What is a security incident?
A security incident is an event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed.
In IT, an event is anything that has significance for system hardware or software, and an incident is an event that disrupts normal operations. Security events are usually distinguished by their degree of severity and the associated potential risk to the organization.
If a single user is denied access to a requested service, for example, that can be considered a security event because this may indicate a compromised system, but the access failure could also be caused by many other things. The common theme for most security events, no matter what caused them, is that they do not typically have a severe impact on the organization. However, if large numbers of users are denied access, it likely indicates a more serious problem, such as a distributed denial-of-service (DDoS) attack, so that event may be classified as a security incident because of its disruptive impact on operations.
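As an added illustration of the event-versus-incident triage described above (example code, not part of the original article), the script below groups denied-access entries per service into short time windows over constructed log lines: a window with one or a few denied users is labelled a security event, while a window in which many distinct users are denied at once is escalated to a security incident. The log format, field names and the threshold of five distinct users are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real system):
# "<ISO timestamp> user=<name> service=<name> result=<ALLOW|DENY>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice service=portal result=DENY
2024-03-01T09:00:05 user=alice service=portal result=ALLOW
2024-03-01T09:20:00 user=bob service=portal result=DENY
2024-03-01T09:20:02 user=carol service=portal result=DENY
2024-03-01T09:20:03 user=dave service=portal result=DENY
2024-03-01T09:20:04 user=erin service=portal result=DENY
2024-03-01T09:20:05 user=frank service=portal result=DENY
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) service=(\S+) result=(ALLOW|DENY)$")


def parse_denials(log_text):
    """Yield (timestamp, user, service) for each DENY line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "DENY":
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def _label(service, start, users, threshold):
    # Assumed rule: one user denied has many benign explanations (event);
    # many distinct users denied in the same window points to an outage or attack (incident).
    label = "security incident" if len(users) >= threshold else "security event"
    return (service, start.isoformat(), len(users), label)


def classify_denials(log_text, window=timedelta(minutes=5), incident_threshold=5):
    """Return (service, window_start, distinct_denied_users, label) per denial window."""
    per_service = defaultdict(list)
    for ts, user, service in sorted(parse_denials(log_text)):
        per_service[service].append((ts, user))
    findings = []
    for service, entries in per_service.items():
        start, users = None, set()
        for ts, user in entries:
            if start is None or ts - start > window:  # open a new window
                if start is not None:
                    findings.append(_label(service, start, users, incident_threshold))
                start, users = ts, set()
            users.add(user)
        findings.append(_label(service, start, users, incident_threshold))
    return findings
```

Running `classify_denials(SAMPLE_LOG)` yields one event (alice alone at 09:00) and one incident (five users denied within seconds at 09:20), which is the distinction the paragraph above draws.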
What's the difference between a security incident and a security breach?
There is often confusion about the meaning of a security incident versus a security breach. A security incident covers a wide variety of security violations -- from systems, network and data access violations to malware, DDoS attacks or even the theft of physical computer equipment and devices with sensitive data.
On the other hand, a security breach pertains to data breaches only -- not network or system access violations, or malware invasions where data is not involved. In this respect, the security breach is actually a subcategory of a security incident that specifically relates to unauthorized access or theft of data only. This data breach could involve the alteration and/or outright theft of sensitive company data such as intellectual property or customer lists. It may also involve the unauthorized access, alteration and/or theft of the personally identifiable information of customers, clients, patients or others that violates these individuals' privacy rights.
Examples of security incidents include the following:
- attempts from unauthorized sources to access systems or data;
- unplanned disruption to a service or denial of service;
- unauthorized processing or storage of data;
- unauthorized changes to system hardware, firmware or software;
- insider breaches of networks, systems or information instigated by employees or contractors, including malicious attacks on systems and networks;
- a malware infection such as ransomware or a virus that compromises networks, systems or workstations or performs unauthorized actions;
- an outside cyber attack that is intended to disrupt, disable, destroy or maliciously control an organization's entire computing environment or infrastructure;
- an attack designed to destroy or steal data; and
- loss or theft of computer equipment.
Examples of security breaches include the following:
- unauthorized access to privileged and personal data;
- stealing a computer device that contains sensitive or personally identifiable information;
- stealing physical documents that contain sensitive or personal data;
- a data intrusion that results in data corruption or destruction;
- a ransomware attack that steals data and then demands a ransom for its return; and
- access to company customer data through a third-party data broker without company or customer consent.
How to respond to a security incident
Because security breaches are actually a subset of security incidents, the tools and techniques used to address them are similar. In all cases, the goal is to subdue or resolve the incident as quickly as possible.
The following are some common tools and techniques organizations can use to respond to security incidents:
- Gather the team. Coordinate the team of security experts who will assess the severity of the incident, communicate with management and perform mitigation.
- Identify, evaluate and contain the incident. Identify what has been compromised, and if a particular network is infected but other networks are not, immediately isolate the affected network to prevent the infection from spreading. At the same time, preserve all data in the infected network for later analysis.
- Recover and restore. If systems or networks are so severely affected they cannot be operated confidently, perform a full disaster recovery and failover.
- Notify those affected by the breach. If customer, client or patient data was compromised during the incident, notify persons affected of the breach and offer to pay for the mitigation services they may require.
- Resolve internal issues. If a malicious act was perpetrated by a company employee, notify human resources so appropriate actions can be taken.
- Get the word out. Coordinate with corporate marketing and public relations for any messaging that needs to be made to the press or to the public.
- Perform a security incident post-mortem. Once the security incident is resolved, review what happened, how it happened and how steps can be taken to avoid similar incidents in the future. Revise policies and practices to reflect any changes.
- Evaluate your team's performance. How long did it take to detect the incident? How long did it take to resolve it? Is there anything you could have done better?
How to prevent a security incident
Common methods and tools used to prevent security incidents include the following:
- Regularly train employees to ensure they are familiar with corporate security standards and practices.
- Using internal and outside IT auditors, regularly review IT security policies and practices to ensure they are current, including penetration and vulnerability testing of networks and systems.
- Ensure that security patches to hardware and software are promptly implemented.
- Monitor physical facilities, including secured access to data centers and to closets, file cabinets and other storage areas that may contain sensitive hardcopy documents.
- Monitor and log user and data activity at networks, system workstations and IoT devices. Use automated real-time alerts to detect potential security violations.
- Vet vendors for conformance to corporate security and governance standards.
- Form agreements with business partners that restrict sharing of confidential information with third parties without your company's express permission.
- Encrypt laptops and mobile devices and lock down any equipment that is lost or has been stolen in the field.
Processes and tools designed to help with security incident management
Commercially available tools can help manage security incidents:
- Endpoint detection and response software can detect security incidents at the periphery of the enterprise, which is helpful for securing IoT environments.
- Security information and monitoring tools provide security monitoring together with security incident response capabilities.
- Incident response planning templates assist in developing and mapping an enterprise-wide security incident response plan.
- Security training software helps employees learn the basics of effective security practices. But it does not replace the in-house security training that should be part of every new employee orientation and annual security refresher courses for current employees.