Your organisation will be hacked, how will you respond, asks IBM

Speaking at Computing's Cyber Security Live conference, Mike Spradbery, senior technical leader, IBM Security UK & Ireland, explains what organisations need to think of when building their incident response plans.

Your organisation will be hacked within the next two years, and how you respond is even more important than containing and managing the risk.

That's the opinion of Mike Spradbery, senior technical leader, IBM Security UK & Ireland, speaking at Computing's Cyber Security Live conference.

"Responding well is so important, as the likelihood is that in the next two years your organisation will be the victim of a successful attack. How you respond can have a huge impact on your ability to manage and contain risk," said Spradbery.

Earlier at the conference, John Leonard, research director for Computing's new market intelligence service Delta, presented the latest research around what happens after a breach is discovered.

He also pointed out that, with the new 72-hour breach notification deadline imposed by the GDPR, organisations can no longer sit on the knowledge of a breach and decide what to do later.

Spradbery said that organisations have three main questions to answer when considering their response.

"You have to know what you're going to do first," said Spradbery. "And the answer depends on your priorities as an organisation. What's the main thing you want to achieve in this crisis? Is it to limit the amount of data that's stolen, limit the financial damage, or perhaps gather evidence on the breach? Unless you know that, it's hard to respond. So, work out what you care about most."

Then he said organisations need to understand what their next three steps will be.

"You need to work out your next moves, where do you go after you've taken that first step."

The last of the three initial questions is working out what the biggest risk to the organisation is.

"Then you need to understand your biggest risk. We worked with the NHS and the biggest risk to them is loss of life. For most other organisations it's just losing a bit of cash."

Spradbery described a cyber attack as a 'boom' moment, an idea he said was stolen from the military.

"We took this from the US military, who were trying to get ahead of improvised explosive devices in Iraq. Previously all their work was done in the aftermath of an explosion, to the right of the 'boom' in the timeline. They decided they wanted activity to the left of that timeline too, to be more intelligent and preventative.

"If you think of a cyber event as a boom moment, then think of the topics, activities and considerations on either side. The boom moment is when we realise something bad has happened, maybe the FBI phones up. Then your share price falls, you have press conferences and remediation.

"Left of the boom is reasonably easy to deal with, it's what we do every day. That means protecting and defending and building bigger walls. Right of boom is different, and doesn't happen often, we hope. The problems are hazy and distant, we don't really know how they look, and we're out of the realms of IT.

"There are lots of issues which make this tricky. We know there's a skills shortage, with a million unfilled cyber roles by 2020. Then there's the growing complexity of attacks, and the regulatory landscape. And there's a glut of tooling, with the average SOC [Security Operations Centre] using 75 different tools.

"Technology can help but it isn't the answer by itself. Do you have the right people, the expertise you need? Should you recruit, or do you have a third party on retainer? Do you have the right processes?"