[BreachExchange] How Do You Know When A Cybersecurity Data Breach Is Over?
destry at riskbasedsecurity.com
Thu Mar 28 00:46:37 EDT 2019
People often ask, “When does the pain of a security breach finally
end?” The answer is often a surprise. It isn’t over when you’ve
removed a hacker or insider threat from your network environment, just
as it doesn’t begin with the discovery of patient zero of a cyber
It ends when your organizational attitudes toward cybersecurity revert
to what they were before the breach. The question is: "Is the return
to 'business as usual' a good thing?" Usually not, especially when you
think about how the breach began.
Most organizations I've worked with assume a data breach begins when a
hacker penetrates your network. But it actually starts long before —
with the sum of bad security habits, mismanaged mergers and
acquisitions, budget decisions that scrimp on security and bad choices
like relying on outdated equipment or not deploying security patches.
In this way, a breach can be a good thing because it wakes everyone up
— it serves as the greatest security awareness exercise possible. When
a breach occurs, everyone is interested in information security for a
brief duration — from the incident response and mitigation teams to
A Never-Ending Story
In this disaster-movie atmosphere, there’s a need to be rescued. The
organization often enlists a team of cybersecurity experts to build
attack timelines for the complete incident response. Then there’s the
expectation that the infection and adversary will be ejected from the
environment and that the crisis has passed.
In reality, a breach is never really over. Years after, many companies
still invest their time in mitigating the lasting effects, including:
• Legal defense efforts and litigation
• Suffering sales departments
• Client management challenges
• Increased regulatory audits and compliance
• Additional meetings and new processes
• Difficulties obtaining cyber insurance
Organizations may also be confronted with the consequences of the
breach, such as brand damage and slower sales.
Now, security teams must spend their time on status updates and
deploying new technology. And underfunded teams may be asked to
perform a three-year security plan in six months — which isn’t usually
Not long after the fires are out, the board and C-suite may believe
the breach is over. This stems from the notion that security is
transactional — that security is something you bolt on, such as a door
lock. If you invest in it once, you’re protected, right?
Effective cybersecurity is rooted in an organizational culture that
values consistent and dedicated security practices and response
capabilities — and understands what it takes to have cybersecurity
strategies and programs that work.
Back To The Future
During the heat of the initial breach response, internal turf wars
temporarily stop, and there is unity and clarity. The company becomes
laser-focused on data protection, and budget for security also
generally becomes available.
But following this period of heightened security awareness, problems
may emerge, and old ways return. There is a limit to how much security
can be absorbed into the environment. You might encounter a “gold
rush mentality” where the funds allocated for security attract those
seeking your business. And for the C-suite, there’s danger in putting
a cinematic “The End” on a breach. By becoming complacent and
returning to old habits and poor choices, it’s not the end but another
The breach didn’t begin when hackers charged through the door. It
started when security wasn’t a priority, or when the company publicly
talked about it as an important priority but real support and
cooperation weren’t there. It began with oversights, and with funding
and resources prioritized elsewhere rather than toward security and
privacy. It may have stemmed from focusing too much
attention on compliance — even when those actions actually harmed
security by focusing resources on ideas instead of actual capabilities
that can assist the defenders. Why? Failed audits can mean lost
bonuses for management, while poor security capabilities initially
produce only irritation.
How do you prevent another security incident? A first step is to build
awareness that you can't have world-class information security without
world-class IT. And you can’t protect your organization without
decisive decision-making, coupled with conviction on how to manage
risks (like visibility gaps, mergers and acquisitions, and
observations about incidents).
No one cares about protecting your data as much as your own people.
While it’s great to have saviors on call during a breach, what you
really need is security experience as an integral part of your
organization's DNA for effective incident detection, analysis, and
response. And those people should be trained and retained.
Make security a habit and a state of mind across the organization —
from the C-suite down to every level. By returning to
the status quo, you may be leaving the doors and windows open to your
IT environment or a risky cloud migration, where cyber threats could
Finally, roll all of this up into a three-year security plan, even if
you don’t have the budget today. Include strategies that can best
detect, disrupt, and respond to a cyber attack — all ideally based on
your real observations, not auditors’ workbooks.
And include effective plans for coordinated incident response to
mitigate damage, along with cross-functional teams for critical steps
such as your public response. When it comes to protecting your brand,
sales, and customers’ loyalty, you’ll be judged more on your response
than on the breach itself.