Strategizing Incident Response
When asked to compare the issues of incident response with another activity, strategy games immediately come to mind. Strategy games are some of the most popular forms of entertainment that have endured through the decades. They test our ability to multitask and handle our resources during a stressful situation. However, the real-world equivalent of these strategic puzzles is far less entertaining.
Incident response might seem like an issue reserved for multi-million-dollar companies—the type of company equipped with a team of security professionals working day and night—but the reality is less glamorous. The truth is incidents happen all the time to companies of all sizes. Chances are your company has had a cybersecurity data breach within the last year. As technology continues to revolutionize business, companies are becoming more dependent on it. However, without proper security oversight, that same technology can cripple the organization.
In order to safely navigate an incident and prevent any accidental mistakes, it is important to establish an incident response plan. This incident response plan is what the company and key personnel will use as a strategy. First and foremost, the strategy should outline what defines an incident. This will be different for every company, as the key areas of interest will be unique for every business.
Next, and what we will be outlining here, are the key personnel to be alerted when an incident is identified. This is the incident response team. Each person will have a key role to play in keeping everything organized and under control during the data breach. It can seem daunting to determine who to let into that private circle of trust in such a tense situation, so to break it down, think about it like a strategy game. In terms of strategy, each member of this team has a specific role in getting the company through the incident response. We have outlined 5 key roles below, but larger incidents could require more complex combinations of skills. However, the following setup is the backbone for any incident response plan, no matter the size.
The IT Professional
When dealing with an incident response plan, the majority of duties tend to fall on a single IT professional. This professional might be tasked with multiple jobs at a time, including setting up the company's network security posture and responding to technical issues. All of these tasks will revolve around mitigating the data breach, and that pressure takes time away from monitoring the network.
In strategy games, this vital role is referred to as the paladin. The dictionary definition describes it as a champion of a cause. When it comes to incident response, IT professionals are truly the champions of the company's security. When an end-user finds a potential cybersecurity threat, the IT professional should confirm it according to the incident response plan.
Mishandling of information during a data breach or cybersecurity incident response is a big problem for many companies. A vital aspect of being a paladin during incident response is exercising restraint; it is important to understand when to take your hands off the keyboard and leave tasks to other parties. Failure to do so could leave the company responsible and liable for intentional or unintentional spoliation of data.
The Third-Party Forensic Team
Over the course of several cybersecurity incidents, you will eventually need to seek assistance from a third-party forensic team. The forensic team is the wizard of the group, providing expertise, tools, and resources the company might not have available. There are a few reasons a company may not have the resources to complete its own incident response examination: it may never have experienced an incident response before, or it may be unable to afford the extensive tools necessary to perform one. It could also be due to the simple fact that some businesses need to have an impartial party review or conduct a report for insurance reasons. Selecting a third-party forensic team is vital, as they will be directly communicating with other key members of your company.
The Internal Lead
During an incident response, it is important to have someone in charge who will control the dissemination of information throughout the company. This role is typically filled by either the Chief Security Officer or the head of Public Relations. They are the gatekeepers of information regarding an incident. Additionally, they will report the results of any examination findings to the rest of the company.
This role can be considered the cleric—the pinnacle of support for the rest of the party. Throughout the investigation, members of the incident response team will defer to this internal lead for guidance and authority. Ideally, this person should have some technological experience or insight into the company's technical make-up, even at a high level. Additionally, they should rank high enough that delegating orders or taking possession of devices does not raise suspicion.
The Legal Representative
A key aspect of incident response is dealing with the public and private perception of the company and ensuring that there are no legal repercussions once the incident is resolved. This is dealt with by the company attorney or legal representative.
This legal representative is the bard—a support class. In the context of the strategy game, the bard provides positive buffs to their own team and negative debuffs to the opposing team. In an incident response context, they organize a plan based on the available information to best help the company. Similarly, they will give the incident response team valuable insight into some of the legal nuances of incident response, such as when the time is right to reveal their cards and when it is appropriate to call the investigation to a close. This role is especially critical if your company handles any amount of protected information beholden to regulatory bodies.
As you can see, each member of a cybersecurity incident response team has a very specific role to play. There can be any number of people filling these roles to meet the needs of the incident response plan. Going through any incident without a complete team could end up costing more money and bringing confusion and unnecessary stress to an already precarious security situation.
Read more about preparing for incident response in our recent insight, and learn how to follow through on an incident without issue. Dealing with a cybersecurity breach can be simplified; let us help you prepare for the inevitable. Contact an Eide Bailly professional today to discuss more ways to prepare and protect your company through incident response.