When an organisation’s systems are compromised, you often hear the term ‘cyber security incident’ – rather than ‘breach’ or ‘hack’.
But what’s the difference between the two terms?
At first the word ‘incident’ can sound relatively harmless. But how often do you hear it used to describe something positive? Almost never.
‘Incident’ is a troublesome word, almost always used as a euphemism for something disastrous or embarrassing.
The same applies for the term ‘cyber security incident’.
What does ‘cyber security incident’ mean?
‘Cyber security incident’ is a useful catch-all for the threats all organisations need to prepare for.
Unlike a breach, a cyber security incident doesn’t necessarily mean information is compromised; it only means that information is threatened.
For example, an organisation that successfully repels a cyber attack has experienced an incident, but not a breach.
Unfortunately, many organisations exploit the term’s ambiguity in public statements to avoid saying “we were breached”, or, “we don’t know what happened”.
This is obviously misleading, and you’re unlikely to fool the public or regulators with such doublespeak.
Data breaches are discussed in mainstream media outlets, and notifications are scrutinised on social media.
If you aren’t clear about exactly what you mean by ‘cyber security incident’, it’s likely that people will suspect the worst.
Cyber incident response management
The only viable way to make sure breach notifications are transparent is to have a CIRM (cyber incident response management) system.
This will help you identify and address threats promptly, ensuring that you know when and how a breach took place and what needs to be done to reduce the damage.
The stigma associated with the word ‘breach’ or ‘compromise’ is lessening as the public and regulators become accustomed to incidents.
They have come to accept that incidents are an inevitability, and unless there were egregious security failings, they only judge organisations on their ability to prepare for and respond when it happens.
Benefits of cyber incident response management
Incident response plans don’t only help organisations respond to cyber security incidents; they also prevent similar mistakes from happening again.
Organisations will have access to a wealth of information about how the incident occurred and what they did to address the issue, which can be used to shore up their defences and streamline their response measures.
CIRM also helps organisations comply with the EU GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems Regulations 2018).
Both require organisations to disclose high-risk breaches to their relevant supervisory authority within 72 hours of discovery.
The notification should include as much detail as possible about the nature and scope of the breach, as well as the steps the organisation has taken, or plans to take, to respond to the incident.
Additionally, Article 32 of the GDPR states that organisations must take “necessary technical and organisational measures” to ensure a high level of information security.
This includes the need to implement an effective incident response plan to contain any damage in the event of a data breach and to prevent future incidents from occurring.
Meanwhile, the NIS Regulations require organisations to produce:
- Detection processes and procedures, which should be regularly monitored to ensure that they are up to date and effective;
- Processes and policies for reporting vulnerabilities and security incidents;
- Procedures for documenting the response to cyber security incidents; and
- Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.
Incident response management with IT Governance
Our Incident Response Management Foundation Training Course will provide an introduction to developing an incident response programme according to the requirements of the GDPR and NIS Directive.
Find out how to effectively manage and respond to a disruptive incident and take appropriate steps to limit the damage to your business, reputation and brand.
A version of this blog was originally published on 23 November 2018.