Why You Should Care About Incident Response
What you need when everything else fails
Earlier this year, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital's computer systems. Since then, two other hospitals in California, as well as hospitals in Kentucky and Maryland, have also been hit. What changed? That $17,000 ransom made headlines, letting other cyber criminals know that ransomware can be a realistic and profitable attack vector against the enterprise. Cyber incidents are on the rise, and even the least suspected targets are vulnerable. That's why, no matter how secure you may feel, you need to be prepared for action.
Preventative security controls will fail
Prevention has long been the foundation of enterprise security. Years ago, I remember working with a client who assumed that preventive controls like anti-virus and firewalls were enough to protect the organization from outside threats. Time has revealed that prevention fails on a daily basis at many organizations. According to the 2015 Cost of Cyber Crime study by the Ponemon Institute, every company surveyed was the victim of a Trojan, virus, or worm type of attack and 97 percent surveyed were reported to have been the victim of a malware attack. Contrast this with the 99 percent-plus deployment rate of anti-virus clients across the enterprise and it's self-evident that preventative controls are not effective 100 percent of the time.
Detective security controls will fail
Prevention eventually gave way to detection. We saw a surge of products that could detect incidents on the network. However, we've seen that detection also fails on a regular basis. Look no further than the Verizon Data Breach Investigations Report, which shows that most incidents are not detected internally for years (or ever). No matter how many technical solutions are deployed, something will get past your security controls undetected. It's the same well-known principle that applies to risk management: incidents, like risk, can never be completely eliminated; you can only reduce their likelihood and their potential impact.
Incident response is what remains when all else fails
Once an incident bypasses your preventative and detective security controls, you are left with incident response. It's not a question of whether your organization will be hacked, it's when and how badly you'll be impacted. This is what led Gartner to make the following statement:
To learn more about our security practice, visit our security page. WWT can also help you gain a better understanding of where your organization stands today in responding to a data breach by requesting our Security Tabletop Exercises Workshop.