The Need For Incident Management

Making the case

In today's digital age, it is essential for businesses and organizations to have an incident management capability in place to protect against potential incidents that could disrupt operations, compromise sensitive information, and harm the reputation of the business.

One of the greatest risks a business can face, aside from a cyber attack itself, is not having the people and processes in place to contain and mitigate the impact of an attack. When a business lacks an incident management capability, it can be caught off guard and unprepared to respond to an incident. This can result in a delay in recognizing and addressing the issue, allowing the incident to cause more damage than necessary.

For example, a delay in responding to a cyber attack can result in the attacker gaining access to additional systems or data, or in the spread of malware to other systems. This can lead to a greater impact on operations and a higher cost to the business in terms of lost productivity, lost revenue, and potential fines or legal costs.

Having an incident management capability in place, on the other hand, allows a business to respond quickly and effectively to an incident, minimizing the impact and containing the damage. This includes having expert staff who are trained to recognize and address incidents, as well as clear processes for communication and coordination with relevant parties, such as customers, regulators, and law enforcement.

The impact and cost of major cybersecurity incidents can be significant. For example, the 2017 WannaCry ransomware attack affected over 200,000 computers in 150 countries, leading to widespread disruption and costing businesses billions of dollars [1]. The 2014 Sony Pictures hack resulted in the release of sensitive corporate and employee information, as well as the cancellation of several film releases, resulting in significant financial losses for the company [2].

Other major cybersecurity incidents include the 2018 Marriott data breach, which exposed the personal information of over 500 million customers [3], and the 2013 Target data breach, which affected over 40 million credit and debit card accounts and resulted in significant financial losses for the company [4].

These examples demonstrate the importance of having an incident management capability in place to prevent and mitigate the impact of cyber attacks. By being prepared and having processes in place to respond to incidents, businesses can protect their operations, reputation, and compliance with regulations.

In addition to having an incident management capability in place, it is also important for businesses to implement strong security measures, such as strong passwords and authentication controls, regularly updating software and security systems, and educating employees on security best practices. This can help to prevent incidents from occurring in the first place and ensure the safety and security of a business's operations and data.

What exactly does incident management mean?

Incident management is the process of recognizing, responding to, and managing incidents that can disrupt a business's operations, compromise sensitive information, or harm the reputation of the organization. Incidents can include a wide range of events, such as cyber attacks, natural disasters, power outages, equipment failures, or data breaches. The goal of incident management is to minimize the impact of an incident and restore normal operations as quickly as possible.

The National Institute of Standards and Technology (NIST) has developed a framework for incident management and response known as the NIST Cybersecurity Framework (CSF). The NIST CSF is a voluntary framework that provides guidance for managing cybersecurity risks and improving cybersecurity outcomes.

The NIST CSF consists of five core functions:

  1. Identify: This function involves identifying and managing cybersecurity risks by understanding the organization's assets, the threats they face, and the vulnerabilities that could be exploited.

  2. Protect: This function involves implementing safeguards to prevent, detect, and respond to cyber threats. This can include implementing security controls, conducting risk assessments, and developing incident response plans.

  3. Detect: This function involves continuously monitoring systems and networks for signs of a potential incident, such as unusual activity or system failures. It also involves establishing procedures for reporting potential incidents and escalating them to the appropriate personnel.

  4. Respond: This function involves activating the incident response plan and taking steps to address and resolve the incident. This may involve isolating affected systems, coordinating with law enforcement or regulatory bodies, and communicating with stakeholders.

  5. Recover: This function involves restoring affected systems and returning to normal operations as quickly as possible. It also involves reviewing the incident and identifying lessons learned to improve the organization's cybersecurity posture.

Creating an incident management capability

Creating an incident management capability at a business or organization is an important step in protecting against the risks and challenges of today's digital world. An incident management capability allows a business to recognize and respond to incidents in a timely and effective manner, minimizing the impact and restoring normal operations as quickly as possible.

Here are some steps for creating an incident management capability at a business or organization:

  1. Define the scope of the incident management capability: Identify the types of incidents that the organization is most likely to face, such as cyber attacks, natural disasters, power outages, equipment failures, or data breaches. This will help to guide the development of the incident management plan and the selection of appropriate personnel for the incident management team.

  2. Develop an incident management plan: A well-developed incident management plan should outline the procedures for recognizing and responding to incidents, as well as the roles and responsibilities of incident management team members. The plan should also include procedures for communication and coordination with relevant parties, such as customers, regulators, and law enforcement.

  3. Establish an incident management team: An incident management team should include key personnel from different areas of the organization, such as IT, HR, and legal. The team should be trained on the incident management plan and have the necessary skills and knowledge to recognize and respond to incidents.

  4. Implement detection and response measures: To effectively detect and respond to incidents, the organization should implement measures such as monitoring systems and networks for signs of an incident, establishing procedures for reporting potential incidents, and activating the incident management plan when necessary.

  5. Test and review the incident management capability: It is important to regularly test and review the incident management capability to ensure that it is effective and efficient. This can involve conducting simulated incidents and exercises, as well as reviewing the incident management plan and making any necessary updates.

[1] Cyber attack hits 200,000 in at least 150 countries: Europol | Reuters
[2] Sony Pictures hack: the whole story | Engadget
[3] Marriott discloses massive data breach affecting up to 500 million guests | The Washington Post
[4] Target cyber breach hits 40 million payment cards at holiday peak | Reuters