Why is it even more important to have an IR plan than a DR plan?

Virtually every organization has a DR (disaster recovery) plan in place as they should. However, most organizations don’t have a detailed IR (incident response) plan in place for when their IT systems are impacted by malicious behavior from either external or internal causes.

Why is it potentially more important to have an IR plan in place vs. a DR plan? The answer is simple, statistics. According to several creditable sources, the percentage of companies in the United States who experienced an IT incident in 2009 related to a directed malicious attack from either an external source (malware, etc.) or internal source (privileged user, disgruntled employee) was 49% compared to less than 10% of organizations who actually activated and used their DR plan.

Over the last few years we, at PathMaker Group, have seen the number of incidents, and the impact from those incidents, dramatically increase in number and impact (both downtime and financial). Suprisingly, most organizations still don’t have a defined Incident Response team and procedures to address these issues in a timely fashion to reduce downtime and financial impact.

Additionally, with the increasing number of Regulations requiring organizations to notify their customers when and if their Personally Identifiable Information (PII) has been breached or even exposed for a brief amount of time, the financial impact can be significant. Just sending out notification to 50,000 users that their SSN’s were exposed on a public website for approximately one hour cost a HealthCare company over $500,000 in actual costs.

That is why is it vitally important to put together an IR team that includes independent 3rd party experts to help minimize the impact of any breach.

Unlike a DR plan, an IR plan needs to include independent personnel from outside the organization due to the potential litigation that may result. Should a breach occur from either an external malware or phishing attack or internal from a privileged or disgruntled employee, you need to first be able to understand scope and then contain the breach.

So, the first calls when an IT organization realizes they are in the middle of an attack or becomes aware of a significant IT breach should be to the CEO, GC (general counsel) and an independent 3rd party Incident Response company such as PathMaker Group.

The main reasons for contracting with an independent 3rd party is for both later potential litigation and specilized expertise needed to anlayze and understand what is occurring. An organization needs to “collect data in a forensically sound and accepted fashion” using industry recognized tools and then preserve and store this evidence via a documented “chain of custody” by certified Forensic specialists. The organization should have personnel that are also licensed Private Investigators in that State and have experience testifying in a court of law. An added bonus will be if they have worked with the Secret Service and FBI for ACH and other financial fraud transaction cases.

Many organizations make the HUGE mistake of attempting to use “Joe, the IT guy”, to collect the critical data and in so doing either corrupt the data or otherwise open themselves to questions by the opposing counsel as to the validity of the data by the lack of qualifications of the internal IT staff and therefore lose the case.

In conclusion, it is imperative that any company that has a DR plan in place to also create and implement an IR plan as well. By including an organization that specializes in IT breaches, it ensures that they will be able to minimize the impact, collect and preserve the data to analyze and determine the origin of the breach and then have a much higher probability of successfully recovering funds and/or data and prosecuting the appropriate parties.