Incident Response

All in the drill

Why do so many organizations get caught out by unexpected security incidents? According to Greg Bell, it comes down to poor planning and communication.

Most of us are familiar with fire drills. We gather outside the building, get our names ticked off and return to work, knowing that all will be calm and straightforward should a real blaze occur. Yet, all too often, such ordered routine is nowhere to be seen when an organization's data is attacked or compromised. There are a number of common flaws:

"I didn't know that there had been an incident"

Employees are often unsure about what constitutes a "security incident", so they may not bother to report it. Even if they are concerned, they may assume it is someone else's responsibility.

"Who am I supposed to report to?"

With no clear guidelines, an incident may well be reported to one of many help desks, to a line manager, or even to a security guard. Confused reporting lines can mean an incident is never resolved at all.

"I doubt anyone would do anything about it anyway"

Employees are often discouraged when they are not kept in the loop about the progress of an incident they have reported. If someone does report something and receives no feedback or updates, they may conclude that the incident wasn't important in the first place, and not bother next time.

"But I told the person at the help desk"

Larger organizations, in particular, have a multitude of help desks, and they often operate autonomously. If you report an incident to the wrong desk, it may well be logged but not handled correctly. Even if it is sorted out, gaps in management reporting mean the organization has no idea how many incidents are taking place, and therefore no overall picture of where its weaknesses lie.

"It took us by surprise"

Without a formal structure and process for managing incidents, people often panic and make poor decisions. They may shut down systems unnecessarily, destroy evidence that would be needed for legal or forensic purposes, or fail to preserve and back up data.

"Who's in charge?"

In the absence of a senior, centralized security team, a potentially dangerous incident may not receive high priority. That makes it tough to mobilize appropriate support from public relations, HR, IT, Legal and other specialists. With no one taking overall responsibility, you could end up with an uncoordinated, piecemeal response. An effective incident management program, on the other hand, is run by senior individuals with the clout to obtain the necessary resources. They will be experienced enough to judge whether an incident is serious and to respond accordingly.

What makes an effective program?

Everyone in the organization understands the importance of security, and incident reporting is quick and simple. Rules and procedures for incident management, from reporting through to resolution, are clearly communicated to all relevant stakeholders. And the response team has carried out practice runs, so they know what to expect should the worst happen.

Hopefully, you'll never face a major incident. But if you do, it's better to be repeating a well-rehearsed drill than fighting an out-of-control inferno.

By Greg Bell, KPMG in the U.S. (rgregbell@kpmg.com)