Asked about their number one focus in the first 24 hours after a security incident, nearly two-thirds (64 per cent) of respondents say mitigating the threat is the main priority, while 36 per cent say it is about identifying the cause. David Gray, Senior Manager and Incident Response Practice Lead EMEA at NTT Security, believes that although there is much greater security awareness from top to bottom within organisations, there is a clear lack of preparation and planning when it comes to incidents, despite the potential impact.
“There is still an element of ‘head in the sand’, where organisations simply don’t think it is going to happen to them, despite everything we are seeing in the news. Our global Risk:Value report* last year backs this up, with less than half (49 per cent) of respondents admitting they have implemented an incident response plan. While most say they communicate their plans internally, it’s still only a minority who are fully aware of them. These figures have barely changed year on year and suggest that incident response planning is still not a priority.”
The NTT Security poll, which was conducted over Twitter and generated around 5,500 responses, points to a lack of resources that many organisations are struggling with today as a possible explanation for this. Lack of skills in-house is what worries the majority of companies (59 per cent) when responding to a cybersecurity incident or breach, while 41 per cent worry about lack of budget.
David Gray adds: “The worry is that even if organisations do have an incident response plan in place they simply do not have the resources to execute it, losing valuable hours or even days identifying the right skills and setting up the necessary SLAs and contracts. This is precious time wasted. Even the most mature security teams are forced into a reactive stance when something happens. Those first 24 hours are crucial in minimising the impact and cost of an incident and protecting valuable data, so they need to make them count!”
Steps to take in the first 24 hours of a security incident
NTT Security recommends adopting a triage process in the first 24 hours of a security incident to provide a head start in remediation and post-incident investigation. These steps provide a starting point to this process: