
security incident

What is a security incident?

A security incident is an event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed.

In IT, an event is any observable occurrence in a system or network, and an incident is an event that disrupts normal operations or violates security policy. NIST SP 800-61 draws the same line: an event is any observable occurrence, and a computer security incident is a violation, or an imminent threat of violation, of security policies, acceptable use policies or standard security practices. Security events are therefore triaged by their severity and by the potential risk they pose to the organization, not treated as incidents by default.

If a single user is denied access to a requested service, for example, that is a security event: it may indicate a compromised system, but it may equally be a mistyped password or a misconfiguration. Most security events, whatever their cause, have no severe impact on the organization on their own. If large numbers of users are denied access at the same time, however, the cause is more likely a serious problem, such as a distributed denial-of-service (DDoS) attack, and the event is classified as a security incident because of its disruptive impact on operations. The difference is one of degree and of what the evidence indicates, so triage is usually done by correlating events over a time window rather than judging each one in isolation.
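As an added example (not code from the original article), the following script applies the distinction above to constructed authentication log lines: isolated failures are recorded as events, while a burst of denials across many accounts, or many failures from a single source, is escalated to an incident. The log format, the thresholds and the sample lines are assumptions made for the example rather than values from the article; this is also the kind of automated alerting the prevention section later recommends.

```python
"""Event-versus-incident triage over authentication log lines.

Added example, not code from the original article. The log format, the
thresholds and the sample lines below are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical policy values (not from the article). A few denied requests in a
# window are a security event worth logging; many distinct users denied, or one
# source hammering many accounts, is escalated to an incident.
WINDOW_MINUTES = 5
INCIDENT_DISTINCT_USERS = 10
INCIDENT_FAILURES_PER_SOURCE = 8

# Assumed sshd-style format:
#   "<ISO-8601 time> <host> sshd: Failed password for [invalid user ]<user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a failed-login line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "ip": m["ip"]}


def window_start(ts):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES,
                      second=0, microsecond=0)


def triage(lines):
    """Group failed logins by window and classify each window as event or incident."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:          # successful logins and unrelated lines are skipped
            buckets[window_start(ev["ts"])].append(ev)

    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        users = {e["user"] for e in evs}
        top_ip, top_count = Counter(e["ip"] for e in evs).most_common(1)[0]
        if len(users) >= INCIDENT_DISTINCT_USERS:
            severity = "incident"
            reason = f"{len(users)} distinct users denied; possible DoS or credential stuffing"
        elif top_count >= INCIDENT_FAILURES_PER_SOURCE:
            severity = "incident"
            reason = f"{top_count} failures from {top_ip}; possible brute force"
        else:
            severity = "event"
            reason = "isolated access failures; log and keep monitoring"
        findings.append({"window_start": start.isoformat(), "severity": severity,
                         "reason": reason, "failures": len(evs),
                         "distinct_users": len(users), "top_source": (top_ip, top_count)})
    return findings


# Constructed sample log (not a real capture). The first window holds two
# unrelated failures, the second shows one source trying 12 different accounts,
# and the third shows the same source trying one account repeatedly.
SAMPLE_LOG = [
    "2024-05-01T10:01:12 web1 sshd: Failed password for alice from 198.51.100.7",
    "2024-05-01T10:03:40 web1 sshd: Accepted password for alice from 198.51.100.7",
    "2024-05-01T10:04:05 web1 sshd: Failed password for invalid user admin from 198.51.100.22",
] + [
    f"2024-05-01T10:07:{i:02d} web1 sshd: Failed password for user{i} from 203.0.113.9"
    for i in range(12)
] + [
    f"2024-05-01T10:12:{i:02d} web1 sshd: Failed password for root from 203.0.113.9"
    for i in range(8)
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["window_start"]}  {f["severity"].upper():8} {f["reason"]}')
```

The thresholds are the policy decision: set too low, every fumbled password pages the on-call; set too high, a slow password spray stays below the line, which is why a per-source count is checked alongside the distinct-user count.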

What's the difference between a security incident and security breach?

There is often confusion about the meaning of a security incident versus a security breach. A security incident covers a wide variety of security violations -- from systems, network and data access violations to malware, DDoS attacks or even the theft of physical computer equipment and devices with sensitive data.

A security breach, on the other hand, refers specifically to a data breach: an incident in which data is accessed, altered or taken without authorization. Network or system access violations, or malware infections in which no data is involved, are incidents but not breaches. In this respect, a security breach is a subcategory of security incident. The data involved may be sensitive company data, such as intellectual property or customer lists, or the personally identifiable information of customers, clients, patients or others, whose unauthorized access, alteration or theft violates those individuals' privacy rights and typically triggers notification obligations.

Examples of security incidents include the following:

  • attempts from unauthorized sources to access systems or data;
  • unplanned disruption to a service or denial of service;
  • unauthorized processing or storage of data;
  • unauthorized changes to system hardware, firmware or software;
  • insider breaches of networks, systems or information instigated by employees or contractors, including malicious attacks on systems and networks;
  • a malware infection such as ransomware or a virus that compromises networks, systems or workstations or performs unauthorized actions;
  • an outside cyber attack that is intended to disrupt, disable, destroy or maliciously control an organization's entire computing environment or infrastructure;
  • an attack designed to destroy or steal data; and
  • loss or theft of computer equipment.

Examples of security breaches include the following:

  • unauthorized access to privileged and personal data;
  • stealing a computer device that contains sensitive or personally identifiable information;
  • stealing physical documents that contain sensitive or personal data;
  • an intrusion that results in data corruption or destruction;
  • a ransomware attack that exfiltrates data before encrypting it and then demands a ransom not to publish it; and
  • access to company customer data through a third-party data broker without company or customer consent.

How to respond to a security incident

Because security breaches are a subset of security incidents, the tools and techniques used to address them are similar. In all cases, the goal is to contain and resolve the incident as quickly as possible while preserving the evidence needed to understand what happened.

Figure: Security incident response checklist (8 items)

The following are some common tools and techniques organizations can use to respond to security incidents:

  • Gather the team. Coordinate the team of security experts who will assess the severity of the incident, communicate with management and perform mitigation.
  • Identify, evaluate and contain the incident. Identify what has been compromised, and if one network segment is infected but others are not, immediately isolate the affected segment to prevent the infection from spreading. Isolate at the network level rather than powering systems off, because volatile evidence such as memory contents and active connections is lost on shutdown. At the same time, preserve logs and disk images from the affected network for later analysis, recording hashes at collection time so their integrity can be demonstrated.
  • Recover and restore. If systems or networks are so severely affected that they cannot be operated confidently, perform a full disaster recovery and failover. Restore from backups only after the root cause and any persistence mechanisms have been removed, and verify that the backups themselves were not altered; otherwise the attacker returns with the restore.
  • Notify those affected by the breach. If customer, client or patient data was compromised during the incident, notify the persons affected within the time frames required by applicable breach-notification laws and contracts, and offer to pay for mitigation services they may require, such as credit monitoring.
  • Resolve internal issues. If a malicious act was perpetrated by a company employee, notify human resources and legal so appropriate actions can be taken.
  • Get the word out. Coordinate with legal, corporate marketing and public relations for any messaging that needs to be made to the press or to the public.
  • Perform a security incident post-mortem. Once the security incident is resolved, review what happened, how it happened and what steps can be taken to avoid similar incidents in the future. Revise policies and practices to reflect any changes.
  • Evaluate your team's performance. How long did it take to detect the incident? How long did it take to contain and resolve it? Is there anything you could have done better? Track these times across incidents so the trend is visible.
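Two of the steps above, preserving evidence during containment and evaluating how long detection and resolution took, can be supported with a small amount of tooling. The following is an added example, not code from the original article: it writes a SHA-256 manifest over a directory of collected artifacts so that any later change can be detected, and computes time-to-detect, time-to-contain and time-to-resolve from an incident timeline. The evidence files, timeline, incident identifier and collector name are constructed for the example.

```python
"""Preserving evidence and measuring response time during an incident.

Added example, not code from the original article. It hashes every collected
artifact into a manifest so later analysis can show the evidence was not
altered after collection, re-checks that manifest, and computes how long
detection, containment and resolution took from a simple timeline. The
evidence files, the timeline and the incident identifier are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, incident_id, collected_by):
    """Record path, size and SHA-256 of every file under evidence_dir."""
    files = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "incident_id": incident_id,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the relative paths whose content no longer matches the manifest."""
    changed = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def response_metrics(timeline):
    """Hours from compromise to detection, and from detection to containment and resolution."""
    t = {k: datetime.fromisoformat(v) for k, v in timeline.items()}

    def hours(a, b):
        return (t[b] - t[a]).total_seconds() / 3600

    return {
        "time_to_detect_h": hours("compromised", "detected"),
        "time_to_contain_h": hours("detected", "contained"),
        "time_to_resolve_h": hours("detected", "resolved"),
    }


def run_demo():
    """Build a manifest over constructed evidence, then show that tampering is detected."""
    # Constructed sample artifacts (not real captures). The small text file holds
    # the FIPS 180 test vector "abc" so its digest can be checked against a known value.
    artifacts = {
        "logs/auth.log": b"2024-05-01T10:07:00 web1 sshd: Failed password for root from 203.0.113.9\n",
        "memory/web1.raw": os.urandom(4096),
        "notes/collector.txt": b"abc",
    }
    with tempfile.TemporaryDirectory() as evidence_dir:
        for rel, data in artifacts.items():
            path = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        manifest = build_manifest(evidence_dir, "INC-2024-0001", "ir-oncall")
        intact = verify_manifest(evidence_dir, manifest)

        # Simulate someone editing a log after collection.
        with open(os.path.join(evidence_dir, "logs/auth.log"), "ab") as fh:
            fh.write(b"edited after collection\n")
        tampered = verify_manifest(evidence_dir, manifest)

    # Constructed timeline for the same incident.
    metrics = response_metrics({
        "compromised": "2024-05-01T02:00:00",
        "detected": "2024-05-01T10:00:00",
        "contained": "2024-05-01T11:30:00",
        "resolved": "2024-05-03T10:00:00",
    })
    return {"manifest": manifest, "intact": intact, "tampered": tampered, "metrics": metrics}


if __name__ == "__main__":
    result = run_demo()
    for entry in result["manifest"]["files"]:
        print(f'{entry["sha256"]}  {entry["path"]}')
    print("changed after collection:", result["tampered"])
    print("metrics:", result["metrics"])
```

In practice the manifest itself should be stored somewhere the affected environment cannot write to, and signed or hashed into a case record, since a manifest kept alongside the evidence can be rewritten along with it.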

How to prevent a security incident

Common methods and tools used to prevent security incidents include the following:

  • Regularly train employees to ensure they are familiar with corporate security standards and practices.
  • Using internal and outside IT auditors, regularly review IT security policies and practices to ensure they are current, including penetration and vulnerability testing of networks and systems.
  • Ensure that security patches to hardware and software are promptly implemented.
  • Monitor physical facilities, including secured access to data centers and to closets, file cabinets and other storage areas that may contain sensitive hardcopy documents.
  • Monitor and log user and data activity across networks, workstations, servers and IoT devices, and use automated real-time alerting to flag potential security violations. Forward logs to a central system so that an attacker who gains control of one host cannot erase the record of what was done there.
  • Vet vendors for conformance to corporate security and governance standards.
  • Form agreements with business partners that restrict sharing of confidential information with third parties without your company's express permission.
  • Encrypt laptops and mobile devices, and be able to remotely lock or wipe any equipment that is lost or stolen in the field.

Processes and tools designed to help with security incident management

Commercially available tools can help manage security incidents:

  • Endpoint detection and response (EDR) software records and flags suspicious activity on individual hosts such as workstations and servers, and on IoT devices where an agent is supported, and can isolate a host from the network during containment.
  • Security information and event management (SIEM) tools collect and correlate logs and alerts from across the environment so that related events can be recognized as a single incident; security orchestration, automation and response (SOAR) tools add playbooks that automate parts of the response.
  • Incident response planning templates assist in developing and mapping an enterprise-wide security incident response plan.
  • Security training software helps employees learn the basics of effective security practices. But it does not replace the in-house security training that should be part of every new employee orientation and annual security refresher courses for current employees.


This was last updated in May 2021
