The ROI on IR
Posted: August 16, 2019
For companies that have an Internet presence, cybersecurity incidents are inevitable. Even brick and mortar businesses have computer systems that can lead to cybersecurity incidents. How a company handles these incidents can have a major impact on the company's bottom line. Lost revenue is not the only risk. Companies that experience cybersecurity issues also face the possibility of fines and damage to their reputation.

Most companies and organizations will experience a security incident involving computers or other technologies. Companies like Target, Equifax, and Marriott have all had costly security breaches which exposed customer data. Many large companies have had incidents that led to Intellectual Property (IP) loss. Government agencies have also suffered breaches.

No one expects companies to prevent every cybersecurity incident, but companies are expected to detect incidents and react appropriately when incidents occur. If the incident comes to light months after the fact, the company runs the risk of losing the confidence of customers and investors. It reflects on the company even worse if the incident was discovered by outside individuals or organizations.

Cybersecurity incidents tend to cost a company much more if the company does not have a solid Incident Response (IR) plan in place prior to the incident happening. Companies have gone out of business because they were not prepared to handle security incidents. An upfront investment in Incident Detection and Response capabilities can actually save a company money in the long run.

Recently some insurance companies have begun selling cybersecurity insurance. While cybersecurity insurance can mitigate some of the dollar loss to a company that suffered an incident, it is not a cure-all. Having some percentage of a loss repaid by insurance does not account for money lost due to reputational damage.
In fact, the insurance company can refuse to pay if the victim company was negligent in their security preparation and response.

Some companies decide to keep their IR in-house, usually by building out a Computer Security Incident Response Team (CSIRT). Other companies outsource this function either completely or partially. In either case, the company must budget for this service and test the service to make sure it is adequate. These are not the only costs, though.

Both detection of incidents and response to incidents are critical components of any cybersecurity plan, but without appropriate data, there is not much an in-house CSIRT or an outsourced Managed Security Service Provider (MSSP) can do. In order to do adequate Incident Response, tools have to be in place to collect the data the IR team will need. System logs, authentication logs, security product logs, and network logs need to be available for both detection and response. There should be a tool that allows the IR team to correlate events across multiple sources and keep data for an appropriate amount of time. There are a number of log aggregation products available to fit the correlation and retention needs. To gain additional visibility, a company could collect additional sources such as web proxy logs, mail logs, application logs and database logs.

With more and more web traffic being encrypted, an organization may want to consider an SSL decryption product to get visibility into this traffic to detect both intrusions and data exfiltration. It is becoming more common for attackers to leverage network traffic encryption to hide their activities. An SSL decryption device allows a CSIRT to inspect traffic that would otherwise be hidden from them.

Determining which tools and technologies need to be deployed can be driven from the CSIRT or MSSP side, but business executives and leaders have to provide both input and budget. There may be auditing and/or legal requirements that need to be met.
Many teams may ultimately be involved in defining what needs to be monitored and how to monitor it.

Implementing a cybersecurity strategy is not cheap, but consider the possible consequences of not implementing a strong IR plan. It has been reported that 60 percent of small businesses go out of business after a cyber-attack. Large companies can drop from market leaders to lower tier players if their IP is stolen. Share prices of publicly traded companies can take a huge hit when breaches become public. A country's military forces can be severely impacted by cyber-attacks. Potential damages from cyber-attacks can be huge and far-reaching. IR can help to limit the damage.