For almost three decades, the security industry has repeated the same message about incident response, calling it the single most important security process for every organization: “See something? Hear something? Say something!” Or, as the experts put it, “Report all potential security incidents immediately.”
But why the urgency? Why is “immediately” so necessary? Why can’t you wait until after a meeting or lunch to report an incident? Because resolution is all about time.
Think about it this way: How much damage can a security incident cause in one minute? How much damage can that same incident cause if left unreported for one hour? Is that 60 times the potential damage? Or what about one day, or even a week or longer? You simply don’t know; all the more reason to report any suspected security event as quickly as possible.
The longer a security event goes unreported, the greater the potential damage. Advanced Persistent Threats (APTs) commonly go unnoticed, and therefore unreported, for months, and in some cases for more than a year. How much information can a criminal or hostile nation-state steal in a year? How much damage would be done? What would it cost?
Security Is All About Detection and Reaction
Detection: The moment a potential security event gets noticed.
Example: An employee finds a random USB drive in the parking lot right outside her organization’s building.
Reaction: How quickly a potential security event gets reported and acted on.
Example: Does she turn the drive in through the proper channels immediately, or does she respond to a few urgent emails and return a few clients’ phone calls first?
Exposure: The amount of time between detection and reaction, the window during which the organization is most vulnerable.
Example: Every hour between her finding the drive and the security team taking it out of circulation is exposure. That includes her delay in reporting it and, once she does finally report it, however long it takes her organization to react.
If the first goal of information security is to reduce security events, then the second goal is to reduce exposure time to those events, since that is when your organization is most vulnerable. How do you accomplish that? By training your employees not just to identify incidents, but to understand why reporting them ASAP matters. Every end-user should know what to look out for, what to do when they “see something” or “hear something,” and exactly whom to tell; a reporting channel nobody can find is as bad as no channel at all.
From there, it’s up to the organization to have an incident response plan in place. Without it, recovery efforts will be ineffective and long-term damage could be devastating. That’s why every organization, regardless of size or industry, should develop an incident response plan that provides a playbook for handling security events in a timely manner. To learn more, check out this article covering incident response in five easy steps. And consider leaning on the NIST Cybersecurity Framework, whose Detect, Respond, and Recover functions map directly onto this problem, as your guide to implementing a robust security process that strengthens every aspect of your organization’s cyber defense; NIST SP 800-61, the Computer Security Incident Handling Guide, covers the incident handling life cycle itself in more detail.
Remember, time is not on your side. The sooner you detect and react, the better your chances of limiting the long-term effects.