Recently we had one of our regular reviews of security incidents that have affected the company in the past few months. All three – one social engineering attack, one technical one, and one equipment loss – were minor, in that only limited information or systems were put at risk; all were detected and fixed, to the best of our knowledge, before anything was accessed that shouldn’t have been. If we had only been looking at data breaches they probably wouldn’t even have made it to the agenda.
But our definition of incidents includes events that might put information security at risk, so we were able to have a useful discussion of our processes for detecting incidents, for dealing with reports, for prevention and for mitigation. We learned, or had reinforced, something at each stage:
- Incidents can be detected by a wide variety of people (the owner, an external CERT and an alert signing officer) so awareness and processes need to ensure that everyone knows how and when to identify and report the signs of one;
- Holidays and periods of organisational change are challenging for receiving and handling incident reports, so contact information needs to be kept up to date and information flows kept resilient;
- Layered precautions are good – people supported by policies supported by technologies – so that even if an incident manages to evade one layer there’s a reasonable chance it will be detected by another.
So even non-breaches generated plenty of ideas that we can use to make our systems more robust, increasing the likelihood that the next incident will also be no more than a near-miss.
The great thing about near-misses is that there is much less blame hanging around. In each of our incidents, enough did work that the consequences of the things that didn’t were minimal. That encourages discussions that are positive and focussed on processes and systems: it’s much easier to have an open discussion of why things went wrong if this time it didn’t matter but next time it might. And, as a former incident responder myself, it was a very pleasant change to be able to thank a colleague for being one reason that a breach didn’t happen.