How to survive your first data breach

With GDPR shortly coming into force, here’s some of the advice we’re providing clients on how to handle a public data breach

Courtenay Brammar
Cyber Security: Beyond the headlines

--

Now, where’s that incident response plan we did with those management consultants a couple of years ago?…

Welcome to another edition of Cyber Security: Beyond the headlines. Each week we’ll be sharing a bite-sized piece of unique, proprietary insight from the data archive behind our high-quality, peer-reviewed, cyber security case studies.

A poorly handled incident response to a data breach often causes more damage to the company than the breach itself.

You’d expect this to be self-evident, but unfortunately many organisations are yet to fully grasp this.

Senior management continue to labour under the illusion that the incident_response_plan_final_FINAL.docx sitting on the shared drive, produced a couple of years ago by their preferred professional services firm, is going to save their bacon when the inevitable happens.

Don’t believe us? Well, here are three examples from our repository from just the last six months:

  1. First, take Equifax and their disclosure that they had exposed the personal data of 143 million Americans. One particular ‘highlight’ of their haphazard incident response involved the company directing affected consumers to a bug-ridden website that was flagged by some browsers as a phishing threat. Result: The company ended up losing almost their entire senior management team, including the CEO, CIO and CSO.
  2. Next we’ve got the breach of the SEC’s document management system and an understated incident response that involved a blink-and-you’ll-miss-it disclosure. Result: Heavy criticism for lack of detail and timing — a very difficult position for a regulator to find itself in when pushing for public companies to promptly disclose cyber events.
  3. Finally, Deloitte’s incident response to the breach of their corporate email system delayed the initial public disclosure until many months after it had actually occurred. Result: Open mockery from the global cyber security community and accusations that the firm downplayed the event to mitigate its commercial impact.

These examples show how crucial it is to adopt the mindset that planning your company’s incident response is an iterative exercise. Stakeholder expectations increase and the external threat environment continues to evolve. Your company’s internal environment is also continually changing: employees join or leave, customers’ requirements change, improvements to your technology are implemented, and so on.

The concept of a completed incident response plan should therefore be considered anathema. It is a living process that has to be continually reviewed and updated in light of real-life incidents to match the changing internal and external landscape.

To help our clients achieve this we continually draw on the analysis of the real-life data breaches in our repository and provide ongoing detailed guidance on how their incident plan should evolve as both the threats and stakeholder expectations adapt. Here’s a summary of some recent guidance we’ve provided:

Deliver a swift response opting to ‘over-react’ where the full facts remain unclear

When faced with a cyber bank robbery, Tesco Bank’s swift response with a clear intent of putting their customers’ interests first helped them to recover from the event. By detecting what was happening early on, the company was able to respond quickly and engage in immediate countermeasures.

Ensure key stakeholders have inimitable contact points

When the Financial Times suffered a hacktivist attack they benefited from having publicly recognisable employees who were able to liaise with ‘connected’ social media accounts to enable a quicker resolution to the disruption. Having an established, trusted contact point (and backups) within your organisation for other stakeholders, one that can’t be mimicked by the attackers, is crucial.

Practise the response plan with all elements involved

The AA were accused of a ‘cover-up’ due to their confused communications about their supplier’s breach of their customers’ data and what customers needed to know. Eventually the senior management team got dragged into operational issues because the line managers lacked the organisational authority to react to the unfolding crisis on the fly. Regular practice runs of the incident response plan with all involved stakeholders are crucial to make sure it stands up under the pressure of a breach.

Ensure the board has made key decisions before an incident occurs

After Ubiquiti Networks experienced a BEC cyber attack in 2015 which cost them $39.1 million, it became clear that their board at that time was simply not up to the job of being effective custodians of the business. It’s vital that businesses ensure they have the right experience and skills at board level to handle such an incident, and then take the time to contemplate how they would respond. Our repository provides us with great insight into the precise questions they should be considering, for instance:

  • Do we plan to disclose the breach as soon as it’s discovered, only once the initial investigations are complete, or wait until we have the full facts?
  • What’s our policy towards ransom demands where our data is at risk of exposure?
  • If the attack involves a systems intrusion, what’s our plan to ensure our stakeholders know they are dealing with an authentic employee rather than an imposter?
  • Does it make sense for our business to have a bug bounty programme? If so, what are the terms, e.g. will we obligate researchers to stay quiet?
  • What should our HR protocol be where data was breached due to an insider?
  • How should our communication plan differ when it’s one of our suppliers rather than us that breaches our customers’ data?

In a world buzzing with the potential of artificial intelligence and machine learning, the prevailing view is that data is an asset, to be mined for future riches. But this seems to have blinded us to the fact that it’s also a liability. In many cases custodianship of this data should be approached in the same way as other valuable liabilities, such as bank deposits.

Unfortunately most companies have not taken this approach, and with GDPR just around the corner time has run out to change direction. They quickly need to recognise that the court of public opinion can dish out far harsher penalties than any regulator, and start regularly reviewing their incident response plan against real-life events and practising the response it outlines.

Found this interesting? Sign up to receive these insights every week directly in your inbox and check out our previous editions at Cyber Security: Beyond the headlines.
