What is Security Incident Management?

Despite your best efforts, cybersecurity incidents, large or small, can and probably will happen from time to time. Cyber-attacks and cyber-theft have become so common that it is virtually impossible to avoid them entirely. That being said, these incidents don’t have to be crippling problems. With a good security incident management plan, you can greatly reduce the damage on all fronts. Let’s talk a little more about security incident management and how it works.

What Is Security Incident Management?

This is simply a term that denotes the process of responding to a cybersecurity incident. If you do not make a plan in advance, no one will know how to respond when a problem occurs. People will basically be running around like headless chickens, trying to figure out what to do.

Obviously, this confusion represents a tactical advantage for any attacker, so that is not acceptable. Sometimes, security incident management is available as a service from tech companies, but it is more commonly bundled with other cybersecurity plans.

An Example Of Good Security Incident Management

Let’s take a look at an instance in which an organization handled a security incident properly. In 2019, children’s apparel company Hanna Andersson was targeted by a web skimming attack. This allowed malicious hackers to gain the credit card information of many customers, and that information was then sold on the dark web. When law enforcement notified the people at Hanna Andersson, they immediately sent out mass emails to inform their customers.

Although they were not able to prevent this data breach, the company did the right thing and offered full disclosure, both to those affected and to the public. The company was not able to fully ascertain who had been compromised and who had not, but it was completely open and honest about the whole problem. Although they could probably have done a little more to prevent this attack, their honesty is a good example of how you should handle a security incident.

An Example Of Bad Security Incident Management

Last year, social media giant Facebook suffered a massive data breach, compromising the personal information of about 533 million people. In a typical display of arrogance, the company pretty much refused to give people any concrete information about the incident. However, someone from their company accidentally sent an internal company email to a Belgian news network.

This email shows a callous disregard for the privacy of the company’s users and a complete lack of sympathy for those affected. They talked about the need to downplay the incident and convince people that these occurrences were normal. So, instead of being honest with people and trying to fix the problem, they effectively said “it’s normal, don’t worry about your data.” This is a perfect example of how you should not handle a cybersecurity incident.

The Six Steps Of Security Incident Management

Obviously, this is a large and complex subject, so it’s difficult to tell you everything you need to know in one article. That being said, there is a simple framework that you can use to coordinate your incident response efforts and make them more effective. It’s a six-step process that goes like this:

  1. Preparation

The first thing you can do is prepare everyone in your organization to respond appropriately in the event of a breach. A plan doesn’t do much good if you haven’t made everyone aware of its key elements. As we said earlier, you want to avoid a situation in which confusion hinders response time. So, preparation comes down to two main things:

  • Making sure that everyone knows what to do in the event of a breach
  • Conducting drills to make sure that everyone paid attention!

  2. Identification

This is the part where your response team will attempt to determine if the attack is genuine. False alarms of this kind happen quite frequently, so you want to start the response process by ruling that out (if possible). In the process of evaluating the incident’s legitimacy, they should also be able to determine what sort of attack has occurred.

  3. Containment

Sometimes, when an attack has occurred, there is a temptation to delete everything and start over. While this can be effective, there is one problem: you will end up deleting all the evidence! So, if possible, you should try to contain the threat rather than just deleting all the affected data. The most common method is to disconnect all compromised systems and devices from the internet and monitor the rest. You might also want to make use of virtual systems (aka “sandboxing”), as they are a great way to separate one part of a network from the rest.

  4. Eradication

Having identified the threat and the way in which it penetrated your defenses, the next step is to eradicate the problem. This might include the deletion of malware, the application of patches and updates, and whatever other measures might be deemed necessary.

  5. Recovery

Once your response team is confident that the problem has been handled, it is time to work on damage control. At this point, the team will take a look at all the damage that has been done, especially when it comes to potentially stolen data. In many cases, damaged or corrupted data can be restored from a backup, but only if you set up that process in phase one.

  6. Lessons Learned

This phase is pretty self-explanatory. You simply look at the incident that has just occurred and ask yourself: “What can we learn from this incident?” There are always ways in which your security can be improved, and this is the only real good that can come out of a cyber-attack.

Whether your breach is large or small, PCH Technologies can help you with your security incident management efforts. All six phases require trained experts to handle them properly, and providing those trained experts is one of the things we do best. If you would like to know more, call (856) 754-7500.