The Blame Game: The problem of post-incident review

You’ve been breached and have worked through the Incident Response (IR) plan: the incident has been identified and mitigated, the necessary authorities have been informed and affected parties have been notified. But the next stage is perhaps the most crucial part of the process, and also the one that tends to be mismanaged. Post-incident review seeks to learn from the process: what just happened, how it was dealt with, and where there’s room for improvement.

Much like the post-match analysis that follows every football game, post-incident review assesses the highs and lows in order to determine how effective the IR has been and how defences can be bolstered to strengthen the organisation’s ability to withstand future attacks.

The review seeks to capture the entire span of the incident and, according to the industry body CREST, typically comprises a three-step process. First, the review details all the steps taken during IR; this is followed by formal documentation of all the lessons learned, which is supplied to all stakeholders; the final stage then sees the IR plan itself revised and updated. In theory, this should lead to improvements that mitigate the risk of a recurrence, shorten detection time, and improve diagnosis, prioritisation and the allocation of resources.

Long term repercussions

This kind of wash-up is vitally important because breaches can cost big time. Research into how a data breach affects stock price found that the effect can be cumulative, shaving significant value off the business: after a year the share price drops 8.6 percent on average, dropping further to 11.3 percent after two years and 15.6 percent after three years, even though the impact of the data breach itself will have lessened. The average cost of a data breach in 2022 is said to be $4.35 million, but businesses with an IR team that regularly tests the IR plan are estimated to save $2.66 million, according to IBM’s Cost of a Data Breach Report 2022.

Reducing the prospect of further breaches is therefore very much in the interests of senior management. But, according to the ISC(2) Cybersecurity Workforce Study 2022, the corporate focus tends to be predominantly on the performance of the security team itself, with 40 percent saying they felt under increased scrutiny and 41 percent reporting an increase in workloads post-breach. Interestingly, very little investment tended to follow: only 20 percent said a high-profile breach would lead to further spend, and only 16 percent said it would lead to the hiring of more staff. And, somewhat worryingly, 8 percent said no changes were made at all.

Consequently, this type of post-breach mismanagement tends to lead to another, less well-charted impact – workforce attrition. Feeling under-supported and overwhelmed, the security team is placed at higher risk of burnout. The same report found that a negative culture, and burnout and stress, came in third and fourth place respectively, after salary and career progression, as the top reasons cybersecurity staff quit. This is cause for concern because, at a time when skills shortages are growing, you really don’t want to lose valuable cybersecurity resources. (The survey found that the cybersecurity skills gap increased 73 percent over the course of the year, equivalent to 56,811 unfilled vacancies in the UK, while the Department for Culture, Media and Sport predicts an annual shortfall of 14,000 entrants into the profession.)

Of course, reviewing data breaches is also a regulatory obligation. The Information Commissioner’s Office (ICO) states that breaches should be analysed to prevent a recurrence, that the type, volume and cost of breaches should be monitored, and that trend analysis should be conducted over time to facilitate understanding. It will also want to see awareness of the lessons learned and evidence that the steps taken were effective.

With the ISC(2) report revealing that little investment is being made in measures that would prevent a recurrence, it’s clear that some companies would be viewed as non-compliant by the ICO, and they’re not in the minority. The OWASP Top 10 Privacy Risks places insufficient data breach response third on the list and released its countermeasures this year. Actions classed as ‘insufficient’ included not informing affected parties about the breach, a failure to remedy the situation by fixing the cause, and/or not attempting to limit the data leak.

Cause and effect

It’s important to realise here that many of these failings are due not to technology but to a poor security culture. In fact, the breach itself is often symptomatic of this, of systemic issues or of operational failure. If security is not embedded throughout the organisation and its business processes, the security team becomes solely responsible and is doomed to fail.

So what can organisations do to improve their post-breach response, boost morale and retain staff? In reality, any serious data breach should result in changes not just to the IR plan but to policies and procedures, and potentially in further investment in resources, whether that be people or technology.

The cybersecurity team needs to be equipped with the necessary resources to prevent a recurrence, but it also needs to be supported, and for that to happen security should be regarded as a shared responsibility throughout the business. Regular auditing, both internal and external, such as through a penetration test, can provide ongoing assessment of the effectiveness of the IR plan and bring some objectivity. And the IR plan itself should be regarded as a ‘living document’ and be regularly updated in line with any change to the business, such as new people, acquisitions, service offerings and so on.

That said, we also need to eradicate the culture of blame. Senior management needs to listen to and value the analysis from the cybersecurity team and look at where investment can be made to reduce risk effectively and efficiently. Deprived of grass-roots support, the danger is that the team will become disillusioned and disaffected, resulting in quiet quitting or in their leaving within the next few years. Therefore, any investment post-breach isn’t just about reducing the likelihood of a recurrence; it’s an investment in the team itself, serves as recognition and validation of their efforts, and could well make the difference between whether they stay or go.

Jamal Elmellas

Jamal Elmellas is Chief Operating Officer for Focus-on-Security, the cyber security recruitment agency, where he oversees selection and recruitment services. He previously founded and was CTO of a successful security consultancy, where he delivered secure ICT services for government and private sector organisations. Jamal has almost 20 years’ experience in the field and is an ex-CLAS consultant and a Cisco- and Check Point-certified practitioner.
