In a recent post, we discussed the challenges associated with attesting to Payment Card Industry Data Security Standard (PCI DSS) compliance, including frequent oversights we encounter while conducting security due diligence reviews and gap analyses for our clients. See “Common Misconceptions around the Payment Card Industry Data Security Standard (PCI DSS)” from our recent series of blogs on PCI DSS-related topics for more information. This post addresses the importance of cybersecurity incident response planning for both overall security and PCI DSS compliance purposes, and provides an overview of the key components of a strong and effective cybersecurity incident response plan.
As the world becomes ever more interconnected through technology, companies face a growing volume of cyberattacks from a widening range of attack vectors and sources. There is a high likelihood that every company will be compromised at least once during its lifetime. Accordingly, it is crucial that companies maintain a comprehensive cybersecurity incident response plan that is well-tested and practiced, so that they can respond to intrusions effectively, quickly, and in a manner that limits adverse impacts.
Why do we need incident response if we already have preventative measures?
Given significant data breaches at leading companies and institutions (likely with well-funded cybersecurity budgets!), it is clear that preventative measures alone are not enough. While prevention is incredibly important, it is impossible to keep up with the ever-evolving threat landscape. This is evident in the alarming number of zero-day vulnerabilities being found in business-critical and popular consumer applications. Intruders are getting better at disguising their activity within internal networks, often working under the cover of a trusted user account performing regular business tasks, which makes them hard to distinguish from legitimate traffic. When companies manage complex technical environments, execute countless customer transactions, and meet the needs of multiple workforces, preventing malicious cyber activity becomes increasingly difficult. Additionally, no amount of prevention can completely account for the human component and social engineering. Accidental and malicious actions of employees can subvert most preventative security controls.
Once preventative measures have failed, a strong cybersecurity incident response plan can be the difference between a minor incident and an incredibly damaging breach. A well-tested and well-practiced response plan with clear priority and impact classifications, reporting channels, response procedures, communication trees, escalation points, and integrations with stakeholder groups across the organization streamlines response efforts, minimizing adverse impacts by rapidly detecting, containing, and isolating the incident. If an incident occurs without a response plan in place, it can lead to a chaotic free-for-all that leaves the attacker unobstructed to do as they please throughout a company’s network for an extended period of time; every hour of uncontained access is more data exposed, more systems compromised, and more evidence lost. A well-planned response can save a company significant expense and protect its reputation.
Is an incident response plan required by the PCI DSS?
Yes. Companies that must meet PCI DSS requirements because they store, process, or transmit payment card data need a robust cybersecurity incident response plan in order to be fully compliant (PCI DSS Requirement 12.10 covers incident response). Companies must adhere to specific criteria within their response plans, including the following key elements:
- Define and assign specific roles and responsibilities for executing the plan, including designated personnel available 24/7 to respond to alerts;
- Develop communication strategies and processes for notifying the payment card brands about breaches;
- Align with all legal requirements and response standards imposed by the individual payment card brands;
- Create incident response checklists and specific response procedures for different types of incidents and the systems implicated;
- Incorporate tie-ins with business continuity, disaster recovery, and backup processes and procedures;
- Produce processes for analyzing the impact on and damage to critical system components;
- Establish clear channels for accepting security alerts from security monitoring tools and other sources (e.g., users, third parties, news feeds);
- Provide response training to all relevant personnel on a yearly basis;
- Conduct annual exercises to test the response plan in its entirety; and
- Implement continuous improvement processes to refine the plan based on lessons learned from exercises and actual incidents.
What do companies need to watch out for?
The most critical oversight we see in companies concerning cybersecurity incident response planning (and other security matters) is that they approach it with compliance at the forefront of their mind. As a result of this ‘check the box’ mentality, their plan fails in its most essential aims:
- To prepare the organization for a data breach; and
- To provide a repeatable, actionable framework for responding to incidents rapidly and consistently.
These objectives simply cannot be accomplished with compliance as the key driver. Good incident response plans require committed testing, training, communication, and continuous improvement initiatives in order to embed across the organization the practices it needs to respond to a breach effectively. Sufficient time, resources, and dedication are needed to fully institute response concepts across an organization. Plans without those fundamentals will fail in an actual breach scenario, potentially resulting in greater damage to a company, including serious fines and legal fees. Instead of developing plans merely to meet compliance requirements, companies need to focus on developing and maintaining solid cybersecurity incident response plans that truly prepare and guide their people. Compliance is the cherry on top.