BreachExchange mailing list archives

1 in 3 businesses have no incident response plan


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Mar 2014 19:24:19 -0600

http://www.scmagazineuk.com/1-in-3-businesses-have-no-incident-response-plan/article/338644/

Arbor Networks today announced the results of its survey on incident
response, which was carried out by The Economist Intelligence Unit. The
firm surveyed 360 senior business leaders, with 73 percent of these being
C-level management or board members from various countries across the
world. Approximately 31 percent were based in North America with 36 percent
and 29 percent coming from Europe and Asia Pacific respectively.

The most alarming statistics from the study were that despite 77 percent of
companies confessing to having suffered from some kind of data loss
incident in the last two years, over a third (38 percent) of firms still
had no incident response plans in place. More worryingly still, just 17
percent of global businesses involved in the study said that they were
fully prepared for an 'online security incident'. However, the study
revealed that these companies were typically relying on the IT department
and external resources - like IT forensic experts - hinting that there is a
possible disconnect with C-level.

James Chambers, senior editor at The Economist Intelligence Unit, said that
the study results were positive but warned that incident response needs to
take higher priority.

"There is an encouraging trend towards formalising corporate incident
response preparations. But with the source and impact of threats becoming
harder to predict, executives should make sure that incident response
becomes an organisational reflex rather than just a plan pulled down off
the shelf," said Chambers in a prepared statement.

Phil Cracknell, head of security and privacy services at Company 85 and
former CISO at TNT Express, Yell Group and Nomura International, told
SCMagazineUK.com that the results were indicative of an 'it won't happen to
me' attitude.

"It's a belief that it will never happen to them, and because here in the
UK you don't see too many execs dragged in front of the press to explain
what went wrong; if we did maybe we would see more encouraging figures of
readiness," he told SCMagazineUK via email.

BH Consulting founder and analyst Brian Honan, meanwhile, warned that these
problems would continue to arise so long as information security - and
incident response - was treated as an IT issue with little effect on
business operations.

This problem, he said, is exacerbated by the fact that some boardrooms may
not take too kindly to being asked for additional money on top of the spend
already issued for protecting the company's computer systems.

"It's quite common for us to come across companies that have no or
inadequate incident response plans," Honan told SCMagazineUK.com in a
telephone briefing. "It's a big challenge getting big organisations to
invest in incident response - and it's challenging for CISOs. They've got
to get the companies to spend on the security to protect the business, and
they also need money in case the investments don't work. It can be a hard
sell."

Honan agreed that a disconnect with the C-level, and an 'it won't happen to
us' philosophy can be obstacles in developing adequate incident response
plans, and added that there is also an assumption that this is a "techies
only" issue. Instead, he says that incident response should also include
legal, PR and even HR departments - if an insider is to blame.

Cracknell, like Honan, did have words of encouragement for companies and
said that companies need to first go through a data breach to understand
how to respond, and formulate their plan.

"Retain experts, have a plan, run a workshop to ask all those awkward
questions of the board that you would need in order to make decisions
during a crisis," he said via email. "Create a series of web holding pages
announcing you know an incident occurred, you are sorry for any
inconvenience and the matter is being looked into.

"No news and poor communications will make any incident even worse... You can
come out of a crisis and gain credibility if you handle it well."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/