Incident response plans need more teeth

Uncertainty over the effectiveness of their incident response plan in case of a security breach is giving senior business executives and their IT counterparts in Hong Kong sleepless nights.

“It is about whether you got hacked or compromised. Are you reacting appropriately according to the severity of the threats? That is really something that I worry about every day,” said Daniel Cheung, executive director of Daiwa Capital Markets, during the panel discussion at the recent Cisco Security Connect 2017 held in Hong Kong.

Matrix Chau, associate director, IT Advisory (Risk Consulting) at KPMG, echoed the same sentiment.

“What keeps us awake as gatekeepers is when you are anxious about something. You are not confident about the protective measures you have in place. And one of the reasons you are awake at night is that you probably lack a well-prepared incident response [plan],” he said.

Incident response plans (IRPs) give guidelines on how to handle potential scenarios, such as data breaches, denial of service attacks, malware outbreaks and insider threats.

Without an IRP, enterprises may fail to detect an attack in the first place, and even when a breach is detected they lack an agreed protocol for containing the threat and recovering from it.

A typical IRP involves several phases including preparation, identification, containment, eradication, recovery and lessons learned. It can help enterprises by outlining how to minimize the duration of and damage from a security incident, streamlining forensic analysis, hastening recovery time and reducing negative publicity.

Tommy Fung, head of Country Technology Management, Standard Chartered Bank (Hong Kong), stressed that company policies should bear cybersecurity in mind.

“Your internal company policy should have proper risk control measures that are cybersecurity related. Roles and responsibilities should be well-defined within the organization, so that people can react very fast in case of incidents,” Fung said.

He expressed the widespread frustration among security professionals about the unpredictable nature of cyberattacks.

“No matter the protection you have put in place, you can never be sure you are completely safe. For advanced security matters, they can come in different forms and come from different channels. You always have no control,” Fung said.

Lack of visibility across threat vectors

Many corporate IT executives have pointed out that the inability to completely control cybersecurity in the organization stems from the rapidly expanding threat footprint. Specifically, the use of technologies such as cloud and mobile apps is breaking down the enterprise’s traditional perimeters. Couple this with the variety of endpoints now connecting to the enterprise – such as IoT devices – and cybersecurity professionals have their hands full.

Simply put, the lack of visibility across threat vectors hampers companies from eliminating potential risks from their organization.

“You cannot protect what you cannot see,” said Lawrence Fong, general manager, information technology solutions, Cathay Pacific Airways.

In 2017, he sees the increasing popularity of mobile payments in Hong Kong as a major security threat.

“People are now using Apple Pay in supermarkets and in 7-Eleven convenience stores, as regulators relax the rules around peer-to-peer payment. As consumers are getting more used to mobile payment, hackers have the opportunity to take advantage of it,” Fong said.

He also noted that other IT trends, particularly the move towards next-generation data centers, have an impact on how enterprises approach cybersecurity.

“We are talking about software-defined networks, which means we are building a new layer above the appliance and hardware level. We are changing the architecture and design of the IT infrastructure, and so the old way of managing security may no longer work. Instead of the typical point-to-point solutions, security is now being centralized in this software layer,” Fong said.