Secure your business

Towards a whole of organisation incident response plan

Highlights
  • Keep incident response rehearsals “real” to engage stakeholders from the C-suite and non-technical departments.
  • Plans need to be kept current, including new workflows, responsibilities, technologies and vendors.
  • Red teaming is an effective way to identify and rectify weaknesses and omissions in your plan. 

Most Australian organisations have an incident response plan in place, but many security professionals face challenges engaging crucial stakeholders outside IT.

The Telstra Security Report 2018 found that 76 per cent of Australian organisations have an incident response plan in place. While this does leave room for improvement, it represents encouraging growth over the previous year.

They’re also testing their plan more often, with 80 per cent of Australian organisations surveyed saying that they test their plan at least quarterly.

However, Thomas King, Head of Cyber Security Products at Telstra, says that there’s significant variance in the quality of these plans and specifically, the likelihood that they’ll be followed during an actual crisis. 

“When I first saw the results, I was sceptical,” says King. “Three in four companies having a plan is great, I think the amendments to the privacy legislation have made companies feel like they need one. But from what I’ve seen in the market, I don’t think 76 per cent of companies have a plan that could be followed throughout a real incident.”

He attributes this to the difficulty many security stakeholders have securing the time and attention of time-poor executives, as well as the tendency for today’s businesses to change faster than their plan can be updated.

“Generally, the better the plan is, the more closely it will be followed. It's just natural for you to follow it because it's the easiest way to actually manage the incident. However, if a plan doesn't reflect the organisational culture and how the organisation operates in a crisis, of course, then it is far less likely to actually be used.”

Make it real

One of the most effective ways to engage people for whom security is not part of their core remit is to frame the plan’s importance in terms of protecting the things they do care about.

“The most effective rehearsal for your incident response plan is a real incident,” says King. “If you don't have a real incident to test, then generally a simulation is the next best bet. That simulation can be anything from a tabletop activity, where you get an example scenario and maybe third-party facilitation, to actually run through that scenario.”

He suggests starting with the potential threats to the “crown jewels”: a critical compromise of personal data such as healthcare records or financial transactions, or an interruption to key operations, which could be anything from a ransomware outbreak to the compromise of industrial machinery.

“If you can make that real, with real examples for executives, that will generally get their buy in because they will understand that you are talking about something near and dear to them and something that really is of direct relevance to the success of the business.”

Thomas King, Head of Cyber Security Products, Telstra Enterprise

“If you talk about it in esoteric terms, and make it too technical, then you'll lose them. If you can make it real with real insights and reflect real business practices and priorities, you will get executive buy in and you will get their attention.”

By contextualising an incident response rehearsal in core business priorities, or even combining it with a simulation of a general emergency, you can also identify “perfect storms”, where external circumstances could complicate your security response, and devise ways to overcome them.

While this can be orchestrated by personnel within the company, it can be better to bring in external specialists, who can serve as a more effective “red team” by exposing flaws in the plan created by assumptions shared within your organisation.

Include the supply chain

In 2018, it’s not enough for your incident response plan to incorporate just your organisation – the proliferation of mission-critical data, such as HR or financial records, into cloud services increasingly means that vendors need to be included too.

“You do need to understand how those services are provided or how you will work with those service providers should you have an incident. How will you get information from them if they have a breach?”

King says this is particularly important in light of the short customer notification deadline that recent security legislation gives businesses.

“I think GDPR is the gold standard in this space with its three day reporting. Three days essentially means if you're a business that works 9 to 5, and an incident happens on a Friday night, you're going to have to be literally reporting within a few hours of you finding out about it on Monday,” he says.

“Across the industry, the time it takes from when the incident is first detected until we can talk to our customers needs to be shortened.”

Regularly testing the lines of communication your organisation would use in case of a crisis is a good first step, he says, to ensuring they remain clear and responsive in case of a real data breach.
