What’s the difference between an event and an incident?
IT teams face all sorts of new and exotic challenges – just ask Norsk Hydro and Aebi Schmidt. Of course, most IT hiccups aren’t that serious or spectacular. But they can prove troublesome if not defined and dealt with correctly.
There’s often confusion about the difference between an ‘incident’ and an ‘event’. Neither sound very appealing, but it’s important to be clear on which means what and, crucially, how the distinction helps us respond in the right way.
As Databarracks earns its bacon protecting companies’ data, here’s how we define the terms.
An event is any observable occurrence in your IT infrastructure. An event can be something as benign and unremarkable as typing on a keyboard or receiving an email. Each time that happens, it counts as an event.
An event doesn’t have to be a problem; updating your firewall is an event.
Security Events are events that could affect your information security specifically. Businesses will face many of these – security measures deal with most of these and are unnoticed or not acted upon.
An alert is a notification that an event has happened. The alert goes to those responsible for taking action (if needs be). Not every event demands an alert – just those that will require action. If you set your threshold too low, you’ll be buried in alerts and won’t see real issues through the noise. Set the threshold too high and you won’t have enough warning to take preventative action.
A problem is the cause, or potential cause, of an incident. A problem can be flagged before it has caused an incident. It’s a lot better than reviewing after an incident has taken place. Active monitoring and up to date resilience measures help nip potential incidents in the bud. This is why a problem is not the same as an event – an event can be routine and benign and not require action or escalation. A problem needs addressing, ideally before it becomes an incident.
Not all events are incidents, but all incidents are events. Like how all thumbs are fingers, but not all fingers are thumbs. An incident is an event that negatively affects IT systems and impacts on the business. It’s an unplanned interruption or reduction in quality of an IT service. For example, a DDoS attack, or flooding of a server room are both incidents. Events don’t have to be negative – incidents always are.
A Security Incident has a similar relationship to a Security Event. It specifically affects a business’ information security – normally by damaging or breaching it. Again, while the majority of Security Events don’t need dealing with, a Security Incident requires action.
A series of incidents (or a serious incident) can become a Crisis. The definition of a Crisis varies from business to business – but a large part of what makes a Crisis is its scope. If an incident, or series of incidents, significantly disrupts day-to-day activities, it’s probably a Crisis and demands assembling the Crisis Response or Crisis Management Team.
There’s no one size fits all definition.
It’s important for a business to have its own threshold for defining if something is a problem, incident or crisis. Without set rules, you lose valuable time deciding how and when to escalate and take action.
For full details on incident response for cyber security, read ‘How to Write a Cyber Incident Response Plan’.
Defining events and incidents is more than semantics. A common language brings collaboration between security, compliance, privacy and legal roles. Understanding the definitions guides your responses, improving your protection from regulatory and reputational risks.