New privacy legislation in 2018 saw a dramatic increase in the number of data breach notifications. In the 2018 British Airways data breach, more than 380,000 customers’ payment card details were stolen by hackers. This added to a long line of data breaches making the headlines in the UK, after some of the country’s biggest brands, including Superdrug, Carphone Warehouse, Currys, Dixons Travel and PC World, were hacked earlier in the year. Read the blog to explore the 5 key steps to mitigating risk.
The scale of the British Airways breach isn’t huge compared to some of the mega-breaches we’ve seen over the past few years; however, losing 380,000 customers’ card details is a big deal for an organisation whose reputation is built on public trust. Additionally, for any company processing the personal information of European Union citizens, the General Data Protection Regulation (GDPR) makes each breach potentially more damaging than ever before. When GDPR was introduced in May 2018, few would have predicted the volume of breaches that would come to be admitted just a few months later.
In the UK alone since GDPR’s commencement in May 2018, the domestic privacy regulator has received more than 8,000 reports of personal information being lost or stolen. GDPR mandates that when an organisation suffers a breach of personal information of any number of European citizens, the office of the Information Commissioner (ICO) must be notified within 72 hours unless there is unlikely to be a risk to the rights and freedoms of the affected individuals.
Furthermore, UK citizens and residents are encouraged to complain to the ICO if they think their personal information has been misused or not secured to an appropriate level, which encourages companies to get on the front foot rather than having a complaint to the ICO raise the alarm.
Gemalto’s Breach Level Index (BLI) suggests there have been more than 13 billion stolen records since 2013, yet BLI’s 2018 First Half Report counted just under 3.5 billion records breached since the start of 2018. That is over a quarter of the declared breaches of all time in just six months.
It’s unlikely that the threat level has increased by more than 25% in the year; rather, the quality of the breach information we have has increased dramatically. This data shows that many breaches were previously not reported, either as a cover-up or because the organisation didn’t know it was obliged to tell anyone about it (or was not required to notify anyone).
Now that GDPR has arrived, and mandatory data breach notifications are also required in Australia, more and more companies understand their obligations and would prefer to stay on the right side of the law than worry so much about the wrath of angry customers.
In fact, there is sufficient evidence to show that people have generally accepted that data breaches occur, and that they judge the company on its response, i.e. was the notification timely, and did the company do everything it could to minimise the harm the breach may cause?
Data breaches are somewhat inevitable: even with the best security controls in place, just one slip-up could see your data going missing. One of the most important things companies can do, therefore, is adequately prepare for managing the incident.
It pays to develop your incident response processes long before they are needed, and to regularly review them to ensure they remain current and relevant. The worst time to be figuring out who does what, and who has authority to act during a breach, is just after it happens, since even the most experienced teams can find dealing with the chaos of incident response challenging.
The concept of running a cyber fire drill has been around for some time: you practise a full-scale incident response, engaging all the appropriate teams, managers and external stakeholders, to ensure everyone knows their role and that the process is efficient and effective.
The most critical role, that of incident manager (IM), requires someone who can think clearly and concisely and has no qualms about making hard decisions. The IM needs the authority to act in the best interests of the company, which means that when swift action such as shutting down a website or isolating a network is agreed to be the right response, the IM can take it even if it means the company loses revenue.
There must be a no-blame policy for IM decision making; otherwise the company’s culture will see incident managers fail to make the best decisions, because they will make the decisions that protect themselves from blowback.
The other thing a cyber fire drill will highlight is whether the right team can be assembled to manage the crisis. In some cases the team might comprise well-qualified staff, but if they are not able to drop everything and fulfil their role in collaboration with the IM, then your handling of the incident won’t be effective.
Subject matter experts (SMEs), such as system administrators, application designers, network engineers and data owners, all need to be engaged during the incident response process, so each nominated SME should already be familiar with your company’s incident response processes and know their level of delegated authority when engaged by the IM.
To reiterate what we said earlier in this post, organisations need a tried and tested incident response plan to ensure they respond as soon as possible and minimise the harm a breach can cause. The following five steps should help you respond in a way that minimises the damage and mitigates the risk of serious reputational damage.
As soon as your security team spots the incident and raises the alarm, the IM should spring into action. This means quickly assessing the risks, the potential scope and the harm the attack might cause, and assigning tasks to the appropriate team members.
Clear terms of engagement should be set out for each incident response team member, and expectations set as to what the IM needs from them in the first 30 minutes. This gives the team clear instructions with clear authority to carry out their tasks.
The very first responsibility of the team is to gauge the extent of the breach and stop it getting any worse; this step is known as containment in incident response parlance. It may be that the team installs missing patches or locks specific user accounts to stop any further escalation. Depending on the nature of the breach, the IM might also need to contact external third parties, since the data might have gone outside your own network.
Once you feel the breach has been contained, it’s time to fully assess what damage has been done and then set in motion the appropriate longer-term responses to handle the fallout. Never underestimate the extent of a breach, especially if the data has gone outside your organisation, since it’s not possible to guarantee you have found every copy of the data.
It’s better to start by asking yourself how the information might be misused by an attacker. If it might be useful to a criminal attempting identity theft, such as for signing up for a phone contract or getting false identification, such as a driver’s license, then it should be treated as severe and the police should be told (as well as the information commissioner).
You should not notify a breach without the facts, but you cannot wait indefinitely either: under GDPR, for example, organisations must notify within 72 hours, and for a very good reason. The preceding three steps should all be undertaken within that 72-hour period, since the best way to minimise harm is to act quickly. It is then time to notify the information commissioner.
Ensure that you also notify everyone else who needs to be told about the breach, including affected individuals. Other regulators may also need to be informed; in the Australian financial services sector, for example, APRA will need to be notified when a breach occurs. Maintaining a list of the appropriate contacts will help make sure no one is left out.
A post-incident review (PIR) is a wash-up meeting where everyone involved in incident management and response explains what happened and calls out any problems with the people, processes and technology they encountered.
Even if you are only running a cyber fire drill, the PIR is the best way to see issues with your processes and get them fixed before a real incident occurs.