BreachExchange mailing list archives

6 critical steps for responding to a cyber attack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 12 Jun 2015 13:03:59 -0600

http://www.information-age.com/technology/security/123459644/6-critical-steps-responding-cyber-attack

Cyber security affects all businesses and industries and it is now a
board-level agenda item, placed at number three on the Lloyds Risk Register
(2013). Dealing with cyber attacks is a “whole of business” issue,
affecting every team within an organisation. It is also a people and
operational issue, rather than just a technical issue.

In today's environment, where every organisation relies to some extent
upon technology and telecommunications, it is not a case of "if" a cyber
security breach occurs, but rather a case of "when".

When a breach is discovered, it is essential to act comprehensively and
quickly, or it may expose the business to greater liability. There are six
critical steps the organisation must take to deal with it.

It is important to bear in mind that these steps are not sequential – in
practice, it will be necessary to think about most of them in parallel,
particularly in the initial aftermath of the breach where the priorities
will be to contain it in order to mitigate any risk of further damage or
loss of data.

1. Mobilise the incident response team

An incident response team should be formed and include all relevant
internal stakeholder groups, such as a technical team to investigate the
breach, HR and employee representatives where the breach affects employees,
intellectual property experts to help minimise brand impact or recover
stolen IP/information, data protection experts where personal data is
involved, and public relations representatives. There may also need to be
external representatives – for example, where the internal teams do not
have sufficient capability or capacity.

The team should also include representatives from the organisation's legal
team and possibly also external counsel. There are a number of legal
implications of any cyber attack, and it will therefore be of vital
importance to the organisation to seek legal advice as soon as possible
after becoming aware of an attack.

As part of this, it will also be necessary to check whether losses from a
cyber attack are covered under the organisation's existing business
insurance policies. Where there is insurance in place, the organisation
will need to review the relevant policies to determine if insurers must be
notified of a breach. Some policies cover legal and remedial costs, but
only from the date of notification.

2. Secure systems and ensure business continuity

Following a breach, the first key step from a technical perspective will be
to secure the IT systems in order to contain the breach and ensure it is
not ongoing.

This could mean that an organisation has to isolate or suspend a
compromised section of its network temporarily or possibly even the entire
network. This can of course be extremely disruptive and potentially costly
for the business.

It is necessary also to consider how and when the breach was detected, and
whether any other systems have been compromised. Organisations should have
in place suitable measures to ensure that any network or other intrusions
are detected immediately.

3. Conduct a thorough investigation

An investigation will need to be carried out as to the facts surrounding
the breach, its effects and remedial actions taken. The organisation will
need to decide who should take the lead on the investigation and ensure
that they have appropriate resources available to them.

Where there is potential employee involvement in the breach, the
investigation will also need to take into account any applicable labour
laws, and the investigation team should therefore consult and involve HR
representatives as appropriate.

Finally, the investigating team will need to ensure that they document any
and all steps taken as these may be required as part of any regulatory
notification to be submitted. In practice, investigations are usually
iterative: further lines of enquiry will become apparent as the
circumstances surrounding the breach become clearer.

Whenever there is a breach, it is important to feed the conclusions from
the investigation back into the policies and procedures in place and the
incident response plan, and to ensure that employees are given appropriate
notice and training on them. Regulators are often just as interested in
what has been done to remedy processes going forward as in the breach
itself.

4. Manage public relations

This will be a key requirement of the incident response team, particularly
where the organisation involved is a consumer-facing organisation.

Not all security breaches will become public, but for many it will be
inevitable – for example, where customers' personal data has been
compromised and is in the public domain, or where the relevant data
protection legislation requires the affected individuals to be notified.
Being timely in managing announcements to the public and being accurate,
open and honest in the messages given are crucial.

5. Address legal and regulatory requirements

Specific legislation may contain regulatory notification requirements that
apply in the event of a breach. Although most jurisdictions do not (yet)
have a specific and all-encompassing cyber security law, there is often a
patchwork of laws and regulations that have developed in response to
evolving threats.

