[BreachExchange] Knowing your ‘knowns’ and managing the unknown: preparing for and responding to cyber incidents
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Nov 23 18:05:34 EST 2016
http://www.continuitycentral.com/index.php/news/business-
continuity-news/1586-knowing-your-knowns-and-managing-the-
unknown-preparing-for-and-resp
preparedness.
Cyber attacks and data breaches are here to stay. As long as confidential
commercial data and personal information hold a financial value on the
black market, the battle between cyber criminals and corporations will
continue.
They are also very costly – UK telecoms group TalkTalk admitted to losing
£60 million in revenue and 100,000 customers following their data breach in
2015 and Sony Pictures is estimated to have lost between $35 million and
$100 million following a systems hack in 2014.
Yet the 2016 UK Government Cyber Health Check and survey of FTSE 350
companies had some surprising results; only 33 percent of boards felt they
fully understood their own cyber risk appetite; 49 percent had a clear
understanding of the potential impacts of a cyber crisis, and 15 percent
felt cyber was a technical issue which did not warrant board attention.
These results are of considerable concern given experts recognise it is a
matter of when, not if, a cyber attack or data breach will occur.
The United Kingdom’s House of Commons Select Committee recently noted, in
its review of the TalkTalk data breach, that cyber incident preparation,
awareness, enforcement and responsibility should be higher on
organizations’ agendas. Where it is not, organizations risk being perceived
as having failed in their duty of care to customers and shareholders when
the worst occurs.
With high profile calls for executive pay to be linked to cyber
preparedness, and annual reports potentially required to include sections
on cyber security, it is time to understand what being prepared for a cyber
crisis means.
FOUR CYBER CRISIS PREPAREDNESS LESSONS
Appoint a cyber czar – governance, responsibility and accountability are
critical
Corporate boardrooms are beginning to recognise cyber risk but there is
still no clear ‘owner’ of this varied, often technical, and always complex
issue. While many organizations have a chief information officer, chief
technology officer or chief information security officer, there is seldom
an executive leader with the right level of understanding, accountability
or authority to lead a cyber strategy.
A cyber preparedness strategy requires a statement of ownership and defined
responsibilities across your organization. It must bring together the
groups involved in a cyber response – from IT, information security and
risk, to customer services, HR, communications and general counsel to name
a few. While cyber security is primarily a technical issue, the response to
a cyber incident involves a much wider group, but this is all too often
missed.
Clear policies and cross functional relationships need to integrate the
cyber programme with your organization’s other operational and strategic
activities.
Your organization also needs a clear understanding of its own cyber risk
appetite and the impacts cyber threats may create. Only then can you start
to prepare the organization to be cyber aware.
Know your cyber facts – knowledge is power
Lack of cyber awareness at all levels of an organization – from executive
and management teams to operational service providers and front of house
staff – is a serious risk. It can unravel all the good work done by
information security teams.
Repeatedly we see senior executives shocked by the pace, complexity and
uncertainty of a cyber incident. Organizations are often left grasping for
facts in the face of experienced – and today often technically adept –
journalists with questions they should know the answers to, leading to
public outrage and disappointment at their inability to provide reassurance.
There is no excuse not to have at your fingertips key facts about your
systems, data, encryption, budgets and the other areas you know the media
and other stakeholders will want details of. What has been accessed? How
many records have been stolen? How did ‘they’ defeat cyber defences /
defenses? These are questions there may not be answers to, but there are
others that can – and should – be answered: how many records do you hold?
What is encrypted? What data do you hold? What data do you share? Far too
often the answers to these questions have not been prepared.
Each function supporting your organization’s cyber crisis response should
know its role, strengths and vulnerabilities:
Is your executive management team informed enough on the issue to make
strategic decisions? Do they know what critical data the organization owns,
how much risk it creates and what a hacker could do with it? Do they
understand how long it may take to investigate an attack and that it may be
weeks or months for some certain facts to be confirmed?
Could your communications team respond to stakeholder questions with cyber
facts? Are they trained on the contents of the cyber crisis
communication plan? And has it been tested and discussed with legal?
Do you have technical specialists who understand the wider worlds of
cyberspace: the dark web, bitcoin payments, Tor and so on? Can they reach
into these worlds safely? Can they conduct the forensic analysis needed to
investigate a breach or do they need external support? Is there a plan, and
contract, in place to provide that support as fast as possible?
Has your information security team conducted cyber due diligence on your
suppliers – could an attacker gain access to your systems via a third party
interaction? Have you had a cyber preparedness assessment?
Does your legal team understand the potential liabilities of a data breach?
Do they have the correct external relationships to support rapid decision
making?
Do your risk and finance teams understand your insurance position, business
interruption or cyber remediation cover, compensation policy and credit
monitoring approach?
Cyber risk awareness is a broad and important area requiring strong support
across the organization.
Prepare – it is the only way to deliver a credible, professional response
to a cyber crisis
If we accept that cyber incidents are inevitable and a critical reputation
risk, preparing an effective cyber incident response is no longer an option.
The speed of the response can determine how well the situation will be
managed and resolved. A quick response requires pre-prepared tools,
processes, procedures, checklists and structures, as well as responders who
understand their roles and responsibilities and recognise where they are
empowered to act.
While high impact cyber incidents are, in many ways, similar to other
crises a senior management team might face, their uncertainty and
complexity provoke unique challenges.
Crisis management frameworks and capability should be reviewed against
cyber scenarios; crisis management plans may benefit from a ‘cyber response
annex’; and exercises should build your teams understanding and competence
in the risk and be conducted at different levels.
Give technical teams a chance to use their analytical tools, understand how
long the various proposed actions might take, practice detailed tracking
and log analysis, test information flows and reporting, and ultimately
manage a coherent technical response. Work flows should not just be on
paper – they need validating in real time to reveal gaps and potential
issues.
Give senior executives the chance to acquaint themselves with cyber risk in
‘peacetime’ and realise how complex a data breach response can be. During
cyber exercises we frequently see them develop very different response
strategies to other crisis scenarios.
Scenarios should also explore the links between incident management and
crisis management levels – referred to as silver and gold by some, tactical
and strategic by others – to test information flow and situational
awareness.
Avoid repeating your errors – identify and embed the lessons
There is often a tendency following a crisis or near miss to breathe a sigh
of relief and rush back to business as usual. But there is much still to
do. It is important to understand why the incident happened in the first
place, as well as identify and learn lessons from the incident response to
improve for next time.
We frequently observe, however, organizations failing to learn lessons from
incidents they – or others – have suffered. Even when an investigation is
carried out, the lessons are not always widely shared, let alone learnt.
Suffering a cyber incident is only unfortunate the first time, if it
happens a second or third – when attackers start to recognise a vulnerable
organization as a weak target – and you fail to respond effectively, it
will not go unnoticed.
Conducting a post incident review, identifying what worked well and didn’t,
is a sign of a mature organization keen to learn and develop. Taking the
lessons and then generating change is an even greater challenge but does
more than repay the effort. Non-executive directors and other board members
can provide the much needed leadership and governance to ensure reviews are
done, lessons are carried forward, and incidents do not repeat themselves.
SUMMARY
As stated earlier, good cyber incident response can make or break an
organization’s reputation. If your organization can get its cyber security
governance, cyber awareness, cyber incident response preparedness and
review process right, you will be on the right path.
Cyber risks and crises are here to stay – start work now to ensure your
organization does not suffer unnecessary financial and reputational impacts.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161123/51ebbf13/attachment.html>
More information about the BreachExchange
mailing list