The information security industry is full of jargon, but luckily most terms only crop up when you’re dealing with specific, technical topics.
However, there’s one phrase that organisations use often without clarifying: ‘cyber security incident’.
You might assume this is simply a euphemism for when organisations don’t want to say ‘we’ve suffered a data breach’.
That’s sort of true, but as we explain in this blog, it can be a little more complex than that.
‘Incidents’ are rarely good news
A cyber security incident almost always refers to something bad happening, but it doesn’t always mean that it’s a data breach.
Rather, it’s a general term used to refer to the fact that systems or records have been threatened.
For example, an organisation that successfully repels a cyber attack has experienced an incident but not a breach.
Likewise, say an organisation loses a hard drive containing encrypted data. This is technically a data breach, because the file is no longer available, but it’s not a breach in the way most people would understand the word, because the information’s confidentiality remains intact.
It would therefore be appropriate to consider it a security incident.
Free download: Cyber Security 101 – A guide for SMEs
Across the globe, million of small business are being targeted by cyber attacks each year.
Find out how you can keep your organisation safe by downloading Cyber Security 101 – A guide for SMEs.
This free guide explains what you need to know when developing defences and breaks down six common myths that you may have heard.
It also contains guidance on specific measures you can implement to create an effective and affordable security set-up.
Doesn’t that make the term ambiguous?
Although the term ‘cyber security incident’ may draw criticism for its ambiguity, the vagueness is deliberate – and often helpful.
Unless the event being referred to was a routine breach (such as a hacker infiltrating a system or an employee exposing the information online), organisations are entitled to explain what happened and how it differentiates from more common scenarios.
The problem is that many organisations use the phrase even when it is a straightforward data breach, or when they simply don’t know what happened.
Fortunately, organisations are unlikely to fool regulators or more clued-up members of the public with such doublespeak. Any ambiguity will be pounced on and people will suspect that by ‘incident’ the organisation means ‘breach’.
So, if you’re ever unsure what someone means by ‘security incident’, you should consider the context that it’s being used in.
The organisation’s disclosure announcement may explain that no information has been compromised, or that it’s not yet sure of the extent of the damage, in which case it truly is a ‘security incident’.
But if no clarifying details are given, you can probably assume that sensitive records have been compromised.
Cyber security incidents and regulatory consequences
Differentiating between incidents and breaches isn’t just a matter of frustrating potential victims and other interested parties. There are regulatory consequences too.
For example, the GDPR (General Data Protection Regulation) requires organisations to act transparently with all security matters, so if an investigator suspects you tried to downplay the severity of a data breach, that could be held against you.
If you’re worried that you’re unable to determine whether you’ve suffered a breach or not, you should implement a CIR (cyber incident response) management system.
This will help you identify and address threats promptly, ensuring that you know how and when the problem started and what needs to be done to reduce the damage.
But incident response plans do more than just help organisations react to security incidents; they also help prevent similar mistakes from happening again.
The system ensures that you log security events and your responses, giving you a wealth of information about your security threats that can inform your continual improvement process.
Many organisations don’t have the wherewithal to create and manage incident response. This is where IT Governance can help.
With our Cyber Incident Response Management consultancy service, we can take the reins in the event of security incident.
Our data protection experts will detect and contain threats using a best-practice incident response programme.
Combining technological solutions with processes and procedures, we ensure that when faced with cyber threats, you face minimal delays and that your reputation stays intact.
A version of this blog was originally published on 10 October 2019.