Why Security Incident Management Matters

Hands typing on a laptop representing why security incident management matters.

Resolving a security breach in less than 200 days lowers the cost by roughly 37%.

All cybersecurity experts agree that cyber attacks are inevitable, and even the best technological solutions will not block all malicious attempts. Since hackers have no intention of stopping, everyone is basically always at risk of an attack. However, through security incident management and implementing your organization’s incident response plan, an attack doesn’t have to result in financial loss.

Incident reporting is key to mitigating the potential financial damage these criminals can inflict. If employees can identify hackers’ efforts as quickly as possible, and your team has a solid incident response plan to block them, the impact from the incident can be minimized.

Industry experience supports this fact. For example, in the first quarter of 2020, one company reported the following:

  • Multiple unauthorized scans every hour for backdoors into its network
  • 22 million spam and phishing emails blocked per month
  • A five-fold increase in phishing messages due to the coronavirus pandemic
  • Emails found impersonating the company CEO

In each instance, the company’s security team was notified and resolved the issue through security incident management with limited impact to the work environment – in many cases, because users recognized a potential problem and reported it. 

Without reporting, corrective action is delayed, and damage can increase. Also, reporting helps to assure legal protection. If the causes of security incidents are not addressed, your organization could be liable in the event of a breach.

What is a security incident?

A security incident is an event that puts sensitive data at risk of exposure and leads to a violation of an organization’s security policies. A “security incident” is a broad term that includes many different kinds of events, including:

  • attempts (successful or failed) to gain unauthorized access to a system or data
  • unwanted interference or disruption of service
  • unauthorized use of a system
  • changes to a system/software without the owner’s knowledge or consent
  • compromised user accounts
  • device theft any of these incidents involving a third-party provider

Cost of a breach

According to the Ponemon Institute, in the U.S., the average cost of a breach in 2020 was $8.64 million.

The hacker’s share is only a tiny portion of the overall cost of a breach; the business costs for addressing any breach are high. Breaches require forensic analysis to identify the leak, programming costs associated with containing it, a process to notify victims, the post-breach response (help desk, credit monitoring, legal expenses, replacing cards, etc.), and fines from the increasing privacy legislation worldwide.

The same report from Ponemon Institute also found that time is money. Identifying and resolving a breach in 200 days or less significantly lowers the cost – by roughly $3 million, meaning identifying the problem faster has a considerable impact. This critical initial step in your security incident management is one place where every member of your organization can make a difference!

What is a data breach?

A data breach is a type of security incident. Unlike a breach, a security incident doesn’t necessarily mean the information is compromised; it only means that information is threatened. There is a relatively low chance that a security incident will result in data loss and, therefore, qualify as a data breach. Despite these low odds, you should treat every security incident as a potential breach. Various regulations require that companies approach security incidents in this way. A security incident can involve any class of data, including sensitive personal information or intellectual property.

Why employees do not report

People fail to file incident reports for a plethora of reasons. They may feel the incident was minute and did not warrant a report, or they may not even recognize it as an incident at all. If someone caused the incident, they might fear embarrassment or punishment. If the incident involves a coworker, no one wants to be seen as a snitch or risk being socially ostracized or subject to harassment.

To strengthen your security incident management, find ways to encourage your employees to own their place in your company’s incident response plan. Offering protection policies, user-friendly reporting methods and security awareness training are some of the many ways you can improve your Human Firewall through engagement and participation.

Reportable cybersecurity incidents

When your computer, mobile device or account is compromised, cyber attackers often take steps to obscure their actions. For example, your computer can be reprogrammed by hackers to lie to you, to tell you everything is okay when this is not the case in actuality. However, cyber attackers sometimes leave clues, often called indicators, that they are trying to gain access or you have been hacked.

If you notice any of the following issues happening sometimes or frequently, please report the incident:

Email Issues

  • You receive a suspicious message that you think is phishing (by email), vishing (by phone/voice) or smishing (by text or chat)
  • Friends ask you why you’re spamming them with emails or messages that you know you never sent

System Issues

  • Your system appears to be less responsive than expected
    • The computer stops responding (freezes) more frequently or keeps crashing
    • The computer takes longer to start up
    • A program/application will not start or crash frequently
  • You’re getting unusual alerts
    • An anti-virus software alerts you that your computer is infected
    • A program requests authorization to make changes to your system, especially if you’re not installing or updating any applications at the moment
    • You receive notifications from your firewall that a program you do not recognize is requesting permission to access the Internet
  • New icons are added to your desktop, and you didn’t install any software
  • There are new accounts on your computer or device that you did not create or new programs running that you did not install
  • When you attempt to log in to your system or an online account, your password no longer works even though you know your password is correct
  • You believe you may have accidentally installed suspicious software

Network Connection Issues

  • Your computer is exceptionally slow, unable to connect to network services or simply non-functional.
  • These symptoms may indicate a “denial-of-service” attack (an attack aimed at blocking the use of a resource). However, from time to time, your network is down or exceptionally slow
  • If you can’t connect, try rebooting your computer or asking if colleagues have the same problem. If you can’t find another explanation, then the problem could be a breach attempt and should be reported

Internet or Browser Issues

  • Unusual browser activity, including:

    • The browser closes unexpectedly or stops responding
    • The browser home page has abruptly changed or is taking you to sites you did not want
    • Additional toolbars are added to the browser
    • New web pages are automatically added to the list of favorites
    • You are unable to reset browser settings or preferences
    • Performing a search from a search page yields results on unrelated or unwanted sites or displays website ads
    • Clicking a link goes to an unrelated website or does nothing
    • Pop-up advertising windows appear when the browser is not open or over web pages that do not usually have pop-ups
    • When you start your computer or your computer has been idle for many minutes, your browser opens to display web site advertisements

Mobile Device Issues

  • Your mobile device is causing unauthorized charges to premium SMS numbers
  • Your mobile device suddenly has unexplained, very high data or battery usage

Device Loss

  • Sensitive documents or equipment (laptop, smartphone, printer) that turn up missing from the proper place in the office, your car, home, printer, etc.
  • Theft of any work-issued device

Managing a security compromise

If you believe your computer or device has been hacked, the sooner you report it, the better. Do not try to fix the problem. You could accidentally cause more harm, and you could also destroy valuable evidence that may be useful for an investigation. Instead, report the incident right away by contacting your organization’s help desk or information security team and allowing them to engage in their incident response plan. If help is not immediately available, disconnect your computer or device from the network and then put it in sleep, suspend or airplane mode until you can reach IT.

For more information regarding preventative security, security incident management, or employee training, contact a Global Learning Systems representative today.

GLS Logo

Enjoying our cybersecurity blogs?

Try out our weekly security awareness tips, sent directly
to your inbox.
GLS Logo

Your download is complete!

Need more training?

Verified by MonsterInsights