May 20 2021

RSA 2021: 4 Common Myths of Cybersecurity Incident Response Planning

Most organizations are straining to avoid data breaches, deploying extensive cybersecurity solutions, engaging in third-party security risk assessments and arming employees with routine anti-phishing education.

It’s not stopping the bad guys. The number of data breaches within organizations increased by a third in the past year, according to the Verizon Business 2021 Data Breach Investigations Report. Verizon said 85 percent of breaches involved a human element.

Yet one area where companies should be doing much more is incident response, says Gabriel Whalen, manager of CDW’s information security solutions practice.
“It’s not a matter of if but when an organization is going to be impacted by a criminal cyber actor,” Whalen said, speaking at RSA 2021, the digital version of one of the most important security events of the year. Small businesses are especially prone to failing to plan for the worst, he said, often assuming they are unlikely to be targeted.

“Regardless of the size of the organization, it’s a matter of being underprepared. Sure, a lot of companies might have thought about some sort of IT defense and resilience, but having a plan on a shelf that they’re able to reach to in the event of a ransomware attack was maybe not quite there. Or what would happen when we had to send all of our employees home?”


Why Businesses Don’t Plan for Data Breaches

With so many companies victimized by data loss, why aren’t more of them planning for the likelihood of an attack? Whalen said that many believe one or more of the following myths:

  • Cyberinsurance makes incident response planning unnecessary. “This one scares me,” Whalen said. Having cybersecurity or business continuity insurance is important but is not a substitute for an incident response plan, just as having homeowners insurance is no reason to let your house burn down, he said. “I have insurance too, but I still protect myself when I go out in my daily routine. Having insurance is a great strategy in your incident response, but maybe we want to think about doing a little more.”
  • Small businesses aren’t targeted for attack. Many small businesses think their low profiles make them unlikely to be victimized. In fact, their lack of preparedness makes them tempting prey for threat actors. “Attackers are like fishermen,” Whalen said. “They go where the fish are, and they use the bait that’s going to work best. So if you have a common vulnerability in your environment, they’re going to find you if they’re looking for it that day, and then they’re going to figure out how to use your organization to raise capital.”
  • A stout perimeter defense is sufficient. Most breaches involve a human element, and that person is usually already inside the organization’s environment, where a traditional perimeter defense is not designed to catch them. “It could be someone who configured things the wrong way, it could be someone who just clicked on an email,” Whalen explained. “It’s not necessarily intentional. It’s just people trying to get through their days with all the stressors that can result in security violations, and those turn into breaches.”
  • Developing an incident response plan is too expensive. The average cost of a breach is $3.86 million, according to the Ponemon Institute, and that figure does not count the reputational damage to a breached organization. Incident response planning carries a business cost, but it is far lower than the cost of a successful attack.

Meanwhile, some organizations have an attitude toward data breaches that can be summed up as “we’ll deal with it if it happens,” Whalen said. That’s an especially unwise approach: “Having a plan today, even the most basic elements of a plan, can secure your future and save you a lot of pain.”

CDW offers a full suite of incident response services, including formal training for the first responders in the IT department; a readiness assessment that includes a careful review of an organization’s existing incident response plan; incident response program development for those that have no plan or need an update; and a tabletop exercise workshop, which includes “actually walking through with all the stakeholders a scenario of an incident,” gaming out how different people within the organization would act based on its incident response playbook.

“If we think about the degree to which you want to protect your organization, I don’t recommend you make a meteor shield for every asset, but maybe we think a little bit further to protect ourselves in the long run,” Whalen said.

