Sensitive data always attracts the attention of cyber-attackers. Whether or not an organization realizes it is being attacked, and regardless of the scale of its business, every organization is susceptible to cyber threats. To maintain a healthy reputation and customer trust, to limit the impact when data is compromised, and to avoid potential revenue loss, organizations need an incident handling and response team. Alongside this, organizations also need to follow stringent global privacy laws, regulations, and compliance standards. Two factors, however, commonly hinder the building of an efficient incident handling team: a restricted budget and a limited understanding of the importance of incident handling.
This article will focus on the different challenges that every incident handling team faces. It will also dwell on additional information that can improve an existing incident handling plan.
Top 3 Challenges That an Incident Management Team Faces
In practice, a few common challenges usually occur while managing an incident. Resolving these issues will result in better management of security incidents.
Challenge 1: Incident Detection
Security incidents occur in many forms, which makes their identification difficult. Unusual behavior of a privileged user, an unauthorized insider attempting to gain access to sensitive data or servers, discrepancies in outgoing network traffic, configuration alterations, and many other incidents go unnoticed. As per the M-Trends 2019 report, between October 1, 2017, and September 30, 2018, the global median incident detection time, or “dwell time,” was 78 days. There are some common reasons for the delay in incident detection: assigning such crucial tasks to recently trained employees who do not understand the urgency of reporting a security incident, or who are not familiar with what qualifies as an “incident.” Even after an incident is successfully detected, escalating it quickly remains a problem.
Timeliness and efficiency are two critical components of effective incident handling. Keeping a close eye on the timeline of the entire incident handling procedure will help set benchmarks for its different phases. Monitor and track the time taken to discover the incident, escalate it, assess the risk, contain the threat, and conduct a complete forensic investigation.
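One way to track the timeline the article describes, as an added example that is not part of the original article: compute the time spent in each phase per incident, compare it against per-phase targets, and report the median dwell time (first attacker activity to detection). The incident records and the benchmark hours are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Steps of the incident timeline, in the order the article lists them.
STEPS = ["occurred", "detected", "escalated", "assessed", "contained", "investigated"]

# Maximum acceptable hours per step transition. Constructed placeholder targets;
# set them from your own incident handling plan.
BENCHMARK_HOURS = {
    "detected->escalated": 4,
    "escalated->assessed": 8,
    "assessed->contained": 24,
    "contained->investigated": 120,
}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def step_durations_hours(incident):
    """Elapsed hours between consecutive steps of one incident record."""
    durations = {}
    for earlier, later in zip(STEPS, STEPS[1:]):
        delta = _parse(incident[later]) - _parse(incident[earlier])
        durations[f"{earlier}->{later}"] = delta.total_seconds() / 3600
    return durations

def dwell_time_days(incident):
    """Dwell time: days from first attacker activity to detection."""
    return step_durations_hours(incident)["occurred->detected"] / 24

def missed_benchmarks(incident, benchmarks=BENCHMARK_HOURS):
    """Step transitions that took longer than their benchmark."""
    durations = step_durations_hours(incident)
    return [step for step, limit in benchmarks.items() if durations[step] > limit]

def median_dwell_days(incidents):
    return median(dwell_time_days(inc) for inc in incidents)

# Constructed sample incidents (not real data). INC-1 mirrors the 78-day median cited above.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2019-01-01 00:00", "detected": "2019-03-20 00:00",
     "escalated": "2019-03-20 06:00", "assessed": "2019-03-20 12:00",
     "contained": "2019-03-21 12:00", "investigated": "2019-03-28 12:00"},
    {"id": "INC-2", "occurred": "2019-05-01 00:00", "detected": "2019-05-03 00:00",
     "escalated": "2019-05-03 02:00", "assessed": "2019-05-03 03:00",
     "contained": "2019-05-03 05:00", "investigated": "2019-05-05 05:00"},
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["id"], f"dwell={dwell_time_days(inc):.0f}d", "missed:", missed_benchmarks(inc))
    print("median dwell days:", median_dwell_days(INCIDENTS))
```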
Challenge 2: Strict Breach Notification Component
Nationally and internationally, different data privacy laws lay out a clear plan for security breach notification. These laws are usually mandatory and are updated frequently. The regular changes in regulatory compliance make it difficult for the incident handling team to keep pace. The Cost of Compliance Survey by Thomson Reuters indicates that, on average, there are 216 regulatory updates a day.
Challenge 3: Lack of Incident Handling Budget
Traditionally, the budget planned for incident management is smaller than other IT expenditures. According to the IAPP-EY Annual Privacy Governance Report 2018, the average privacy budget dropped from $2.1 million (2017) to $1 million (2018). A few common reasons for this massive decline are spending a large sum of money on the regulatory compliance preparation cycle, or spending over the limit in the previous year.
To bridge this budget gap, the team needs to make sure that board members and executives of the organization understand the value of the privacy program.
Other Challenges and Solutions to Improve a Deficient Incident Handling Plan
Generally, incident handling teams face issues while dealing with a few threats, which include the following:
Challenge: No Program for Insider Threats
The 2018 Insider Threat Report confirmed that 90% of organizations feel vulnerable to insider attacks. In the same survey, cybersecurity professionals stated that the three major risk factors for insider threats are a high number of users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the growing complexity of information technology.
Given this worrying trend, addressing insider threats with a dedicated program is essential. This program should focus on dealing with the compromise, theft, and sabotage of valuable assets and critical data by insiders.
Build an organized insider threat program with the precise classification of roles and responsibilities. The program should contain the criteria for categorizing a threat as an insider threat, the procedure to conduct inquiries, and proper practices to stop it from happening in the future.
Challenge: No Database to Segregate Critical Assets
A proper data management process is required to maintain a database for all the critical assets of an organization. In the absence of such a dedicated asset list, it gets difficult for the incident handling team to defend or protect the assets from potential cyber threats.
Create an inventory of all active and inactive assets, and update this database regularly. Apart from maintaining the database, keep ‘Asset Management Logs’, a record of the movement of assets. Reviewing and analyzing this log for suspicious activity will also help the team identify an incident as soon as it occurs.
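As an added example (not from the original article), the following reviews an Asset Management Log against the asset inventory and flags the movements a handler would want to look at: assets missing from the inventory, inactive assets that are moved again, and critical assets moved without a change ticket. The inventory, the log format and the log lines are constructed for illustration.

```python
import re

# Constructed asset inventory (not real data): asset id -> attributes.
INVENTORY = {
    "SRV-DB-01": {"critical": True, "status": "active"},
    "LT-0042": {"critical": False, "status": "active"},
    "SRV-OLD-07": {"critical": True, "status": "inactive"},
}

# Constructed Asset Management Log: one asset movement per line, key=value fields.
# A ticket of "-" means no change ticket was recorded for the move.
ASSET_LOG = """\
2019-06-01T09:12 MOVE asset=SRV-DB-01 from=DC-A to=DC-B by=jdoe ticket=CHG-1001
2019-06-01T10:30 MOVE asset=LT-0042 from=OFFICE-3 to=HOME by=asmith ticket=-
2019-06-02T02:15 MOVE asset=SRV-DB-01 from=DC-B to=STORAGE by=tmp_user ticket=-
2019-06-02T03:40 MOVE asset=SRV-OLD-07 from=STORAGE to=DC-A by=tmp_user ticket=-
2019-06-02T04:05 MOVE asset=USB-9999 from=DC-A to=UNKNOWN by=tmp_user ticket=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) MOVE (?P<kv>.*)$")

def parse_entry(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    match = LINE_RE.match(line)
    if not match:
        return None
    entry = {"ts": match.group("ts")}
    entry.update(field.split("=", 1) for field in match.group("kv").split())
    return entry

def review_asset_log(log_text, inventory):
    """Return (timestamp, asset id, reason) for each movement worth investigating."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        asset = inventory.get(entry["asset"])
        if asset is None:
            findings.append((entry["ts"], entry["asset"], "asset not in inventory"))
        elif asset["status"] == "inactive":
            findings.append((entry["ts"], entry["asset"], "inactive asset moved"))
        elif asset["critical"] and entry.get("ticket", "-") == "-":
            findings.append((entry["ts"], entry["asset"], "critical asset moved without change ticket"))
    return findings

if __name__ == "__main__":
    for finding in review_asset_log(ASSET_LOG, INVENTORY):
        print(*finding)
```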
With sudden changes in regulatory compliance, the incident handling team struggles to maintain a budget for the privacy program. Organizations need a reliable and robust incident handling and response plan that can successfully detect, escalate, assess, and notify a high volume of incidents. This plan should be scalable and comprehensive enough to cover different types of security incidents.
To learn proven solutions for overcoming the challenges mentioned above, take a look at EC-Council Certified Incident Handler (E|CIH). E|CIH is designed and presented by experts of the cybersecurity industry. It is a dedicated program that comprehensively covers the knowledge and skills needed to handle security incidents effectively. This lab-intensive program focuses on helping candidates acquire practically applicable, industry-required knowledge and skillsets. The program is 100% compliant with the NICE and CREST frameworks, indicating its accordance with real-world incident handling experience.