What to look for when evaluating an Incident Response Services Provider

​Aaron Wooten,Managing Consultant, Incident Response, Trustwave SpiderLabs, APAC

With Australia’s mandatory data breach notification laws set to take effect by 23 February 2018, protecting sensitive information and data privacy has moved up the burgeoning list of an organisation’s IT security priorities.

Under the amended legislation, Federal agencies and organisations subject to the Privacy Act (APP Entities) will be required to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an “eligible” data breach.

APP entities include Australian government agencies and organisations and non-for-profits with an annual turnover of more than $3 million. Also included are some types of businesses with an annual turnover of $3 million or less such as private sector health care services providers and child care centres.

A failure to comply with the notification obligations can result anywhere from an investigation to, in the case of serious or repeated non-compliance, a fine of $360,000 for individuals or $1.8 million for organisations.

With only months to go before the legislation’s introduction, time is rapidly ticking down. Those organisations that haven’t already audited their current practices and procedures to ensure they are adequate to protect clients’ data need to do so now. They also need to ensure that they have a data breach response plan in place to enable the quick, lawful and efficient response to an actual breach or a suspected breach.

Some organisations will need to augment their in-house IT security resources with an incident response services provider.

For those organisations, outlined below are key considerations for evaluating incident response services providers to determine if they are the best fit:

Skills and experience

The skills and experience of incident response (IR) consultants need to be relevant to your vertical and the nature of the data breach. You need consultants who are experienced working with threat actors operating in your industry. Ask for customer references, case studies and CVs for the IR consultants who will be performing the work – not just those who might assist. Additionally, given that many services providers provide a broad range of offerings, ask what percentage of time consultants are actually performing incident response and forensic work for clients.


Many IR services providers can produce a laundry list of industry and vendor certifications. It is important that the certifications are either kept current, or that the services provider can demonstrate how key competencies are kept up-to-date within the organisation.

Research Capability

In the age of zero-day vulnerabilities and customised malware campaigns, IR services providers need to undertake in-house technical research to keep abreast of new threats facing customers. Ask for access to recent technical research articles, whitepapers and blog posts that show expertise in detecting, managing and resolving incidents.

Litigation support

Once the breach notification legislation takes effect, an increase in the number of reported data breaches and the potential increase in litigation is likely. When evaluating services providers, it is important to assess whether the provider can demonstrate prior experience with legal matters should the need arise. Experience in providing expert evidence in written or oral format for legal proceedings is essential.

Global coverage

Security incidents happen at any time of the day or night. Services providers should be able to commit to a defined service level agreement for responding to security incidents 24 hours a day, 7 days a week.

The mandatory data breach notification legislation demonstrates that the government is taking data breaches seriously. For organisations, the costs and reputational damage can be immense. Breaches are inevitable in today’s fast-evolving threat landscape. An incident response services provider can reduce the impact of the incident on your organisation – but they need to be the right fit for your organisation.