the CSIRT up and running

There are some important considerations to address before starting a programme. These include operational and technical issues, such as securing the necessary equipment, as well as determining the resources and funding needed for the newly formed team. Firms must also ensure that existing teams are not left short-handed and can still carry out their responsibilities.

As with any team, the effectiveness of the CSIRT is greatly increased when it has a defined objective. When everyone within the team is clear on their role, it is easier for them to pull in the same direction. Teams should be structured so that every member has responsibility and accountability, while also defining who has the final say when decisions must be made under pressure.

During the planning phase it is also essential to remove any areas of duplication. Repeating activities and processes wastes resources and simply delays reaching the desired outcome. Companies can identify where overlaps and gaps exist by analysing their existing incident response processes. This analysis will also bring to light the firm's current response capabilities, the effectiveness of its existing alert sources, and any constraints it operates under.

Selecting the most effective team

Ideally, the CSIRT should consist of staff from across the enterprise to ensure there’s a good spread of expertise and that the requirements of all relevant stakeholders can be met.

A vital member is a business manager. Business managers operate on the front line of the organisation and are accountable for managing its activities and employees. Should an incident be so severe that critical systems need to be shut down to contain further damage, having a business manager on the team will help the company weigh the impact of that downtime against the risk of leaving the systems running.

Technical knowledge should be provided by a representative of the IT team. It is important that clear guidelines are set on how IT staff and the CSIRT interact, and on the actions each is to take during response operations. If the CSIRT needs access to network and system logs for analysis, the level of access and visibility it is granted should be agreed in advance rather than negotiated in the middle of an incident.

The aftermath of any data loss incident may result in legal proceedings, so it is vital that a member of the legal team is present to determine liability. Their expertise will also be essential for protecting the firm: reviewing non-disclosure agreements, developing appropriate wording for contacting other sites and organisations, and advising on notification obligations such as the 72-hour window for reporting a personal data breach to the supervisory authority under the GDPR.

Other members should include audit and risk management specialists, since threat metrics and vulnerability assessments will play a key role in planning the strategy, as well as representatives from human resources and public relations. The former will help develop job descriptions for hiring CSIRT staff and draft policies and procedures for dealing with internal employees found engaging in unauthorised or illegal computer activity. The latter will be responsible for external communications: handling media queries and helping to develop press statements and guidelines for information disclosure.

Ultimately, in an age where businesses fall victim to cyberattacks daily, it is essential that firms have proactive incident response teams that can lessen the threat to their reputation. Breach repercussions are ongoing and, if companies cannot move quickly to manage them, they can spiral out of control. A well-prepared CSIRT that draws on expertise from across the enterprise is a powerful tool that dramatically increases cyber resilience. When incident response is slick and well planned, the company will be viewed more favourably by regulators and, more importantly, it will mitigate the severe drop in consumer confidence that can be fatal to less prepared firms.

French Caldwell, Chief Evangelist at MetricStream

Having worked with the White House and the US Navy, and as a diplomatic liaison to NATO, French is a leading expert on regulation. Now at MetricStream, he specialises in emerging technologies and GRC (governance, risk and compliance) technologies.