Many savvy businesses are investing time and thought into data breach response plans. But plans rarely survive first contact with the enemy. That's why it's important to stress test your incident response plan to find and resolve its weaknesses while time is on your side.
Studies show that a swift response to a security incident retains customer trust—and saves costs. Breaches contained within 30 days of discovery cost an average of $5.24 million. If it takes more than 30 days to contain the breach, the average cost increases to $8.85 million, according to the Ponemon Institute's "2016 Cost of Data Breach Study: United States."
But speed can't be mandated by the plan. For this reason, your firm and your clients should stress test your incident response plan (IRP) on a semiannual or annual basis. When stress testing an IRP, it's best practice to go through the motions as if your company were experiencing an active data breach. Everyone who has a role in the response plan assembles in one room and, in the context of specific scenarios, discusses their actions and the order of operations. The goal is to get everyone familiar with their roles and responsibilities.
Here are three recommendations to make the most of your stress testing exercises.
1. Focus on the most likely scenarios
You’re more likely to encounter ransomware via a phishing email than a dedicated nation-state penetrating your firewall. As such, focus your stress test on the scenarios that are most likely and threaten the worst potential consequences.
By the time you work your way down to less-likely and less-costly threats, you'll already have covered the common elements of your response. Knowing how to adapt your plan to a specific threat is an expertise unto itself, one that won't emerge naturally in the planning phase.
The threat model, kill chain and consequences of ransomware will differ from those of stolen equipment. If your top two likely scenarios are similar, you're right to consider one stress test sufficient and to use your remaining time on a somewhat less likely threat that could require a different response.
2. Make it more than a technical exercise
By the time Target alerted its customers about its historic breach in December 2013, several days already had passed. The delay impacted consumer faith and the retailer's bottom line, and was a consequence of Target’s leadership treating the breach as a purely technical issue.
Since nontechnical staff must be involved in a real incident response, they should participate in stress-test activities, too. In addition to the board and IT, the incident response team must include: legal (internal and external), PR (internal and external), and HR (if employee data was exposed).
Here you have to strike a balance between internal staff and external specialists. Insiders will be more familiar with your company’s history, mission, situation, sensitivities, etc. But they already have a full plate of responsibilities. Are you going to divert them to manage the response to an incident? Outside experts in breach response management can take on that extra work, and streamline the response with their expertise.
3. Apply lessons learned
The true benefit of a stress test is the analysis following the experience. The whole point is to make improvements to your plan—actually responding to what went wrong and reinforcing what went right.
Your breach response plan should include a commitment that, at the end of the exercise plus a few days for reflection, you assemble your incident response team to discuss how it went. Someone has to be responsible for that component of the process; otherwise it will all fall through the cracks.
One final thought: Many organizations have some kind of tracking application for internal process improvement, perhaps tied to an annual audit or internal audit. The findings from those audits are tagged, tracked and integrated into a workflow. Apply the same tools to designate the participants who will implement the incident response team's recommendations within a set period of time.
As mentioned in the introduction, the benefits of organizing and testing your incident response plan could far outweigh the costs. Multiply this potential ROI by the growing chances of a data breach, and you have a strong argument for allocating some budget for an annual stress test, at least. Finally, factor in the peace of mind your C-suite and incident response team will gain when they feel confident in their response plan, and we believe you’ll arrive at a compelling argument to place stress tests near the top of your to-do list.
Eric Hodge is Director of Consulting. Rich Blumberg, Director of Data Breach Response at CyberScout, also contributed to this article.