As cyber threats continue to grow and evolve, it is inevitable that businesses will experience an information security incident at some point. To deal with this growing threat, it is vital that organisations adopt practices that allow them to rapidly identify, respond to, and mitigate these incidents. An effective incident management process helps educate and inform employees, improves organisational resilience, supports business continuity, strengthens customer and stakeholder confidence, and reduces the potential financial impact of a major incident.
What is the risk?
Security incidents are inevitable, and they will vary in their business impact. All incidents need to be managed effectively, particularly those that invoke the organisation's disaster recovery and business continuity plans. Some incidents are also indicative of more severe underlying problems, so the response should not stop at containment.
If businesses fail to implement an incident management capability that can detect, manage and analyse security incidents, the following risks could be realised:
A major disruption of business operations
Failure to realise that an incident has occurred, or to manage it effectively once detected, can compound its impact, leading to a long-term outage, serious financial loss and erosion of customer confidence.
Continual business disruption
An organisation that fails to address the root cause of incidents, by fixing the weaknesses in its security architecture that allowed them, will be exposed to repeated and damaging business disruption.
Failure to comply with legal and regulatory reporting requirements
An incident involving the compromise of sensitive information that is subject to mandatory reporting requirements, where those requirements are not met, can lead to legal or regulatory penalties.
The organisation's business profile determines the type and nature of the incidents that may occur and the impact they will have. A risk-based approach that considers all business processes should be used to shape the incident management plans.
In addition, the quality and effectiveness of the organisation's security policies and standards are contributing factors in preventing incidents in the first place.
Incident Type Examples
Emailing information to a non-secure address (via an insecure route, e.g. home PCs).
Sending inappropriate content in contravention of local policy.
Emailing information assets to unauthorised recipients.
ID Cards, Keys & Warrants
Lost – Missing – Stolen – Not Returned – Includes access control tokens.
Distinguish items that can be disabled (e.g. access tokens that can be revoked centrally) from those where there is a continuing risk (e.g. physical keys and warrants that cannot be cancelled).
Wide ranging, but consider: failed locks, doors wedged open, windows left open, alarms not set, door combinations unofficially shared with unauthorised personnel.
Failure to comply with procedures through lack of awareness.
Deliberate attempts to circumvent security measures.
Misconduct cases – Data Protection Act breaches (information made available to people who are not authorised to have it).
Sensitive information on paper not securely disposed of.
Use of an ICT system other than for its intended authorised purpose to satisfy private curiosity, rather than for a genuine investigation.
Routine, successful identification and quarantine of malware at or near a system boundary is not counted as an incident; it is the boundary controls working as intended. Unusual or unexplained activity at a system boundary (e.g. a potential denial of service attack, or malware that is detected but not successfully contained) should be reported.
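The distinction drawn above (routine quarantine is noise, unexplained boundary activity is reportable) is the kind of rule a triage script applies before anything reaches a human. The following Python is an added example, not code from the original page or from the MetaIncident product: it parses a constructed boundary log (the "timestamp kind src=... key=value ..." layout, the event kinds AV/FW and the threshold values are all assumptions made for the example), counts successful quarantines without reporting them, reports a failed quarantine as a malware incident, and flags a source whose denied connections exceed a threshold within a sliding window as a potential denial of service.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumed log layout for this example: "<iso-timestamp> <KIND> src=<ip> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) src=(?P<src>\S+) (?P<rest>.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str          # assumed kinds: "AV" (anti-malware) or "FW" (firewall)
    src: str
    fields: dict = field(default_factory=dict)


def build_sample_log():
    """Constructed sample lines, not output from any real product."""
    lines = [
        "2024-03-01T09:00:01 AV src=10.0.0.5 action=quarantined file=invoice.doc.exe",
        "2024-03-01T09:00:02 AV src=10.0.0.7 action=quarantined file=setup.scr",
        "2024-03-01T09:00:03 AV src=10.0.0.9 action=quarantine_failed file=dropper.bin",
        "2024-03-01T09:01:00 FW src=203.0.113.8 action=deny dst=198.51.100.2:443",
    ]
    # A burst of 80 denied connections from one source inside four seconds.
    for i in range(80):
        lines.append(
            f"2024-03-01T09:02:{i // 20:02d} FW src=198.51.100.77 action=deny dst=198.51.100.2:80"
        )
    return lines


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return Event(datetime.fromisoformat(m["ts"]), m["kind"], m["src"], fields)


def triage(lines, window_seconds=10, deny_threshold=50):
    """Return reportable incidents plus a count of routine quarantines that were not reported."""
    incidents = []
    routine_quarantines = 0
    denies = defaultdict(list)  # source -> timestamps of denied connections

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "AV":
            if ev.fields.get("action") == "quarantined":
                routine_quarantines += 1  # counted for metrics, not raised as an incident
            else:
                incidents.append({
                    "type": "malware",
                    "src": ev.src,
                    "detail": f"{ev.fields.get('action')} for {ev.fields.get('file')}",
                })
        elif ev.kind == "FW" and ev.fields.get("action") == "deny":
            denies[ev.src].append(ev.ts)

    # Sliding window per source: report once if any window holds >= deny_threshold denies.
    for src, stamps in denies.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= deny_threshold:
                incidents.append({
                    "type": "boundary_anomaly",
                    "src": src,
                    "detail": f"{end - start + 1} denied connections within {window_seconds}s (possible DoS)",
                })
                break

    return {"incidents": incidents, "routine_quarantines": routine_quarantines}


if __name__ == "__main__":
    result = triage(build_sample_log())
    print(f"routine quarantines (not reported): {result['routine_quarantines']}")
    for inc in result["incidents"]:
        print(f"REPORT {inc['type']:17} src={inc['src']:15} {inc['detail']}")
```

On the constructed log the two successful quarantines are only counted, the failed quarantine from 10.0.0.9 is reported, the single denied connection from 203.0.113.8 is ignored, and 198.51.100.77 is reported once for its burst. The window and threshold are placeholders; real values depend on the boundary device and normal traffic levels.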
Unauthorised access to systems or data
Access rights incorrectly granted – Clear desk policy breaches.
Unattended equipment left logged on.
Breach of policy – excessive personal use – disclosures on unsecured internet sites.
Unauthorised Person(s) on Premises
Failure in Technical access controls.
Failure in physical access procedures.
Password or account sharing.
Loss / Theft of Technology Assets
Laptop, PDA, Blackberry, Mobile Phone, USB Memory Sticks, Portable peripherals, Other Assets.
Lost, including non-delivery by Royal Mail, courier or internal post.
Documents found insecure on desks, in cars, on public transport, etc.
Data, including backups, not stored in accordance with its protective marking.
Vetting / Personnel
New employee, contractor or volunteer, allowed access to premises or data without clearance.
Use of private USB memory sticks to transfer data.
Unauthorised download / upload of data via USB ports or other media, e.g. CDs.
Masquerading as someone entitled to access to information or premises.
Use of equipment that has not been approved by the ICT department – generally items brought from home.
Commercial software installed without authority / licence.
MetaIncident has been designed to give staff an easily accessible and simple way of reporting possible security incidents. It also provides the audit trail required by regulators and governance committees. Further information on how this could benefit your business is available on request.