Most large organisations now make advance plans to bring in external security consultancies should they suffer data and security breaches, a new survey for Arbor Networks has found.
The Economist Intelligence Unit (EIU) study (registration required) of 360 global senior business executives, backed up by interviews with a dozen security executives, found that around two thirds of firms had formal incident response plans in place for serious security incidents, with the same number complementing this with a dedicated in-house response team.
Despite this apparent readiness, 80 percent of larger organisations had made advance arrangements with external experts, mainly in computer forensics, to supplement the initial response by an internal IT team.
This could be a sign that security incidents are now seen as so complex that employing enough in-house security expertise is seen as impossible, or perhaps it's part of a trend to preserve evidence to support possible criminal prosecutions. Other external help is also sought from legal and law enforcement experts.
"It's a very litigious process. If you are looking to be able to prosecute the perpetrators at the end of a breach, you need to be able to preserve the evidence," said one of the executives interviewed for the study.
"In addition, you need to be able to collect the evidence in such a way that you truly know what the breach was and how it occurred."
Increasingly, firms were treating security incidents as crime scenes, a factor that now overrode the need to get systems working again.
Complaints from those interviewed included a lack of knowledge about the precise threats or "known unknowns" they were facing at any one time. This made many pessimistic about the chances of spotting a successful compromise within 24 hours.
Only a third of executives said their firms shared data on attacks with industry peers, but it could be that this depends on the sector involved. Financial services appear to do well on this measure, mostly behind the scenes, but the numerous successful attacks on US retailers in the last year suggest that in this sector firms are more likely to be isolated from one another.
Breach reporting was a bit better, with 57 percent saying they would notify the authorities of reports they were legally obliged to (not all countries surveyed have notification laws), but 47 percent believed that being forced to make public all breaches would do more harm than good.
The number one disruption to systems, including those with a security theme, remains internal misconfiguration.
"There is an encouraging trend towards formalising corporate incident response preparations. But with the source and impact of threats becoming harder to predict, executives should make sure that incident response becomes an organisational reflex rather than just a plan pulled down off the shelf," said EIU senior editor, James Chambers.