BreachExchange mailing list archives

How businesses can reduce cyber risk: pre and post incident


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Jun 2015 23:04:35 -0600

http://www.information-age.com/technology/security/123459671/how-businesses-can-reduce-cyber-risk-pre-and-post-incident

As the volume of sensitive data that businesses store ever increases, the
use of mobile devices continues to grow and cyber villains become ever more
sophisticated, it is perhaps of no surprise that we hear about new
instances of information theft and data loss on a daily basis.

It has been recently reported that the average cost per lost or stolen
record is $154 and that over 90% of companies with more than 250 staff have
experienced a security breach at some point.

These breaches can expose the company to real financial loss, risk of fines
and serious brand and reputational damage. There is therefore certainly no
room for complacency when it comes to the risks posed by data breaches and
cyber attacks.

It is important to also note that it is not just criminals out to steal or
disrupt business that pose a risk. Employees or business partners often
compromise data by accident, through negligence or with malicious intent,
and business competitors, increasingly from the east, that wish to gain an
economic advantage present a greater risk than ever.

Given the range of threats, coupled with the sanctions available to
European regulators (fine levels being set to increase significantly under
new EU laws), strategising to reduce the risk of breaches and implementing
plans to deal with them once they occur should be prioritised at board
level, regardless of a company’s size.

But what precisely should businesses be doing to reduce their risk profile
in the pre and post incident environment?

What the law says

The UK Data Protection Act 1998 (DPA) requires a risk-based approach to
security and requires organisations to take “appropriate technical and
organisational measures … against unauthorised or unlawful processing of
personal data and against accidental loss or destruction of, or damage to,
personal data”.

In other words, there is no one-size-fits-all solution as far as the DPA is
concerned when it comes to data security and rather bespoke analysis and
actions are required. The measures taken by an organisation will depend
largely on the size and nature of a business, the amount of data it
processes, and the sensitivity of that data.

Another key issue requiring bespoke analysis is breach notification and
reporting when a breach occurs. There is currently no mandatory breach
reporting under the DPA, although some bodies have instituted their own
requirements (e.g. central government).

UK privacy watchdog the Information Commissioner’s Office (ICO) does
currently encourage self-reporting of breaches (and also that affected data
subjects are notified) in appropriate circumstances, but as things stand
there is no strict legal obligation to do so. There are exceptions to this
under different pieces of UK legislation – for example, providers of public
communications services are required to notify the ICO where breaches occur.

This is set to change, however, following the introduction of the new
EU-wide Data Protection Regulation – reports to be made to supervisory
authorities within 24 hours have been proposed under this Regulation.

Any company’s breach notification policy will therefore need to be prepared
or updated with this regulation in mind.

Getting the basics right

So what can businesses do? Given that the law, fine levels and enforcement
priorities are changing so fast, it is almost impossible for businesses to
stay on top of it all, and so it can be very helpful to bring in experienced
outside legal expertise to help initially identify and fix any gaps.

Some best practice tips that will help reduce cyber security threats
include: updated and enhanced training for staff; using reputable
anti-virus software relevant to all business areas; downloading software
updates as soon as they appear; using strong passwords; and deletion of
suspicious emails.

CESG (the information security arm of GCHQ) also recommends that an
‘information risk management regime’ should be developed across an
organisation, supported by the board and senior managers.

The company’s risk management policy should then be rolled out across the
organisation to ensure that everybody within the organisation from the top
down is aware of the organisation’s risk management boundaries.

CESG’s mantra reflects guidance on best practice emanating from the ICO,
which also suggests that there are four key elements to implementing a
cyber breach strategy.

First, designing and organising security (physical and technical) to fit
the nature of the data and the harm that may result from a breach. Second,
setting out who in an organisation is responsible for compliance on a
day-to-day level.

Third, implementing the right physical and technical security, backed with
appropriate policies and procedures (covering details such as acceptable
and secure use of systems, mobile use policies, access to removable media
etc.) and well-trained staff.

And finally, being ready to quickly and effectively respond to any reports
of a breach.

Post-incident environment

With all the best will in the world, implementing a comprehensive plan as
outlined above only goes so far and cannot entirely eliminate the risks
associated with a security breach.

Companies also need a robust plan to consult, and expert resources at the
ready to call in, should the worst happen.

Experience shows that even well-meaning and professional businesses are
generally falling well short at this second hurdle.

A well-developed response plan should ensure that sufficient steps are
taken to immediately contain the breach and recover lost data, whilst at
the same time providing for a risk assessment to be carried out to consider
how serious the damage is or is likely to be.

Important decisions to grapple with in the post incident environment are
whether or not to involve the ICO by making a self-report and whether to
notify affected individuals.

Is the breach sufficiently serious to warrant notification?

Timing is also crucial, and detailed thought needs to be given to when
such notifications should be made.

Self-reporting to the ICO will not always result in a lighter fine or the
avoidance of a fine altogether, but it can help (the ICO has gone on record
saying the same).

That said, a premature notification to the ICO and to individuals whom a
company believes may be affected can also cause more harm than good.

There is, more often than not, considerable merit in not “jumping the gun”
in terms of notifications to regulators and individuals until the key facts
have been established and the extent of the issue is clear – at least under
the current legal regime.

This is a critical phase, and having the sounding board of pre-identified
counsel who have been through it before can be invaluable.

Companies should also consider whether their insurance products cover
against data breach costs, damage done, regulator fines levied and
litigation initiated by individuals affected by a breach.

Whilst such products are becoming increasingly popular, the consensus is
that they are still underused and can also be ineffective unless the cover
is carefully matched to the business.

Identifying those responsible for the policy who can liaise with insurers
following a breach is also an important exercise and can ease considerable
headaches down the line.

Cyber breaches can have a very real impact on a business's reputation, brand
and bottom line. The increasing fines and risk of legal suits as a result
also mean it is prudent to do some key work in advance to prepare.

Clear procedures and policies should be put in place that deal with the pre
and post cyber incident environment, which can help minimise exposure to a
security breach. In addition, bespoke recommendations should be sought and
made as to staff training, a robust insurance policy and defined roles
within an organisation.

Given all of this work comes with a cost, board-level buy-in is undoubtedly
important. Considering the increase in cyber incidents and increasingly
serious consequences to a business, the need to do some work in advance to
prepare for attacks should be viewed as an important and logical sell to
the executive team.

When it comes to cyber security, nothing should be left to chance and
companies should not be complacent.

Careful planning and preparations upfront, including accounting for the
pending legal changes at an EU level, will not only limit damage should a
breach occur but can also help avoid or minimise regulatory sanctions, be
good for a company’s reputation and vastly improve consumer trust and
confidence.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 