When an organization’s revenue, customer trust, and reputation are at stake, it is vital to be able to quickly and definitively respond to cyber security threats and incidents. Regardless of whether an information security breach is major or minor, your business needs to have an incident response team ready to mitigate the damage of becoming a victim of the latest cyber-attack.
Companies deploy cyber security solutions and services to protect sensitive information and prevent data leaks. Cyber-attacks and malware are usually blamed for data breaches, but other common causes include insider leaks, identity theft, misconfiguration, and human error.
Having a well-prepared and planned incident response plan, with the right people to implement it, is one of the most important things your business can do.
What is a data breach?
A data breach is defined by the U.S. Department of Justice as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, access for an unauthorized purpose, or other unauthorized access, to data, whether physical or electronic.”
Commonly, data breaches involve sensitive data such as financial information, details of bank accounts or credit cards, as well as health information, social security numbers, phone numbers, and email addresses. Data breaches have an average cost of nearly $4 million globally, and these costs include recovery, mitigation, as well as legal and regulatory costs. Today, regulations and laws such as HIPAA, PCI-DSS, GDPR, CCPA, and FIPA have guidelines for organizations handling certain types of sensitive information, which if not met can lead to severe consequences and fines.
What is an incident response team?
The group of people who will prepare for and respond to any data breaches and security incidents is called an incident response team. They will develop a proactive response plan and provide support for all incident handling processes. The incident response team members need to have designated and clearly defined roles and responsibilities, to be effective and efficient.
To set up an incident response team, your organization can choose between three different options:
- Internal employees: conduct all incident response activities within the company without any guidance from third parties
- Partial outsourcing: certain elements of the incident response are outsourced to third parties
- Full outsourcing: all elements of the incident response are outsourced to external parties
How your organization makes the decision to keep incident response internal or outsourced will depend on whether you have the right people internally to take on the roles and responsibilities necessary.
Roles and responsibilities of an incident response team
The incident response team needs to be properly resourced, carefully planned, and adequately trained before it goes into operation. If the right people are present when a security incident occurs, the incident response team will be able to respond and act in accordance with the corporate culture and values.
Incident manager
An incident manager has the overall responsibility and authority during an incident. They coordinate and direct all aspects of the incident response effort, driving all team activities and keeping the incident response team focused on minimizing damage and recovering quickly.
Information security team leader
Typically, the tech lead role falls to a senior technical responder. They analyze all the evidence, determine the cause of the problem, lead the technical team during the incident, and orchestrate rapid system and service restoration. The information security team leader will develop ideas about what damage has occurred and why, outline what changes should be made, and work closely with the incident manager.
Public relations and communications
A serious data breach can have a profound negative effect on the company's reputation and customer or stakeholder trust. It is important to have assistance with public relations and handling the public response to a data breach incident. The person in this position leads the company's messaging and communications efforts with all audiences, both internal and external. They will work with other members of the team to determine what company communications, both internal and external, are needed, including social media, company websites, and media.
Documentation lead
An efficient incident response process requires detailed documentation and appropriate evidence gathering to ensure a timely and effective response, to inform future incident response plans, and to ensure any regulatory reporting is completed.
For example, any organization that deals with the personal data of European Union residents must comply with the General Data Protection Regulation (GDPR), under which companies are required to report a breach under certain circumstances. This reporting requires detailed documentation of the nature of the breach, its likely consequences, and the measures taken or proposed to address it.
The documentation lead will record all team activities, particularly investigation, discovery, and recovery tasks, and create a reliable timeline for each phase of the incident. Being precise here also avoids slowing down recovery after a breach.
Legal team
The legal team may be a combination of internal legal and external legal parties. The legal team should provide counsel about legal issues and legal requirements related to data security, including who must be notified of a breach, which is one of the most significant and immediate legal considerations and a complex one. If mandatory notification is required, the legal team will advise on who should be notified, what the notification should say, and so on.
Employee communications
A company's workforce must be informed and prepared to handle cyber incidents, and this must be communicated in a reassuring and straightforward manner. Employees should be aware of the incident, and they should know what their part is in handling it. The message should include the relevant facts to keep employees informed and allow them to respond.
Data breach response
Companies that go through a data breach are more likely to have their incident response team recommend ways to invest in more robust preventative measures in the future. The ThreatAdvice Breach Prevention Platform is a comprehensive cyber security tool that gives you oversight over all your organization’s security needs and ensures the right solutions are in place so the likelihood of a data breach is significantly reduced. Talk to the team at ThreatAdvice today about investing in your business's future security.