One-quarter of IT security decision-makers reported at least one breach of their company’s sensitive information in the past 12 months, according to new research from Forrester.
Drawing from a recent survey of over 2,300 IT executives located in Canada, France, Germany, the UK, and the US, the report noted that 21% of respondents did not feel comfortable answering that question – although their responses were anonymous – a testament to how sensitive enterprises have become to the potential economic impact and damage to corporate reputation of a publicized security breach.
“People should expect to be breached. It’s not a matter of when. For a lot of organizations, it’s probably already happened”, said Rick Holland, a Forrester analyst and one of the authors of the report.
The bottom line is organizations need to plan for failure, the report noted. However, even among those enterprises that have already suffered a breach during the past year, only 18% increased spending on their incidence response program as a result. Perhaps even more surprisingly, many companies did nothing at all as the result of their breach.
To prevent the damage that a mishandled data breach can cause, Forrester recommends that companies establish an incident management plan before the data breach happens.
“The sooner a company can identify a breach, the less remediation they have to do”, Holland told Infosecurity.
Companies need to have a incident management plan in place just like they have a business continuity and disaster recovery plan in place, Holland said. “Organizations that don’t have an incident management plan and don’t successfully execute the plan are putting themselves at great risk”, he added.
The report recommends the use of the National Institute of Standards and Technology Computer Security Incident Handling Guide as a framework for developing a plan. The guide breaks down incident response into four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
In addition, testing of the plan is “critical to success”, the report said. “To truly understand your incident management capabilities you must periodically test your individual incident response plans….Testing helps validate your response capabilities and questions assumptions in the plan. In addition, testing helps everyone understand the contents of the plan as well as their roles and responsibilities”, the report argued.
Holland commented: “The worst time to try and tweak a plan is when the incident is happening in real time….You want to have an annual test of the incident management plan in order to review and update it.”