You often hear the term ‘cyber security incident’ when an organisation’s systems are compromised rather than ‘breach’ or ‘hack’. What is the difference between those terms?
The word ‘incident’ sounds relatively harmless, but have you ever heard someone say, “there was an incident” when referring to something good?
‘Incident’ is a troublesome word, and one almost always used as a euphemism for something so disastrous or embarrassing that you need to be braced for what’s coming.
This is also the case for the term ‘cyber security incident’. It refers to any occurrence that threatens the confidentiality, integrity or availability of information. This might be the result of a cyber attack, perimeter breach or an insider threat (including policy violations).
When is the term used?
‘Cyber security incident’ is a useful catch-all for discussing the threats that organisations need to prepare for. It’s also helpful for clarifying the damage these scenarios can cause. Unlike a breach, a cyber security incident doesn’t necessarily mean information is compromised; it only means that information is threatened. So, for example, an organisation that successfully repels a cyber attack has experienced an incident, but not a breach.
Unfortunately, many organisations exploit the term’s ambiguity in public statements to avoid saying “we were breached” or “we don’t know what happened”.
This is obviously misleading, and you’re unlikely to fool the public or regulators with such doublespeak. Data breaches are discussed in mainstream media outlets, and notifications are scrutinised on social media. If you aren’t clear about exactly what you mean by ‘cyber security incident’, you will receive complaints and people will suspect the worst.
Cyber incident response management
The only viable way to make sure breach notifications are transparent is to have a CIRM (cyber incident response management) system. This will help you identify and address threats promptly, ensuring that you know when and how a breach took place and what needs to be done to reduce the damage.
The stigma associated with the words ‘breach’ or ‘compromise’ is lessening as the public and regulators become accustomed to incidents. They have come to accept that incidents are inevitable, and unless there were egregious security failings, they judge organisations only on how well they prepared for an incident and how they responded when it happened.
Other benefits of CIRM
Incident response plans don’t only help organisations respond to cyber security incidents; they also prevent similar mistakes from happening again. Organisations will have access to a wealth of information about how the incident occurred and what they did to address the issue, which can be used to shore up their defences and streamline their response measures.
CIRM also helps organisations comply with the EU GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems Regulations 2018).
Both require organisations to disclose high-risk breaches to their relevant supervisory authority within 72 hours of discovery. The notification should include as much detail as possible about the nature and scope of the breach, as well as the steps the organisation has taken, or plans to take, to respond to the incident.
Additionally, Article 32 of the GDPR states that organisations must take “necessary technical and organisational measures” to ensure a high level of information security. This includes the need to implement an effective incident response plan to contain any damage in the event of a data breach and to prevent future incidents from occurring.
Meanwhile, the NIS Regulations require organisations to produce:
- Detection processes and procedures, which should be regularly monitored to ensure that they are up to date and effective;
- Processes and policies for reporting vulnerabilities and security incidents;
- Procedures for documenting the response to cyber security incidents; and
- Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.
CIRM with IT Governance
Our Incident Response Management Foundation Training Course will provide an introduction to developing an incident response programme according to the requirements of the GDPR and NIS Directive.
Find out how to effectively manage and respond to a disruptive incident and take appropriate steps to limit the damage to your business, reputation and brand.