A cybersecurity incident of course brings primary impacts, but it doesn’t stop there. Secondary follow-on activities and impacts often continue well beyond the initial security incident. As part of our ongoing series on incident response (IR), this analysis explores the differences between primary and secondary impacts, as well as how to respond to them so that you and your business can successfully move forward from a cybersecurity incident.
Primary impacts are the immediate fallout from a security incident. They include damage from the initial intrusion and any associated lateral movement: damaged systems, compromised data, or a ransom to pay.
Primary impacts may also include loss of revenue. If systems have been made unavailable or degraded, this can affect your business, potentially disrupting your e-commerce services or the digital systems that power your business operations and activities.
Finally, there are also impacts on staff. For example, a malicious insider will need to be removed from the organization. Their access will need to be revoked, and the organization will need logging and other mechanisms to understand the reach and impact of their malicious actions.
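The "logging and other mechanisms" point above is easier to see with a concrete scoping routine. The following is an added example, not code from the original article: it reads a constructed authentication log (format, account names, resources and the revocation timestamp are all invented for illustration), builds a picture of what the account reached before access was revoked, and separately flags any activity recorded after the revocation time, which is the check that tells you whether the revocation actually took effect everywhere.

```python
"""Scope a revoked account's activity from authentication/access logs.

Added illustration for this article. The log format (ISO-8601 UTC timestamp,
account, action, resource), the account names and the revocation time are
constructed for the example and do not come from any real system.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines: "<timestamp> <account> <action> <resource>".
SAMPLE_LOG = """\
2024-03-01T08:12:03Z jdoe LOGIN vpn-gw-01
2024-03-01T08:15:41Z jdoe READ fileshare:/finance/q1
2024-03-01T08:40:10Z asmith LOGIN vpn-gw-01
2024-03-01T09:02:55Z jdoe WRITE fileshare:/finance/q1
2024-03-01T11:30:00Z jdoe LOGIN db-prod-02
2024-03-01T14:00:00Z jdoe LOGIN vpn-gw-01
2024-03-01T14:05:12Z jdoe READ fileshare:/hr/payroll
"""

# Constructed: the moment the insider's access was supposed to be revoked.
REVOKED_AT = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    ts, account, action, resource = line.split(maxsplit=3)
    # Accept a trailing 'Z' on older Python versions by rewriting it as +00:00.
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "account": account,
        "action": action,
        "resource": resource,
    }


def scope_account(log_text, account, revoked_at):
    """Split an account's events into pre-revocation reach and post-revocation activity.

    Returns (reach, post_revocation):
      reach            - {resource: sorted list of actions} seen before revoked_at
      post_revocation  - list of event dicts at or after revoked_at (should be empty
                         if the revocation took effect on every system)
    """
    reach = defaultdict(set)
    post_revocation = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event["account"] != account:
            continue
        if event["ts"] >= revoked_at:
            post_revocation.append(event)
        else:
            reach[event["resource"]].add(event["action"])
    return {res: sorted(acts) for res, acts in reach.items()}, post_revocation


def report(log_text, account, revoked_at):
    """Produce human-readable lines for the incident record."""
    reach, post = scope_account(log_text, account, revoked_at)
    lines = [f"Reach of account '{account}' before revocation at {revoked_at.isoformat()}:"]
    for resource, actions in sorted(reach.items()):
        lines.append(f"  {resource}: {', '.join(actions)}")
    if post:
        lines.append("WARNING: activity recorded AFTER revocation (revocation incomplete?):")
        for ev in post:
            lines.append(f"  {ev['ts'].isoformat()} {ev['action']} {ev['resource']}")
    else:
        lines.append("No activity recorded after revocation.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "jdoe", REVOKED_AT)))
```

In the constructed data the account still logs in to the VPN gateway and reads a file share two hours after the revocation time, which is exactly the kind of gap (a system that does not consult the central identity store, or a cached session) that the post-revocation check is meant to surface. In practice you would feed this the exported logs from each system the account could reach, not a single file.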
The incident is far from over just because you’ve triaged the malicious actor and restored your systems and services to a normal functioning state. There are several activities that occur well beyond this initial primary impact. These include litigation, documentation, interfacing with auditors, and utilizing knowledge to improve your organization’s incident response process and capabilities.
On the litigation front, organizations must be poised with legal expertise to weather the potential litigation activities they may find themselves in after a security incident. Depending on the industry, the organization’s size, and the incident’s visibility, there may be regulatory actions, which will require in-house or augmented compliance expertise to work with external auditors and regulators to answer any associated inquiries.
As with primary impacts, there may be secondary staffing impacts as well. Regulatory and social pressure may lead to leadership changes. There is also the harsh reality that incidents and their associated response activities can be incredibly demanding, demoralizing, and draining for the staff involved, and can lead to staff turnover if not managed properly. Proper management requires ensuring that schedules are implemented to prevent burnout, that staff are given time to breathe after intense periods of work, and that blame isn’t cast where it isn’t warranted, so that morale isn’t compromised.
As they say, the best time to plant a tree is 20 years ago, and the second best time is now. Clever sayings aside, the reality is that an organization’s ability to withstand the primary and secondary impacts of a cybersecurity incident is directly tied to how much it has prepared to do so. This involves proper incident response planning (IRP), tabletop exercises, game days, and even lessons learned from previous incidents.
Still, you may find yourself in a security incident for which you haven’t sufficiently prepared. The best way to deal with this is to note the deficiencies, capture them, and put measures in place to ensure that they don’t happen again or that the impact is mitigated in the future.