What is a cyber security incident?

When an organisation’s systems are compromised, you often hear the term ‘cyber security incident’ – rather than ‘breach’ or ‘hack’.

But what’s the difference between the two terms?

At first, the word ‘incident’ can sound relatively harmless. But how often do you hear it used to describe something positive? Almost never.

‘Incident’ is a troublesome word, almost always used as a euphemism for something disastrous or embarrassing.

The same applies to the term ‘cyber security incident’.


Cyber incident definition

‘Cyber security incident’ is a useful catch-all for the threats all organisations need to prepare for.

Unlike a breach, a cyber security incident doesn’t necessarily mean information is compromised; it only means that information is threatened.

For example, an organisation that successfully repels a cyber attack has experienced an incident, but not a breach.

Unfortunately, many organisations exploit the term’s ambiguity in public statements to avoid saying “we were breached”, or, “we don’t know what happened”.

This is obviously misleading, and you’re unlikely to fool the public or regulators with such doublespeak.

Data breaches are discussed in mainstream media outlets, and notifications are scrutinised on social media.

If you aren’t clear about exactly what you mean by ‘cyber security incident’, it’s likely that people will suspect the worst.


Cyber incident examples

  • Phishing attack

Phishing scams are designed to trick people into handing over sensitive information or downloading malware.

Crooks do this by sending supposedly official correspondence that imitates a legitimate organisation. This is typically an email, but phishing can also take place on social media, by text message or over the phone.

  • Ransomware

Ransomware is a type of malware that spreads through a computer or network, and is designed to encrypt files.

The attackers then demand payment for a decryption key that will unlock the information. Ransom demands can vary greatly, depending on the size of the organisation – but experts urge organisations not to pay up, however tempting it might seem.

This is because the money helps to fuel the cyber crime industry and could make you a soft target for future attacks. Moreover, there is no guarantee that the criminals will keep to their word once they’ve received payment.

  • DDoS (distributed denial of service attack)

DDoS attacks attempt to disrupt an organisation by flooding its network with requests, which slows down its systems or causes them to crash.

These attacks are conducted for a variety of reasons. They are often simply intended as a nuisance to annoy customers and give employees extra work. However, they can also be a distraction for more sophisticated attacks.

  • System misconfiguration

Unlike the other examples, system misconfigurations don’t involve criminal hacking.

Rather, they occur when employees mishandle sensitive data and make it publicly accessible.

This often happens when someone fails to password-protect a database that’s stored in the Cloud.

  • SQL injection

Attackers can access an organisation’s sensitive information when they target a server that uses SQL (Structured Query Language).

They can do this by looking for security vulnerabilities in an application’s software, which would enable them to insert malicious SQL code and view or modify the organisation’s data.
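
To make the SQL injection entry concrete, here is an added example (not part of the original article) that shows a query built by string concatenation beside its parameterised form. The table, sample rows and function names are hypothetical, and it runs against a throwaway in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db

def lookup_vulnerable(db, name):
    # Vulnerable: the input is pasted into the SQL text, so quote
    # characters in it are parsed as part of the statement.
    query = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterised(db, name):
    # Hardened: the ? placeholder sends the input as a bound value,
    # so it is only ever compared against the name column.
    query = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]

def compare(name):
    """Return (vulnerable result, parameterised result) for one input."""
    db = make_db()
    try:
        return lookup_vulnerable(db, name), lookup_parameterised(db, name)
    finally:
        db.close()

if __name__ == "__main__":
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    for value in ("alice", crafted):
        print(repr(value), compare(value))
```

With an ordinary name both functions return the same row. With the crafted input, the concatenated query returns every customer's email, while the parameterised query returns nothing because no customer has that literal name.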


Cyber incident response management

The only viable way to make sure breach notifications are transparent is to have a CIRM (cyber incident response management) system.

A CIRM will help you identify and address threats promptly. This ensures that you know when and how a breach took place, and what needs to be done to reduce the damage.

The stigma associated with the word ‘breach’ or ‘compromise’ is lessening as the public and regulators become accustomed to incidents.

They have come to accept that incidents are an inevitability. Unless there were egregious security failings, they only judge organisations on their ability to prepare for incidents and respond when they happen.


If you find yourself facing a cyber security disaster, IT Governance is here to help. Our Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.

They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.


Benefits of cyber incident response management

Incident response plans don’t only help organisations respond to cyber security incidents; they also prevent similar mistakes from happening again.

Organisations will have access to a wealth of information about how the incident occurred and what they did to address the issue. This can be used to shore up their defences and streamline their response measures.

CIRM also helps organisations comply with the GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems Regulations 2018).

Both require organisations to disclose high-risk breaches to their relevant supervisory authority within 72 hours of discovery.

The notification should include as much detail as possible about the nature and scope of the breach. It should also detail the steps the organisation has taken (or plans to take) to respond to the incident.

Additionally, Article 32 of the GDPR states that organisations must take “necessary technical and organisational measures” to ensure a high level of information security.

This includes the need to implement an effective incident response plan to contain any damage in the event of a data breach and to prevent future incidents from occurring.

Meanwhile, the NIS Regulations require organisations to produce:

  • Detection processes and procedures, which should be regularly monitored to ensure that they are up to date and effective;
  • Processes and policies for reporting vulnerabilities and security incidents;
  • Procedures for documenting the response to cyber security incidents; and
  • Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.

Incident response management with IT Governance

Our Incident Response Management Foundation Training Course provides an introduction to developing an incident response programme in line with the requirements of the GDPR and NIS Directive.

Find out how to effectively manage and respond to a disruptive incident and take appropriate steps to limit the damage to your business, reputation and brand.

A version of this blog was originally published on 23 November 2018.
