
Incident Response Playbooks for Cyberattacks: Got One?

Wendi Whitmore, IBM X-Force Threat Intelligence VP

Organizations have slowly improved their ability to plan for, detect and respond to cyberattacks over the past five years, but their capacity to contain an attack has declined by 13 percent over the same period, a new IBM report said.

How effectively organizations respond to a cyber bombardment is hindered by an excess of security tools and a lack of specific playbooks for common and specific attack types, the fifth installment of IBM Security’s 2020 Cyber Resilient Organization Report said. Survey results were gleaned from data supplied by 3,400 security and IT professionals worldwide.

Two top-line findings:

  • 74 percent of organizations still use makeshift response plans that are inconsistently applied, or have no plans at all to handle incoming threats.
  • Companies that have incident response teams and extensively test their incident response plans spend an average of $1.2 million less on data breaches than those without clear objectives.

Deeper dive findings:

On response plans.

  • More organizations have adopted formal, enterprise-wide security response plans in the past five years, improving to 26 percent currently from 18 percent in 2015.

On playbooks.

  • Among companies with formal security response plans, only 33 percent, or 17 percent of the total respondents, had also developed playbooks for specific attack types. Pre-planning for emerging attack methods such as ransomware lagged even further behind.
  • Of those organizations with attack-specific playbooks, 64 percent have playbooks for DDoS attacks and 57 percent for malware infiltrations.
  • 45 percent of companies had designated plans for ransomware attacks despite a 70 percent rise in incidents.
  • 52 percent of those with security response plans said they have never reviewed or have no set time period for reviewing or testing those plans.

On security tools.

  • Organizations using 50+ security tools ranked themselves 8 percent lower in their ability to detect, and 7 percent lower in their ability to respond to an attack than those with fewer tools.
  • Companies use more than 45 different security tools on average, and each incident they responded to required coordination across roughly 19 tools on average.
  • 63 percent said the use of interoperable tools helped them improve their response to cyberattacks.

On planning.

  • In the past two years, 39 percent of companies with formal security response plans applied across their business experienced a disruptive security incident, compared to 62 percent of those with less formal or consistent plans.
  • 61 percent of companies cited hiring skilled employees as a top reason for becoming more resilient. Among those who said their resiliency did not improve, 41 percent cited the lack of skilled employees as the top reason.
  • Among organizations with higher levels of cyber resilience, the top two factors cited for improving their level of cyber resilience were visibility into applications and data (57 percent) and automation tools (55 percent).

"While more organizations are taking incident response planning seriously, preparing for cyberattacks isn't a one and done activity," said Wendi Whitmore, IBM X-Force Threat Intelligence vice president. "Organizations must also focus on testing, practicing and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help overcome complexity challenges and speed the time it takes to contain an incident."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.