- The report suggests simply having an Incident Response (IR) plan in place is not sufficient for organizations.
- The report accumulates data and analysis from IR plan assessments and data breach simulations conducted from 2016 to 2018.
With businesses now more aware of how cybercrime impacts their bottom line, Verizon's Incident Preparedness and Response Report 2019 provides organizations with insights into building an effective breach response capability and a more robust IR Plan.
About the report
The “Taming the Data Breach” edition accumulates data and analysis from three years (2016-2018) of Incident Response Plan (IRP) assessments and data breach simulations conducted by Verizon.
- Among all assessed IR Plans and simulated breaches (2016–2018), the top customer industries were Finance and Insurance (33%), Retail Trade (17%), and Manufacturing (15%).
- For assessments and simulations (2016–2018), the top customer departments requesting these services were Information Security (62%), Risk Management and Compliance (14%), Incident Response and Investigations (10%), and Information Technology (8%).
Bryan Sartin, Executive Director, Verizon Global Security Services says, “Companies think that having an IR Plan on file means they are prepared for a cyber-attack. But often these plans haven’t been touched, updated or practiced in years and are not cyber-incident-ready.”
Major Takeaways for Six Phases of IR
The report identifies six typical phases that every IR Plan should have. The following are the recommendations for each phase.
Planning and Preparation
- Construct a logical, efficient IR Plan
- Create IR playbooks for specific incidents
- Periodically review, test and update the IR Plan
- Cite external and internal cybersecurity and incident response governance and standards
- Define internal IR stakeholder roles and responsibilities
- Require internal IR stakeholders to periodically discuss the cybersecurity threat landscape
- Train and maintain skilled tactical responders
- Periodically review third-party cybersecurity services and contact procedures
Detection and Validation
- Define cybersecurity events (along with incidents)
- Classify incidents by type and severity level
- Describe technical and non-technical incident detection sources
- Specify incident and event tracking mechanisms
- Specify escalation and notification procedures
Containment and Eradication
- Provide containment and eradication measures
Collection and Analysis
- Specify evidence collection and data analysis tools and procedures
- Specify evidence handling and submission procedures
Remediation and Recovery
- Provide remediation and recovery measures. (Recovery should not only restore systems and operations but also prevent, or mitigate, future incidents.)
Assessment and Adjustment
- Conduct post-incident lessons-learned activities (feed results back into the IR Plan)
- Establish data and document retention policy
- Track incident and incident response metrics
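The Detection and Validation and Assessment and Adjustment phases above call for classifying incidents by type and severity, specifying escalation and notification procedures, and tracking incident response metrics. The following is an added example of how a small incident register can put those three recommendations into practice; it is not code from the Verizon report, and the severity rules, escalation roster, notification SLAs and incident records are all constructed for illustration, not taken from the report.

```python
"""Added example (not from the Verizon report): a minimal incident register that
classifies incidents by severity, routes escalation and notification by severity,
and computes response metrics. All thresholds, roles and records are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Assumed escalation roster per severity level; a real IR Plan defines its own.
ESCALATION = {
    "low": ["soc-analyst"],
    "medium": ["soc-analyst", "ir-lead"],
    "high": ["soc-analyst", "ir-lead", "ciso"],
    "critical": ["soc-analyst", "ir-lead", "ciso", "legal", "executive-team"],
}
# Assumed notification deadline (hours after detection) per severity level.
NOTIFY_SLA_HOURS = {"low": 72, "medium": 24, "high": 4, "critical": 1}


@dataclass
class Incident:
    incident_id: str
    category: str                      # e.g. "phishing", "malware", "data-exposure"
    affected_systems: int
    data_exposed: bool
    occurred_at: datetime              # best estimate of when the incident began
    detected_at: datetime
    contained_at: Optional[datetime] = None
    recovered_at: Optional[datetime] = None
    severity: str = field(init=False)  # derived, never set by hand

    def __post_init__(self) -> None:
        self.severity = classify_severity(self)


def classify_severity(inc: Incident) -> str:
    """Illustrative rule set: scope (systems hit) and data exposure drive severity."""
    if inc.data_exposed and inc.affected_systems >= 10:
        return "critical"
    if inc.data_exposed or inc.affected_systems >= 10:
        return "high"
    if inc.affected_systems >= 3:
        return "medium"
    return "low"


def escalation_targets(inc: Incident) -> List[str]:
    """Roles that must be notified for this incident's severity level."""
    return list(ESCALATION[inc.severity])


def notification_deadline(inc: Incident) -> datetime:
    """Latest time by which the escalation targets must have been notified."""
    return inc.detected_at + timedelta(hours=NOTIFY_SLA_HOURS[inc.severity])


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def response_metrics(incidents: List[Incident]) -> Dict[str, object]:
    """Mean time to detect / contain / recover (hours), counts by severity, open count.
    Time to detect is measured from occurrence; contain and recover from detection."""
    ttd = [_hours(i.detected_at - i.occurred_at) for i in incidents]
    ttc = [_hours(i.contained_at - i.detected_at) for i in incidents if i.contained_at]
    ttr = [_hours(i.recovered_at - i.detected_at) for i in incidents if i.recovered_at]
    by_severity: Dict[str, int] = {}
    for i in incidents:
        by_severity[i.severity] = by_severity.get(i.severity, 0) + 1
    return {
        "mttd_hours": mean(ttd) if ttd else None,
        "mttc_hours": mean(ttc) if ttc else None,
        "mttr_hours": mean(ttr) if ttr else None,
        "by_severity": by_severity,
        "open": sum(1 for i in incidents if i.recovered_at is None),
    }


# Constructed sample records (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "phishing", 1, False,
             datetime(2019, 3, 1, 9, 0), datetime(2019, 3, 1, 10, 30),
             datetime(2019, 3, 1, 12, 0), datetime(2019, 3, 1, 15, 0)),
    Incident("INC-002", "malware", 12, False,
             datetime(2019, 3, 5, 2, 0), datetime(2019, 3, 5, 8, 0),
             datetime(2019, 3, 5, 20, 0), datetime(2019, 3, 7, 8, 0)),
    Incident("INC-003", "data-exposure", 15, True,
             datetime(2019, 3, 10, 0, 0), datetime(2019, 3, 12, 0, 0),
             datetime(2019, 3, 12, 6, 0), None),   # still open
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, inc.severity, escalation_targets(inc),
              "notify by", notification_deadline(inc))
    print(response_metrics(SAMPLE_INCIDENTS))
```

Deriving severity from recorded attributes rather than letting responders pick it by hand keeps classification consistent across shifts, and computing the metrics from the same records means the numbers fed back into the plan during the Assessment and Adjustment phase come straight from the incident timeline.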
According to John Grim of the Verizon Threat Research Advisory Center (VTRAC) and Investigative Response Team, an IR Plan can be kept current by incorporating stakeholder feedback, lessons from breach simulation testing, and insights into the latest cyber-tactics in use. This proactive approach helps businesses keep their plan up to date in an ever-changing cyber-security landscape.