The Blame Game: The problem of post-incident review
You’ve been breached and gone through the Incident Response (IR) plan: the incident has been identified and mitigated, the necessary authorities have been informed and affected parties have been notified. But the next stage is perhaps the most crucial part of the process, and also the one that tends to be mismanaged. Post-incident review tries to learn from the process: what just happened, how it was dealt with, and where there is room for improvement.
Much like the post-match analysis that follows every football game, post-incident review assesses the highs and lows in order to determine how effective IR has been and how defences can be bolstered to strengthen the organisation’s ability to withstand future attacks.
The review seeks to capture the entire span of the incident and, according to the industry body CREST, typically comprises a three-step process. First, the review details all the steps taken during IR. This is followed by the formal documentation of all the lessons learned, which is supplied to all stakeholders. The final stage then sees the IR plan itself revised and updated. In theory, this should lead to improvements that help mitigate the risk of a recurrence, shorten detection time, and improve diagnosis, prioritisation and the allocation of resource.
Long term repercussions
This kind of wash-up is vitally important because breaches can cost big time. Research into how a data breach affects stock price found the effect can be cumulative, shaving significant value off the business: after a year the share price drops 8.6 percent on average, falling further to 11.3 percent after two years and 15.6 percent after three years, even though the impact of the data breach itself will have lessened. The average cost of a data breach in 2022 is said to be $4.35 million, but businesses with an IR team that regularly test the IR plan are estimated to save $2.66 million, according to IBM’s Cost of a Data Breach Report 2022.
Reducing the prospect of further breaches is therefore very much in the interests of senior management. But, according to the ISC(2) Cybersecurity Workforce Study 2022, the corporate focus tends to fall predominantly on the performance of the security team itself, with 40 percent of respondents saying they felt under increased scrutiny and 41 percent reporting an increase in workloads post-breach. Interestingly, very little investment tended to follow: only 20 percent said a high-profile breach would lead to further spend, and only 16 percent said it would lead to the hiring of more staff. And, somewhat worryingly, 8 percent said no changes were made at all.
Consequently, this type of post-breach mismanagement tends to lead to another, less well-charted impact: workforce attrition. Feeling under-supported and overwhelmed, the security team is placed at higher risk of burnout. The same report found that a negative culture, and burnout and stress, came in third and fourth place respectively, after salary and career progression, among the top reasons cybersecurity staff quit. This is cause for concern because, at a time when skills shortages are growing, you really don’t want to lose valuable cybersecurity resource. (The survey found that the cybersecurity skills gap increased 73 percent over the course of the year, equivalent to 56,811 unfilled vacancies in the UK, while the Department for Culture, Media and Sport predicts an annual shortfall of 14,000 entrants into the profession.)
Of course, reviewing data breaches is also a regulatory obligation. The Information Commissioner’s Office (ICO) states that breaches should be analysed to prevent a recurrence, that the type, volume and cost of breaches should be monitored, and that trend analysis should be conducted over time to facilitate understanding. It will also want to see awareness of the lessons learned and evidence that the steps taken were effective.
With the ISC(2) report revealing that little investment is being made in measures that would prevent a recurrence, it’s clear that some companies would be viewed as non-compliant by the ICO, and they are not in the minority. The OWASP Top 10 Privacy Risks places insufficient data breach response third on its list and released its countermeasures this year. Actions classed as ‘insufficient’ include not informing affected parties about the breach, failing to remedy the situation by fixing the cause, and/or not attempting to limit the data leak.
Cause and effect
It’s important to realise here that many of these failings are not due to technology but to a poor security culture. In fact, the breach itself can often be indicative of this, or of systemic issues or operational failure. If security is not embedded throughout the organisation and its business processes, the security team becomes solely responsible and is doomed to fail.
So what can organisations do to improve their post-breach response, boost morale and retain staff? In reality, any serious data breach should result in changes not just to the IR plan but to policies and procedures, and potentially in further investment in resource, whether that be people or technology.
The cybersecurity team needs to be equipped with the necessary resource to prevent recurrence, but it also needs to be supported, and for that to happen security should be regarded as a shared responsibility throughout the business. Regular auditing, both internal and external (such as through a penetration test), can provide ongoing assessment of the effectiveness of the IR plan and bring some objectivity. And the IR plan itself should be regarded as a ‘living document’ and be regularly updated in line with any change to the business, such as new people, acquisitions or new service offerings.
That said, we also need to eradicate the culture of blame. Senior management needs to listen to and value the analysis from the cybersecurity team and look at where investment can be made to reduce risk effectively and efficiently. Deprived of grass-roots support, the danger is that the team will become disillusioned and disaffected, resulting in quiet quitting or in people leaving within the next few years. Therefore, any investment post-breach isn’t just about reducing the likelihood of a recurrence; it’s an investment in the team itself, serves as recognition and validation of their efforts, and could well make the difference between whether they stay or go.