Some of these laws will apply universally across sectors, whilst
industry-specific legislation is continuing to develop to target the most
at-risk sectors – for example, financial services, critical utilities
infrastructure and telecommunications.

In the US, the legal patchwork includes: the National Institute of
Standards and Technology Cybersecurity Framework, which consists of
standards, guidelines, and practices to promote the protection of critical
infrastructure; and Executive Order 13636, which, amongst other things,
expanded the existing programme for information sharing and collaboration
between the government and the private sector.

In the EU, organisations should pay particular attention to data protection
legislation. The proposed new Data Protection Regulation in Europe includes
a mandatory obligation for organisations across all sectors to inform their
relevant data protection authority of any security breaches, including the
facts surrounding the breach, its effects and any remedial actions taken by
the organisation.

The EU is also proposing a new Cyber Security Directive, which would
include a requirement for "market operators" (for example, electricity,
oil, gas, transport, financial/banking etc.) to report security incidents
to the competent authority.

Some legislation may also require, in addition to a regulatory
notification, the notification of individuals whose data have been
compromised as a result of the cyber security breach.

Deciding who to notify is not easy – it may not be possible to identify
whose data has been affected, as opposed to whose could have been affected.
If an organisation has many millions of customers, the prospect of
notifying all of them should not be taken lightly.

6. Incur liability

Unfortunately, no matter how prepared an organisation is, it is nonetheless
likely to incur some form of liability in the event of a cyber-security
breach. There are various ways in which an organisation could incur this
liability.

There could be direct non-legal liability as a consequence of a cyber
attack. This liability could arise, for example, through blackmail
attempts, theft, ransomware and ex-gratia payments that an organisation may
choose to make from a public relations and customer relationship
perspective. This final category can be a major cost to organisations
following a cyber attack but can really help to mitigate any damage to the
customer relationship. For example, an organisation for which customer
credit card details have been compromised might choose to offer
complimentary credit screening for the affected customers for a period of
time.

There will very often be regulatory liability resulting from cyber security
breaches. From a data protection perspective, current EU law requires
organisations to have in place appropriate technical and organisational
security measures to protect personal data. If an organisation is found to
have failed in its implementation of this regulatory requirement, it could
be subject to a penalty. In the UK, the current maximum fine under the Data
Protection Act 1998 is £500,000, and Sony was fined £250,000 by the UK
Information Commissioner for its PlayStation breach in 2011.

However, if the EU's proposed new Data Protection Regulation is adopted,
this could see the maximum fines being increased to €100 million or 5% of
the organisation's annual worldwide turnover, whichever is the greater.

In certain areas, sector-specific regulation could also apply. In the UK
financial services sector, the regulator has historically levied greater
fines for security breaches than the Information Commissioner. For example,
in August 2010, the FSA fined Zurich Insurance Plc £2.275 million following
the loss of 46,000 customer records on an unencrypted backup tape, which
was being sent to a South African subsidiary for processing.

Liability for cyber security breaches could also be incurred in litigation
for breach of statutory obligations, breach of contract, breach of
equitable duties, and negligence. To date, the majority of cases have
occurred in the United States. For example, in March this year, Target
agreed to pay $10 million in a proposed settlement of a class-action
lawsuit related to its 2013 breach.

Although the focus of this article has been on what to do in the event of a
breach, it is also important to bear in mind that there are a number of
proactive steps that organisations can take in order to mitigate the risk
of a cyber attack before it happens.

In particular, organisations should carry out a comprehensive assessment of
their existing processes and procedures, identifying what needs to be
protected and assessing the specific risks and potential impacts on the
business.

Thereafter, a response plan should be put in place including designating a
suitable response team and making any necessary changes to policies and
procedures to deal with any immediately apparent issues.

In addition, given that many data security breaches happen as a result of
employee action or inaction, user education and awareness is crucial.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/