The information security industry is full of jargon, but luckily most terms only crop up when you’re dealing with specific, technical topics. However, there’s one common but surprisingly complex phrase that often appears without further explanation: ‘cyber security incident’.
You might assume it’s simply a euphemism for organisations that don’t want to say ‘we’ve suffered a data breach’. That’s kind of true, but it’s also a lot more nuanced than that.
‘Incidents’ are rarely good news
A cyber security incident almost always refers to something bad happening, but it doesn’t necessarily mean that a breach has occurred. Rather, it’s a general term for any event in which systems or records have been threatened.
For example, an organisation that successfully repels a cyber attack has experienced an incident but not a breach.
Likewise, although an organisation that loses a hard drive containing encrypted data has technically suffered a data breach (the file is no longer available), it’s not a breach in the way most people would understand the word, because the information’s confidentiality remains intact.
It would therefore be appropriate to consider it a security incident.
Doesn’t that make the term ambiguous?
It’s certainly true that ‘cyber security incident’ can be confusing if an organisation uses the term without any more details. In such cases, the organisation is probably exploiting the term’s ambiguity to avoid saying ‘we were breached’ or ‘we don’t know what happened’.
However, if the organisation goes on to clearly explain that no information has been compromised, or that it’s not yet sure of the extent of the damage, then the term is being used acceptably.
Fortunately, organisations are unlikely to fool regulators or more clued-up members of the public with such doublespeak. Any ambiguity will be pounced on and people will suspect that by ‘incident’ the organisation means ‘breach’.
Similarly, with regulations such as the GDPR (General Data Protection Regulation) forcing organisations to be more transparent when it comes to data breaches, the public has come to accept that incidents are common and can occur for any number of reasons besides lax security.
Organisations therefore shouldn’t fear the prospect of announcing a data breach as opposed to a security incident. As with most things, it’s best to be clear and honest from the outset. If you’ve been breached, say that. If you’re not aware of data being compromised, call it an incident and explain what happened.
Cyber incident response management
The most effective way to make sure you have all the details needed to determine whether you’ve suffered a data breach or a security incident is to implement a CIR (cyber incident response) management system.
This will help you identify and address threats promptly, ensuring that you know how and when the problem started and what needs to be done to reduce the damage.
But incident response plans do more than just help organisations react to security incidents; they also help prevent similar mistakes from happening again.
The system ensures that you log security events and your responses, giving you a wealth of information about your security threats that can inform your continual improvement process.
Take control of your cyber health
CIR management is part of an overall set of best practices that organisations should be following, in which simple, routine measures are established to minimise security risks.
This falls under the wider umbrella of ‘cyber health’. The term is apt because, just as with your physical wellbeing, there are basic health and hygiene rules that you must follow to remain productive and respectable. Some will become second nature; others you will need to keep working at and investing in.